maurermj08 edited this page Sep 10, 2016 · 1 revision

vftools

Virtual File Tools (vftools) is a small collection of Sleuth Kit-esque command-line digital forensics tools designed to provide read-only access to a wide range of digital storage. It is built on top of dfVFS. In addition, vftools comes with a helper library called dfvfs_util.py.

Install

Installation on Ubuntu is quite simple. Download vftools from GitHub and unzip the file. Then run the install.sh script as root.

# Install vftools
wget https://github.com/maurermj08/vftools/archive/master.zip
unzip master.zip
cd vftools-*
sudo ./install.sh

Tools

Currently vftools comes with the following tools:

  • vfls - Lists files and directories
  • vfcat - Outputs the file to stdout
  • vfinfo - Displays pathspec/partition info

vfls

The vfls command lists the files and directories of an evidence item or pathspec, much like fls. By default, it prints to standard out in a format similar to fls. It also supports output to JSON, to a Jinja2 template, and to Elasticsearch.

usage: vfls [-h] [-c CUSTOM] [-e ELASTIC] [-i INDEX] [-l] [-n] [-j] [-q] [-r]
            [-v] [-z TIMEZONE]
            pathspec

Lists the files and directories of an evidence item or pathspec.

positional arguments:
  pathspec              Encoded pathspec or path to evidence

optional arguments:
  -h, --help            show this help message and exit
  -c CUSTOM, --custom CUSTOM
                        Outputs using a custom Jinja2 template, e.g. "{{ name
                        }}, {{ pathspec }}".
  -e ELASTIC, --elastic ELASTIC
                        Outputs results to the specified Elasticsearch URL,
                        e.g. localhost:9200.
  -i INDEX, --index INDEX
                        The Elasticsearch index.
  -l, --longformat      Display file details in long format: type, inode,
                        name, mod, acc, chg, cre, size, uid, gid.
  -n, --nopathspec      Hides the pathspec
  -j, --json            Outputs data to json object.
  -q, --quotepathspec   Puts single quotes around the pathspec, ignored if
                        nopathspec
  -r, --recursive       Recursively display directories
  -v, --version         Prints version
  -z TIMEZONE, --timezone TIMEZONE
                        The case sensitive tz database timezones, i.e. GMT,
                        "America/Los_Angeles. Default UTC.

vfcat

The vfcat command outputs the contents of the file at the provided pathspec to standard out.

usage: vfcat [-h] [-v] pathspec

Outputs the contents of a file based on its pathspec.

positional arguments:
  pathspec       Encoded pathspec

optional arguments:
  -h, --help     show this help message and exit
  -v, --version  Prints version
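
An added example (not part of vftools or its wiki): a shell helper that wraps vfcat to extract one file, refuse to overwrite existing output, and log the SHA-256 of the bytes written. The function name vf_extract, the default log file name and the log line layout are assumptions; the pathspec is whatever vfls or vfinfo printed.

```bash
# Added example. vf_extract, extraction.log and the log layout are
# hypothetical names chosen here; only vfcat itself comes from vftools.
#
# usage: vf_extract PATHSPEC OUTFILE [LOGFILE]
#   e.g. vf_extract '<encoded pathspec from vfls -q>' ./export/file.bin
# Prints the SHA-256 of the extracted file and appends one tab-separated
# line to LOGFILE: UTC time, sha256, size in bytes, output file, pathspec.
vf_extract() {
    local pathspec="$1" outfile="$2" logfile="${3:-extraction.log}"
    local tmp digest size

    if [ -z "$pathspec" ] || [ -z "$outfile" ]; then
        echo "usage: vf_extract PATHSPEC OUTFILE [LOGFILE]" >&2
        return 2
    fi
    # Never clobber a file that was exported earlier.
    if [ -e "$outfile" ]; then
        echo "refusing to overwrite $outfile" >&2
        return 3
    fi

    # Write to a temporary name first so a failed vfcat never leaves a
    # partial file under the final name.
    tmp=$(mktemp "${outfile}.XXXXXX") || return 1
    if ! vfcat "$pathspec" > "$tmp"; then
        rm -f "$tmp"
        echo "vfcat failed for pathspec: $pathspec" >&2
        return 1
    fi

    digest=$(sha256sum "$tmp" | cut -d' ' -f1)
    size=$(wc -c < "$tmp" | tr -d ' ')
    chmod 0444 "$tmp"    # keep the exported copy read-only
    mv "$tmp" "$outfile"

    printf '%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$digest" "$size" \
        "$outfile" "$pathspec" >> "$logfile"
    printf '%s\n' "$digest"
}
```
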

vfinfo

The vfinfo command provides the pathspec information about a given file. This command is unique in that it can be run against any file (not just an image) to obtain the pathspec. This feature can be useful for viewing local files with Efetch.

usage: vfinfo [-h] [-v] [-q] pathspec

Gets the pathspec and other information from an evidence item or pathspec.

positional arguments:
  pathspec             Encoded pathspec or path to evidence

optional arguments:
  -h, --help           show this help message and exit
  -v, --version        Prints version
  -q, --quotepathspec  Puts single quotes around the pathspec