Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group)
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
dissect
Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group).
This project is a meta package, it will install all other Dissect modules with the right combination of versions. For more information, please see the documentation.
What is Dissect?
Dissect is an incident response framework build from various parsers and implementations of file formats. Tying this all together, Dissect allows you to work with tools named target-query and target-shell to quickly gain access to forensic artefacts, such as Runkeys, Prefetch files, and Windows Event Logs, just to name a few!
Singular approach
And the best thing: all in a singular way, regardless of underlying container (E01, VMDK, QCoW), filesystem (NTFS, ExtFS, FFS), or Operating System (Windows, Linux, ESXi) structure / combination. You no longer have to bother extracting files from your forensic container, mount them (in case of VMDKs and such), retrieve the MFT, and parse it using a separate tool, to finally create a timeline to analyse. This is all handled under the hood by Dissect in a user-friendly manner.
If we take the example above, you can start analysing parsed MFT entries by just using a command like target-query -f mft <PATH_TO_YOUR_IMAGE>!
Create a lightweight container using Acquire
Dissect also provides you with a tool called acquire. You can deploy this tool on endpoint(s) to create a lightweight container of these machine(s). What is convenient as well, is that you can deploy acquire on a hypervisor to quickly create lightweight containers of all the (running) virtual machines on there! All without having to worry about file-locks. These lightweight containers can then be analysed using the tools like target-query and target-shell, but feel free to use other tools as well.
A modular setup
Dissect is made with a modular approach in mind. This means that each individual project can be used on its own (or in combination) to create a completely new tool for your engagement or future use!
Try it out now!
Interested in trying it out for yourself? You can simply pip install dissect and start using the target-* tooling right away. Or you can use the interactive playground at https://try.dissect.tools to try Dissect in your browser.
Don’t know where to start? Check out the introduction page.
Want to get a detailed overview? Check out the overview page.
Want to read everything? Check out the documentation.
Community
Join our Discord server to connect with the community and get support.
Projects
Dissect currently consists of the following projects.
- dissect.archive
- dissect.btrfs
- dissect.cim
- dissect.clfs
- dissect.cramfs
- dissect.cstruct
- dissect.esedb
- dissect.etl
- dissect.eventlog
- dissect.evidence
- dissect.executable
- dissect.extfs
- dissect.fat
- dissect.ffs
- dissect.fve
- dissect.hypervisor
- dissect.jffs
- dissect.ntfs
- dissect.ole
- dissect.qnxfs
- dissect.regf
- dissect.shellitem
- dissect.sql
- dissect.squashfs
- dissect.target
- dissect.thumbcache
- dissect.util
- dissect.vmfs
- dissect.volume
- dissect.xfs
Related
These projects are closely related to Dissect, but not installed by this meta package.
Requirements
This project is part of the Dissect framework and requires Python.
Information on the supported Python versions can be found in the Getting Started section of the documentation.
Installation
dissect is available on PyPI.
pip install dissect
Build and test instructions
This project uses tox to build source and wheel distributions. Run the following command from the root folder to build
these:
tox -e build
The build artifacts can be found in the dist/ directory.
tox is also used to run linting and unit tests in a self-contained environment. To run both linting and unit tests
using the default installed Python version, run:
tox
For a more elaborate explanation on how to build and test the project, please see the documentation.
Contributing
The Dissect project encourages any contribution to the codebase. To make your contribution fit into the project, please refer to the development guide.
Copyright and license
Dissect is released as open source by Fox-IT (https://www.fox-it.com) part of NCC Group Plc (https://www.nccgroup.com).
Developed by the Dissect Team (dissect@fox-it.com) and made available at https://github.com/fox-it/dissect.
License terms: AGPL3 (https://www.gnu.org/licenses/agpl-3.0.html). For more information, see the LICENSE file.
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file dissect-3.21.tar.gz.
File metadata
- Download URL: dissect-3.21.tar.gz
- Upload date:
- Size: 16.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d3e496408cb9417deebec810a6ae52db7192154f26cfa46cf4007d5e5afeadf2
|
|
| MD5 |
fd7c18dc155d64e73d9624f0d088ceb6
|
|
| BLAKE2b-256 |
486620462d5725fb38e33b9ef5464b8cd4f4b0a9b07055180c6656b0e29592e1
|
Provenance
The following attestation bundles were made for dissect-3.21.tar.gz:
Publisher:
dissect-ci.yml on fox-it/dissect
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
dissect-3.21.tar.gz -
Subject digest:
d3e496408cb9417deebec810a6ae52db7192154f26cfa46cf4007d5e5afeadf2 - Sigstore transparency entry: 725016943
- Sigstore integration time:
-
Permalink:
fox-it/dissect@5fa5abaeccc8753b4328a2ec410d556b3511b4d4 -
Branch / Tag:
refs/tags/3.21 - Owner: https://github.com/fox-it
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
dissect-ci.yml@5fa5abaeccc8753b4328a2ec410d556b3511b4d4 -
Trigger Event:
push
-
Statement type:
File details
Details for the file dissect-3.21-py3-none-any.whl.
File metadata
- Download URL: dissect-3.21-py3-none-any.whl
- Upload date:
- Size: 16.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1fe82677e7ebc7b17bc92f4d1990021925c6b7b036b967c3ba959e1a04a0a852
|
|
| MD5 |
fc8f4888a7eee81cec3d70b2dda88c69
|
|
| BLAKE2b-256 |
4dccb07ab1b146c42ef90365c83c0b3f58733e18207fd84745cd82f8a839168d
|
Provenance
The following attestation bundles were made for dissect-3.21-py3-none-any.whl:
Publisher:
dissect-ci.yml on fox-it/dissect
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
dissect-3.21-py3-none-any.whl -
Subject digest:
1fe82677e7ebc7b17bc92f4d1990021925c6b7b036b967c3ba959e1a04a0a852 - Sigstore transparency entry: 725016946
- Sigstore integration time:
-
Permalink:
fox-it/dissect@5fa5abaeccc8753b4328a2ec410d556b3511b4d4 -
Branch / Tag:
refs/tags/3.21 - Owner: https://github.com/fox-it
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
dissect-ci.yml@5fa5abaeccc8753b4328a2ec410d556b3511b4d4 -
Trigger Event:
push
-
Statement type:
