Trees       Indices       Help   
Rekall Memory Forensics
Package rekall :: Package plugins :: Package addrspaces :: Module ewf :: Class EWFAddressSpace
[frames] | no frames]

Class EWFAddressSpace

source code

An EWF capable address space.

In order for us to work we need: 1) There must be a base AS. 2) The first 6 bytes must be 45 56 46 09 0D 0A (EVF header)

NOTE: We currently only support opening a single segment file since it is passed from the base address space. This address space supports stacking.

Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.addrspace.BaseAddressSpace)
  top_level_class
This is the base class of all Address Spaces. (Inherited from rekall.addrspace.BaseAddressSpace)
Instance Methods
 
__init__(self, **kwargs)
x.__init__(...) initializes x; see help(type(x)) for signature		 source code
 
cached_read_partial(self, offset, length)
Implement our own read method for caching.		 source code
 
get_mappings(self, start=0, end=18446744073709551616)
Generates a sequence of Run() objects.		 source code
 
ConfigureSession(self, session_obj)
Implement this method if you need to configure the session. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
__eq__(self, other) (Inherited from rekall.addrspace.BaseAddressSpace) source code
 
__repr__(self)
repr(x) (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
__str__(self)
str(x) (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
__unicode__(self) (Inherited from rekall.addrspace.BaseAddressSpace) source code
 
as_assert(self, assertion, error=None)
Duplicate for the assert command (so that optimizations don't disable them) (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
close(self) (Inherited from rekall.addrspace.BaseAddressSpace) source code
 
describe(self, addr)
Return a string describing an address. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
end(self) (Inherited from rekall.addrspace.BaseAddressSpace) source code
 
get_address_ranges(self, start=0, end=4503599627370495)
Generates the runs which fall between start and end. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
get_file_address_space(self, filename)
Implement this to return an address space for filename. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
get_mapped_offset(self, filename, offset)
Implement this if we can map files into this address space. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
is_valid_address(self, _addr)
Tell us if the address is valid (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
merge_base_ranges(self, start=0, end=4503599627370495)
Generates merged address ranges from get_mapping(). (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
read(self, addr, length) (Inherited from rekall.addrspace.CachingAddressSpaceMixIn) source code
 
read_partial(self, addr, length) (Inherited from rekall.addrspace.CachingAddressSpaceMixIn) source code
 
vtop(self, addr)
Return the physical address of this virtual address. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
vtop_run(self, addr)
Returns a Run object describing where addr can be read from. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
write(self, addr, buf)
Write to the address space, if writable. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods
 
ImplementationByClass(self, name) source code
 
ImplementationByName(self, name) source code
 
metadata(cls, name, default=None)
Obtain metadata about this address space. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
Class Variables
  order = 20
  CACHE_SIZE = 10 (Inherited from rekall.addrspace.CachingAddressSpaceMixIn)
  CHUNK_SIZE = 32768 (Inherited from rekall.addrspace.CachingAddressSpaceMixIn)
  classes = {'AFF4AddressSpace': <class 'rekall.plugins.addrspac... (Inherited from rekall.addrspace.BaseAddressSpace)
  classes_by_name = {'': [<class 'rekall.addrspace.BufferAddress... (Inherited from rekall.addrspace.BaseAddressSpace)
  name = '' (Inherited from rekall.addrspace.BaseAddressSpace)
  plugin_feature = 'BaseAddressSpace' (Inherited from rekall.addrspace.BaseAddressSpace)
  virtualized = False (Inherited from rekall.addrspace.BaseAddressSpace)
  volatile = False (Inherited from rekall.addrspace.BaseAddressSpace)
Properties

Inherited from object: __class__

Method Details

__init__(self, **kwargs)
(Constructor)

source code 

x.__init__(...) initializes x; see help(type(x)) for signature

Overrides: object.__init__
(inherited documentation)

cached_read_partial(self, offset, length)

source code 

Implement our own read method for caching.

Overrides: addrspace.CachingAddressSpaceMixIn.cached_read_partial

get_mappings(self, start=0, end=18446744073709551616)

source code  
Generates a sequence of Run() objects.

Each Run object describes a single range transformation from this
address space to another address space at a potentially different
mapped_offset.

Runs are assumed to not overlap and are generated in increasing order.

Args:
  start: The suggested start address we are interested in. This function
      may omit runs that lie entirely below this start address. Note:
      Runs are not adjusted to begin at the start address - it may be
      possible that this method returns a run which starts earlier than
      the specified start address.
Overrides: addrspace.BaseAddressSpace.get_mappings
(inherited documentation)

ImplementationByClass(self, name)
Class Method

source code 
Overrides: addrspace.BaseAddressSpace.ImplementationByClass

ImplementationByName(self, name)
Class Method

source code 
Overrides: addrspace.BaseAddressSpace.ImplementationByName

   Trees       Indices       Help   
Rekall Memory Forensics
Generated by Epydoc 3.0.1 on Mon Oct 9 03:27:59 2017 http://epydoc.sourceforge.net