:py:mod:`dissect.ntfs.mft`
==========================

.. py:module:: dissect.ntfs.mft


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.ntfs.mft.Mft
   dissect.ntfs.mft.MftRecord


.. py:class:: Mft(fh: BinaryIO, ntfs: Optional[dissect.ntfs.ntfs.NTFS] = None)

   Interact with the ``$MFT`` (Master File Table).

   :param fh: A file-like object of the ``$MFT`` file.
   :param ntfs: An optional NTFS class instance.

   .. py:method:: __call__(ref, *args, **kwargs) -> MftRecord


   .. py:method:: root() -> MftRecord

      Return the root directory MFT record.


   .. py:method:: get(ref: Union[int, str, dissect.cstruct.Instance], root: Optional[MftRecord] = None) -> MftRecord

      Retrieve an MFT record using a variety of methods.

      Supported references are:

      - ``_MFT_SEGMENT_REFERENCE`` cstruct instance
      - integer segment number
      - string file path

      :param ref: Reference to retrieve the record by.
      :param root: Optional root record to start resolving from. Useful for relative path lookups.

      :raises TypeError: If the reference is of an unsupported type.


   .. py:method:: segments(start: int = 0, end: int = -1) -> Iterator[MftRecord]

      Yield all valid MFT records, regardless of whether they are allocated.

      :param start: The starting segment number. Use ``-1`` to start from the last segment.
      :param end: The ending segment number. Use ``-1`` to end with the last segment.


.. py:class:: MftRecord

   MFT record parsing and interaction.

   Use the :func:`~MftRecord.from_fh` or :func:`~MftRecord.from_bytes` class methods to instantiate.

   .. py:attribute:: __hash__


   .. py:method:: __repr__() -> str

      Return repr(self).


   .. py:method:: __eq__(other: Any) -> bool

      Return self==value.


   .. py:method:: from_fh(fh: BinaryIO, offset: int, ntfs: Optional[dissect.ntfs.ntfs.NTFS] = None) -> MftRecord
      :classmethod:

      Parse an MFT record from a file-like object.

      :param fh: The file-like object to parse an MFT record from.
      :param offset: The offset in the file-like object to parse the MFT record from.
      :param ntfs: An optional NTFS class instance.


   .. py:method:: from_bytes(data: bytes, ntfs: Optional[dissect.ntfs.ntfs.NTFS] = None) -> MftRecord
      :classmethod:

      Parse an MFT record from bytes.

      :param data: The bytes object to parse an MFT record from.
      :param ntfs: An optional NTFS class instance.

      :raises BrokenMftError: If the MFT record signature is invalid.


   .. py:method:: get(path: str) -> MftRecord

      Retrieve a :class:`MftRecord` relative to this one.

      :param path: The path to look up.

      :raises MftNotAvailableError: If no MFT is available.


   .. py:method:: attributes() -> dissect.ntfs.util.AttributeMap

      Parse and return the attributes in this MFT record.

      ``$ATTRIBUTE_LIST``'s are only parsed if there's an MFT available on the NTFS object.

      :raises BrokenMftError: If an error occurred parsing the attributes.


   .. py:method:: resident() -> bool

      Return whether this record's default ``$DATA`` attribute is resident.


   .. py:method:: filename() -> Optional[str]

      Return the first file name, or ``None`` if this record has no file names.


   .. py:method:: filenames(ignore_dos: bool = False) -> list[str]

      Return all file names of this record.

      :param ignore_dos: Ignore DOS file name entries.


   .. py:method:: full_path(ignore_dos: bool = False) -> Optional[str]

      Return the first full path, or ``None`` if this record has no file names.

      :param ignore_dos: Ignore DOS file name entries.


   .. py:method:: full_paths(ignore_dos: bool = False) -> list[str]

      Return all full paths of this record.

      :param ignore_dos: Ignore DOS file name entries.


   .. py:method:: is_dir() -> bool

      Return whether this record is a directory.


   .. py:method:: is_file() -> bool

      Return whether this record is a file.


   .. py:method:: is_reparse_point() -> bool

      Return whether this record is a reparse point.


   .. py:method:: is_symlink() -> bool

      Return whether this record is a symlink reparse point.


   .. py:method:: is_mount_point() -> bool

      Return whether this record is a mount point reparse point.


   .. py:method:: reparse_point_name() -> str

      Return the (printable) name of this reparse point.


   .. py:method:: reparse_point_substitute_name() -> str

      Return the substitute name of this reparse point.


   .. py:method:: reparse_point_record() -> MftRecord

      Resolve a reparse point and return the target record.

      Note: absolute links (such as directory junctions) will *always* fail in the context of a single filesystem.
      Absolute links include the drive letter, of which we have no knowledge here.


   .. py:method:: open(name: str = '', attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE = ATTRIBUTE_TYPE_CODE.DATA, allocated: bool = False) -> BinaryIO

      Open a stream on the given stream name and type.

      :param name: The stream name, an empty string for the "default" data stream.
      :param attr_type: The attribute type to open a stream on.
      :param allocated: Whether to use the real stream size or the allocated stream size (i.e. include slack space).

      :raises FileNotFoundError: If there are no attributes with the given name and type.


   .. py:method:: size(name: str = '', attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE = ATTRIBUTE_TYPE_CODE.DATA, allocated: bool = False) -> int

      Return the stream size of the given stream name and type.

      :param name: The stream name, an empty string for the "default" data stream.
      :param attr_type: The attribute type to find the stream size of.
      :param allocated: Whether to use the real stream size or the allocated stream size (i.e. include slack space).

      :raises FileNotFoundError: If there are no attributes with the given name and type.


   .. py:method:: dataruns(name: str = '', attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE = ATTRIBUTE_TYPE_CODE.DATA) -> list[tuple[int, int]]

      Return the dataruns of the given stream name and type.

      :param name: The stream name, an empty string for the "default" data stream.
      :param attr_type: The attribute type to get the dataruns of.

      :raises FileNotFoundError: If there are no attributes with the given name and type.


   .. py:method:: has_stream(name: str = '', attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE = ATTRIBUTE_TYPE_CODE.DATA) -> bool

      Return whether or not this record has attributes with the given name and type.


   .. py:method:: index(name: str) -> dissect.ntfs.index.Index

      Open an index on this record.

      :param name: The index name to open. For example, ``"$I30"``.


   .. py:method:: iterdir(dereference: bool = False, ignore_dos: bool = False) -> Iterator[Union[dissect.ntfs.index.IndexEntry, MftRecord]]

      Yield directory entries of this record.

      :param dereference: Determines whether to resolve the :class:`~dissect.ntfs.index.IndexEntry`'s
                          to :class:`MftRecord`'s. This impacts performance.
      :param ignore_dos: Ignore DOS file name entries.

      :raises NotADirectoryError: If this record is not a directory.


   .. py:method:: listdir(dereference: bool = False, ignore_dos: bool = False) -> dict[str, Union[dissect.ntfs.index.IndexEntry, MftRecord]]

      Return a dictionary of the directory entries of this record.

      :param dereference: Determines whether to resolve the :class:`~dissect.ntfs.index.IndexEntry`'s
                          to :class:`MftRecord`'s. This impacts performance.
      :param ignore_dos: Ignore DOS file name entries.

      :raises NotADirectoryError: If this record is not a directory.
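
``Mft.segments`` yields records whether or not they are allocated, and ``MftRecord.from_bytes`` rejects a record whose signature is invalid. As an added example (not dissect.ntfs code), the standalone scan below shows where those two properties sit in the on-disk record header: it checks the ``FILE`` signature, applies the update sequence fixups and reads the in-use and directory flags. The 1024-byte record size, the 512-byte fixup stride, the choice to skip records that fail fixup, and all function names are assumptions of this example.

```python
import struct

RECORD_SIZE = 1024       # assumption: common MFT record size
SECTOR_SIZE = 512        # assumption: fixup stride
FLAG_IN_USE = 0x0001     # cleared when the file is deleted
FLAG_DIRECTORY = 0x0002

def apply_fixup(record: bytes) -> bytes:
    """Restore the last two bytes of each sector from the update sequence array."""
    usa_offset, usa_count = struct.unpack_from("<HH", record, 4)
    if usa_offset + 2 * usa_count > len(record):
        raise ValueError("update sequence array out of bounds")
    usn = record[usa_offset:usa_offset + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if end > len(buf) or buf[end - 2:end] != usn:
            raise ValueError("fixup mismatch (torn or corrupt record)")
        buf[end - 2:end] = record[usa_offset + 2 * i:usa_offset + 2 * i + 2]
    return bytes(buf)

def scan_records(mft: bytes):
    """Yield (segment, in_use, is_dir, sequence) for every record that validates."""
    for segment in range(len(mft) // RECORD_SIZE):
        raw = mft[segment * RECORD_SIZE:(segment + 1) * RECORD_SIZE]
        if raw[:4] != b"FILE":
            continue  # never-used or overwritten slot
        try:
            rec = apply_fixup(raw)
        except ValueError:
            continue  # this example drops torn records instead of reporting them
        sequence, _links, _attr_off, flags = struct.unpack_from("<HHHH", rec, 16)
        yield segment, bool(flags & FLAG_IN_USE), bool(flags & FLAG_DIRECTORY), sequence

def build_record(flags: int, sequence: int) -> bytes:
    """Constructed sample record: header plus valid fixups, no attributes."""
    buf = bytearray(RECORD_SIZE)
    struct.pack_into("<4sHH", buf, 0, b"FILE", 48, 3)  # signature, USA offset, USA count
    struct.pack_into("<HHHH", buf, 16, sequence, 1, 56, flags)
    struct.pack_into("<H", buf, 48, 0xBEEF)            # update sequence number
    for end in (512, 1024):
        struct.pack_into("<H", buf, end - 2, 0xBEEF)   # sector tails carry the USN on disk
    return bytes(buf)

# Constructed input: live directory, deleted file, empty slot, record with a torn sector.
torn = bytearray(build_record(FLAG_IN_USE, 7))
torn[510] ^= 0xFF
SAMPLE_MFT = (build_record(FLAG_IN_USE | FLAG_DIRECTORY, 5) + build_record(0, 2)
              + bytes(RECORD_SIZE) + bytes(torn))
```

Segment 1 in the sample is a deleted file: its in-use flag is clear, yet the header (and, in a real ``$MFT``, its attributes) still parses, which is why unallocated records matter during an investigation.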