const: Constant Values

Constant values used by dbling.

common.const.IN_PAT_VAULT = re.compile('^/?home/\\.shadow/[0-9a-z]*?/vault/user/')

Regular expression pattern for including only the user’s files

common.const.ENC_PAT = re.compile('/ECRYPTFS_FNEK_ENCRYPTED\\.([^/]*)$')

Regular expression pattern for identifying encrypted files

common.const.SLICE_PAT = re.compile('.*(/home.*)')

common.const.CRX_URL = 'https://chrome.google.com/webstore/detail/%s'

URL used for downloading CRXs

common.const.ISO_TIME = '%Y-%m-%dT%H:%M:%SZ'

ISO format for date time values

common.const.DENTRY_FIELD_BYTES = 8

Number of bytes used by the dir entry fields (preceding the filename)

class common.const.FType[source]

File types as stored in directory entries in ext2, ext3, and ext4.

common.const.MODE_UNIX = {32768: 1, 16384: 2, 24576: 4, 40960: 7, 4096: 5, 8192: 3, 49152: 6}

Maps the octal values that stat returns from stat.S_IFMT to one of the regular Unix file types

common.const.TYPE_TO_NAME = {0: '-', 1: 'r', 2: 'd', 3: 'c', 4: 'b', 5: 'p', 6: 's', 7: 'l'}

Maps Unix file type numbers to the character used in DFXML to represent that file type

See: https://github.com/dfxml-working-group/dfxml_schema/blob/4c8aab566ea44d64313a5e559b1ecdce5348cecf/dfxml.xsd#L412

Other file types defined in DFXML schema

  • h - Shadow inode (Solaris)
  • w - Whiteout (OpenBSD)
  • v - Special (Used in The SleuthKit for added “Virtual” files, e.g. $FAT1)

class common.const.ModeTypeDT[source]

File types as stored in the file’s mode.

In Linux, fs.h defines these values and stores them in bits 12-15 of stat.st_mode, e.g. (i_mode >> 12) & 15. In fs.h, the names are prefixed with DT_, hence the name of this enum class. Here are the original definitions:

#define DT_UNKNOWN      0
#define DT_FIFO         1
#define DT_CHR          2
#define DT_DIR          4
#define DT_BLK          6
#define DT_REG          8
#define DT_LNK          10
#define DT_SOCK         12
#define DT_WHT          14

common.const.mode_to_unix(x)[source]

Return the UNIX version of the mode returned by stat.

common.const.ECRYPTFS_SIZE_THRESHOLDS = (84, 104, 124, 148, 168, 188, 212, 232, 252, -inf)

The index i of each value corresponds to file name lengths with lower bound 16*i and upper bound (16*(i+1))-1. Anything 16*9=144 or longer is invalid.
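
An added example (not dbling's own code) that applies the constants above to one entry of a file listing: it keeps only paths inside the user's vault, flags eCryptfs-encrypted names, bounds the plaintext name length from the encrypted name's length, and derives the DFXML type character from the stat mode. It assumes the threshold values count the whole final path component, including the ECRYPTFS_FNEK_ENCRYPTED. prefix; the function names and sample paths are constructed for illustration.

```python
import re
import stat

# Constants copied from this page.
IN_PAT_VAULT = re.compile(r'^/?home/\.shadow/[0-9a-z]*?/vault/user/')
ENC_PAT = re.compile(r'/ECRYPTFS_FNEK_ENCRYPTED\.([^/]*)$')
ECRYPTFS_SIZE_THRESHOLDS = (84, 104, 124, 148, 168, 188, 212, 232, 252, float('-inf'))
MODE_UNIX = {32768: 1, 16384: 2, 24576: 4, 40960: 7, 4096: 5, 8192: 3, 49152: 6}
TYPE_TO_NAME = {0: '-', 1: 'r', 2: 'd', 3: 'c', 4: 'b', 5: 'p', 6: 's', 7: 'l'}


def plaintext_len_bounds(enc_len):
    """Return (low, high) plaintext name length for an encrypted name length, or None."""
    # Assumption: enc_len counts the whole last path component, prefix included.
    if enc_len not in ECRYPTFS_SIZE_THRESHOLDS[:-1]:
        return None  # not a valid eCryptfs encrypted-name length
    i = ECRYPTFS_SIZE_THRESHOLDS.index(enc_len)
    return (16 * i, 16 * (i + 1) - 1)


def dfxml_type(st_mode):
    """Map a stat mode to the DFXML file type character ('-' if unrecognised)."""
    return TYPE_TO_NAME[MODE_UNIX.get(stat.S_IFMT(st_mode), 0)]


def triage(path, st_mode):
    """Describe one listing entry, or return None if it is outside the user's vault."""
    if not IN_PAT_VAULT.search(path):
        return None
    name = path.rsplit('/', 1)[-1]
    encrypted = ENC_PAT.search(path) is not None
    bounds = plaintext_len_bounds(len(name)) if encrypted else None
    return {'type': dfxml_type(st_mode), 'encrypted': encrypted, 'name_len_bounds': bounds}


# Constructed sample entries (path, st_mode); not taken from a real image.
SAMPLE = [
    ('/home/.shadow/0123abcd/vault/user/ECRYPTFS_FNEK_ENCRYPTED.' + 'A' * 60, 0o100644),
    ('/home/.shadow/0123abcd/vault/user/Extensions', 0o040700),
    ('/home/chronos/user/Downloads/a.txt', 0o100644),
]

if __name__ == '__main__':
    for p, m in SAMPLE:
        print(p[-20:], triage(p, m))
```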

common.const.ECRYPTFS_FILE_HEADER_BYTES = 8192

Number of bytes used by eCryptfs for its header

common.const.USED_FIELDS = ('_c_num_child_dirs', '_c_num_child_files', '_c_mode', '_c_depth', '_c_type')

Fields used to calculate centroids

common.const.USED_TO_DB = {'_c_type': 'type', '_c_num_child_files': 'num_files', '_c_mode': 'perms', '_c_size': 'size', '_c_ctime': 'ctime', '_c_depth': 'depth', '_c_num_child_dirs': 'num_dirs'}

Mapping of USED_FIELDS to database column names. USED_TO_DB doesn’t have the ttl_files field because it’s not explicitly stored in the graph object.