rekall :: plugins :: addrspaces :: aff4 :: AFF4AddressSpace :: Class AFF4AddressSpace

Class AFF4AddressSpace

Handle AFF4Map or AFF4Image type streams.

Since AFF4 volumes may contain multiple streams, we allow the stream to be specified inside the volume path. For example suppose the volume located at:

/home/mic/images/myimage.aff4

Contains a stream called PhysicalMemory, then we can specify the filename as:

/home/mic/images/myimage.aff4/PhysicalMemory

If we just specified the path to the volume, then this address space will pick the first AFF4 stream which has an aff4:category of lexicon.AFF4_MEMORY_PHYSICAL.

So if you have more than one physical memory stream in the same volume, you will need to specify the full path to the stream within the volume.

Nested Classes
	__metaclass__ Automatic Plugin Registration through metaclasses. (Inherited from rekall.addrspace.BaseAddressSpace)
	top_level_class This is the base class of all Address Spaces. (Inherited from rekall.addrspace.BaseAddressSpace)

Instance Methods

__init__(self, filename=None, **kwargs)
x.__init__(...) initializes x; see help(type(x)) for signature

source code

ConfigureSession(self, session)
Implement this method if you need to configure the session.

source code

file_mapping_offset(self, filename)
Returns the offset where the filename should be mapped.

source code

get_file_address_space(self, filename)
Return an address space for filename.

source code

get_mapped_offset(self, filename, file_offset=0)
Map the filename into the address space.

source code

describe(self, address)
Return a string describing an address.

source code

__eq__(self, other) (Inherited from rekall.addrspace.BaseAddressSpace)

source code

__repr__(self)
repr(x) (Inherited from rekall.addrspace.BaseAddressSpace)

source code

__str__(self)
str(x) (Inherited from rekall.addrspace.BaseAddressSpace)

source code

__unicode__(self) (Inherited from rekall.addrspace.BaseAddressSpace)

source code

add_run(self, virt_addr, file_address, file_len, address_space=None, data=None)
Add a new run to this address space. (Inherited from rekall.addrspace.RunBasedAddressSpace)

source code

as_assert(self, assertion, error=None)
Duplicate for the assert command (so that optimizations don't disable them) (Inherited from rekall.addrspace.BaseAddressSpace)

source code

cached_read_partial(self, addr, length)
Implement this to allow the caching mixin to cache these reads. (Inherited from rekall.addrspace.CachingAddressSpaceMixIn)

source code

close(self) (Inherited from rekall.addrspace.BaseAddressSpace)

source code

end(self) (Inherited from rekall.addrspace.BaseAddressSpace)

source code

get_address_ranges(self, start=0, end=4503599627370495)
Generates the runs which fall between start and end. (Inherited from rekall.addrspace.BaseAddressSpace)

source code

get_mappings(self, start=0, end=18446744073709551616)
Yields the mappings. (Inherited from rekall.addrspace.RunBasedAddressSpace)

source code

is_valid_address(self, addr)
Tell us if the address is valid (Inherited from rekall.addrspace.RunBasedAddressSpace)

source code

merge_base_ranges(self, start=0, end=4503599627370495)
Generates merged address ranges from get_mapping(). (Inherited from rekall.addrspace.BaseAddressSpace)

source code

read(self, addr, length) (Inherited from rekall.addrspace.CachingAddressSpaceMixIn)

source code

read_partial(self, addr, length) (Inherited from rekall.addrspace.CachingAddressSpaceMixIn)

source code

vtop(self, addr)
Returns the physical address for this virtual address. (Inherited from rekall.addrspace.RunBasedAddressSpace)

source code

vtop_run(self, addr)
Returns a Run object describing where addr can be read from. (Inherited from rekall.addrspace.RunBasedAddressSpace)

source code

write(self, addr, buf)
Write to the address space, if writable. (Inherited from rekall.addrspace.PagedReader)

source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods

ImplementationByClass(self, name)

source code

ImplementationByName(self, name)

source code

metadata(cls, name, default=None)
Obtain metadata about this address space. (Inherited from rekall.addrspace.BaseAddressSpace)

source code

Class Variables
	order = `90`
	CACHE_SIZE = `10` (Inherited from rekall.addrspace.CachingAddressSpaceMixIn)
	CHUNK_SIZE = `32768` (Inherited from rekall.addrspace.CachingAddressSpaceMixIn)
	PAGE_MASK = `-4096` (Inherited from rekall.addrspace.PagedReader)
	PAGE_SIZE = `4096` (Inherited from rekall.addrspace.PagedReader)
	classes = `{'AFF4AddressSpace': <class 'rekall.plugins.addrspac...` (Inherited from rekall.addrspace.BaseAddressSpace)
	classes_by_name = `{'': [<class 'rekall.addrspace.BufferAddress...` (Inherited from rekall.addrspace.BaseAddressSpace)
	name = `''` (Inherited from rekall.addrspace.BaseAddressSpace)
	plugin_feature = `'BaseAddressSpace'` (Inherited from rekall.addrspace.BaseAddressSpace)
	runs = `None` hash(x) (Inherited from rekall.addrspace.RunBasedAddressSpace)
	virtualized = `False` (Inherited from rekall.addrspace.BaseAddressSpace)
	volatile = `False` (Inherited from rekall.addrspace.BaseAddressSpace)