The fslib project contains a collection of packages to parse file systems, archives and similar data. The included packages can be used to access disk images of with different partitioning and file systems. Additionally, file systems for live access to the currently mounted file system and registry (on Windows) are implemented.
All filesystems implement io/fs.
- Native OS file system (directory listing for Windows root provides list of drives)
- Windows Registry (live not from files)
- NTFS
- FAT16
- MBR
- GPT
- Buffer FS: Buffer accessed files of an underlying file system
- System FS: Similar to the native OS file system, but falls back to NTFS on failing access on Windows
- zipfs: A zip file system
- β Recursive FS: Access container files on file systems recursively, e.g.
"ntfs.dd/forensic.zip/Computer forensics - Wikipedia.pdf"
go get -u github.com/forensicanalysis/fslibfunc main() {
// Read the root directory on an NTFS disk image.
// open the disk image
image, _ := os.Open("filesystem/ntfs.dd")
// parse the file system
fsys, _ := ntfs.New(image)
// get filenames
entries, _ := fs.ReadDir(fsys, ".")
var filenames []string
for _, entry := range entries {
filenames = append(filenames, entry.Name())
}
// print filenames
fmt.Println(filenames)
}For feedback, questions and discussions you can use the Open Source DFIR Slack.