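dissect.ntfs.attr
Module Contents
Classes
Attribute | Parse and interact with MFT attributes.
AttributeHeader | Parse attribute headers.
AttributeRecord | Parse attribute records.
AttributeList | Specific AttributeRecord parser for $ATTRIBUTE_LIST.
StandardInformation | Specific AttributeRecord parser for $STANDARD_INFORMATION.
FileName | Specific AttributeRecord parser for $FILE_NAME.
ReparsePoint | Specific AttributeRecord parser for $REPARSE_POINT.
Attributes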
- class dissect.ntfs.attr.Attribute(header: AttributeHeader, record: dissect.ntfs.mft.MftRecord | None = None)
Parse and interact with MFT attributes.
Wrapper for an AttributeHeader and AttributeRecord combination.
- Parameters:
record – The MFT record this attribute belongs to.
header – The AttributeHeader for this Attribute.
- property type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE
Return the attribute type.
- property resident: bool
Return whether this attribute is resident or not.
- property name: str
Return the name of this attribute.
- __slots__ = ('record', 'header', 'attribute')
- __getattr__(attr: str) → Any
- __repr__() → str
Return repr(self).
- classmethod from_fh(fh: BinaryIO, record: dissect.ntfs.mft.MftRecord | None = None) → Attribute
Parse an attribute from a file-like object.
- Parameters:
fh – The file-like object to parse an attribute from.
record – The MFT record this attribute belongs to.
- classmethod from_bytes(data: bytes, record: dissect.ntfs.mft.MftRecord | None = None) → Attribute
Parse an attribute from bytes.
- Parameters:
data – The bytes to parse.
record – The MFT record this attribute belongs to.
- dataruns() → list[tuple[int, int]]
Return the dataruns of this attribute, if non-resident.
- Raises:
TypeError – If attribute is resident.
- open() → BinaryIO
Open a file-like object for this attribute’s data.
- Raises:
VolumeNotAvailableError – If no volume is available.
- data() → bytes
Read and return all the data of this attribute.
- Raises:
VolumeNotAvailableError – If no volume is available.
- class dissect.ntfs.attr.AttributeHeader(fh: BinaryIO, offset: int, record: dissect.ntfs.mft.MftRecord | None = None)
Parse attribute headers.
- Parameters:
record – The MFT record this attribute belongs to.
fh – The file-like object to parse an attribute header from.
offset – The offset in the file-like object to parse an attribute header from.
- property type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE
Return the attribute type.
- property resident: bool
Return whether this attribute is resident or not.
- property record_length: int
Return the record length of this attribute.
- property name: str
Return the name of this attribute.
- property flags: int
Return the attribute flags.
- property size: int
Return the data size of this attribute.
- property allocated_size: int | None
Return the allocated size if non-resident, else None.
- property lowest_vcn: int | None
Return the lowest VCN if non-resident, else None.
- property highest_vcn: int | None
Return the highest VCN if non-resident, else None.
- property compression_unit: int | None
Return the compression unit if non-resident, else None.
- __slots__ = ('record', 'fh', 'offset', 'header')
- __repr__() → str
Return repr(self).
- classmethod from_bytes(data: bytes, record: dissect.ntfs.mft.MftRecord | None = None) → AttributeHeader
Parse an attribute header from bytes.
- Parameters:
data – The bytes to parse.
record – The MFT record this attribute belongs to.
- dataruns() → list[tuple[int, int]]
Return the dataruns of this attribute, if non-resident.
- Raises:
TypeError – If attribute is resident.
- open() → BinaryIO
Open a file-like object for this attribute’s data.
- Raises:
VolumeNotAvailableError – If no volume is available.
- data() → bytes
Read and return all the data of this attribute.
- Raises:
VolumeNotAvailableError – If no volume is available.
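How the run list behind dataruns() is encoded on disk, as an added example that is not dissect.ntfs code: it decodes the mapping pairs of a raw non-resident attribute record with the standard library only and raises TypeError for a resident one, as documented above. The function names, the (lcn, cluster_count) tuple order with None for sparse runs, the 4 KiB cluster size behind the sample sizes, and the sample record itself are assumptions constructed for this example.

```python
from __future__ import annotations

import struct

# Constructed run list: 24 clusters at LCN 22068, 8 sparse clusters,
# 16 clusters at LCN 22068 - 16, then the 0x00 terminator.
RUNLIST = bytes.fromhex("21183456" "0108" "1110f0" "00")


def build_sample(form_code: int) -> bytes:
    """Build a constructed 80-byte $DATA (0x80) attribute record.

    form_code 0 only flips the resident flag to exercise the TypeError path.
    """
    common = struct.pack("<IIBBHHH", 0x80, 80, form_code, 0, 0, 0, 0)
    # LowestVcn, HighestVcn, MappingPairsOffset, CompressionUnit, three sizes
    nonres = struct.pack("<QQHB5xQQQ", 0, 47, 64, 0, 0x30000, 0x30000, 0x30000)
    return (common + nonres + RUNLIST).ljust(80, b"\x00")


def decode_dataruns(attr: bytes) -> list[tuple[int | None, int]]:
    """Return (lcn, cluster_count) per run; lcn is None for a sparse run."""
    _type, record_length, form_code = struct.unpack_from("<IIB", attr, 0)
    if form_code == 0:
        # Same contract as the documented dataruns(): resident data has no runs.
        raise TypeError("resident attribute has no dataruns")
    if record_length > len(attr):
        raise ValueError("record length exceeds buffer")
    (pos,) = struct.unpack_from("<H", attr, 32)  # MappingPairsOffset
    runs, lcn = [], 0
    while pos < record_length and attr[pos] != 0:
        # Header byte: low nibble = size of length field, high = size of LCN field.
        len_size, off_size = attr[pos] & 0x0F, attr[pos] >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > record_length:
            raise ValueError("malformed mapping pair")
        count = int.from_bytes(attr[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, count))  # no LCN stored: sparse run
        else:
            # The LCN field is a signed delta from the previous run's LCN.
            lcn += int.from_bytes(attr[pos:pos + off_size], "little", signed=True)
            runs.append((lcn, count))
            pos += off_size
    return runs


if __name__ == "__main__":
    print(decode_dataruns(build_sample(1)))
```

The bounds checks matter when the record comes from a damaged or untrusted image: a mapping pair whose field sizes run past the record length is rejected instead of being read from adjacent bytes.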
- class dissect.ntfs.attr.AttributeRecord(fh: BinaryIO, record: dissect.ntfs.mft.MftRecord | None = None)
Parse attribute records.
- Parameters:
record – The MFT record this attribute belongs to.
fh – The file-like object to parse an attribute record from.
- __slots__ = ('record',)
- classmethod from_fh(fh: BinaryIO, attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE, record: dissect.ntfs.mft.MftRecord | None = None) → AttributeRecord
Parse an attribute from a file-like object.
Selects a more specific AttributeRecord class if one is available for the given attribute type.
- Parameters:
fh – The file-like object to parse an attribute from.
attr_type – The attribute type to parse.
record – The MFT record this attribute belongs to.
- class dissect.ntfs.attr.AttributeList(fh: BinaryIO, record: dissect.ntfs.mft.MftRecord | None = None)
Bases: AttributeRecord
Specific AttributeRecord parser for $ATTRIBUTE_LIST.
- __slots__ = ('entries',)
- __repr__() → str
Return repr(self).
- class dissect.ntfs.attr.StandardInformation(fh: BinaryIO, record: dissect.ntfs.mft.MftRecord | None = None)
Bases: AttributeRecord
Specific AttributeRecord parser for $STANDARD_INFORMATION.
- property creation_time: datetime.datetime
Return the $STANDARD_INFORMATION CreationTime.
- property creation_time_ns: int
Return the $STANDARD_INFORMATION CreationTime in nanoseconds.
- property last_modification_time: datetime.datetime
Return the $STANDARD_INFORMATION LastModificationTime.
- property last_modification_time_ns: int
Return the $STANDARD_INFORMATION LastModificationTime in nanoseconds.
- property last_change_time: datetime.datetime
Return the $STANDARD_INFORMATION LastChangeTime.
- property last_change_time_ns: int
Return the $STANDARD_INFORMATION LastChangeTime in nanoseconds.
- property last_access_time: datetime.datetime
Return the $STANDARD_INFORMATION LastAccessTime.
- property last_access_time_ns: int
Return the $STANDARD_INFORMATION LastAccessTime in nanoseconds.
- property file_attributes: int
Return the $STANDARD_INFORMATION FileAttributes.
- property owner_id: int
Return the $STANDARD_INFORMATION OwnerId.
- property security_id: int
Return the $STANDARD_INFORMATION SecurityId.
- __slots__ = ('attr',)
- __repr__() → str
Return repr(self).
- class dissect.ntfs.attr.FileName(fh: BinaryIO, record: dissect.ntfs.mft.MftRecord | None = None)
Bases: AttributeRecord
Specific AttributeRecord parser for $FILE_NAME.
- property creation_time: datetime.datetime
Return the $FILE_NAME file CreationTime.
- property creation_time_ns: int
Return the $FILE_NAME file CreationTime in nanoseconds.
- property last_modification_time: datetime.datetime
Return the $FILE_NAME file LastModificationTime.
- property last_modification_time_ns: int
Return the $FILE_NAME file LastModificationTime in nanoseconds.
- property last_change_time: datetime.datetime
Return the $FILE_NAME file LastChangeTime.
- property last_change_time_ns: int
Return the $FILE_NAME file LastChangeTime in nanoseconds.
- property last_access_time: datetime.datetime
Return the $FILE_NAME file LastAccessTime.
- property last_access_time_ns: int
Return the $FILE_NAME file LastAccessTime in nanoseconds.
- property file_size: int
Return the $FILE_NAME file FileSize.
- property file_attributes: int
Return the $FILE_NAME file FileAttributes.
- property flags: int
Return the $FILE_NAME flags, which can be either FILE_NAME_NTFS or FILE_NAME_DOS.
- property file_name: str
Return the file name string stored in this $FILE_NAME attribute.
- __slots__ = ('attr',)
- __repr__() → str
Return repr(self).
- full_path() → str
Use the parent directory reference to try to generate a full path from this file name.
- class dissect.ntfs.attr.ReparsePoint(fh: BinaryIO, record: dissect.ntfs.mft.MftRecord | None = None)
Bases: AttributeRecord
Specific AttributeRecord parser for $REPARSE_POINT.
- property tag: dissect.ntfs.c_ntfs.IO_REPARSE_TAG
- property substitute_name: str | None
- property print_name: str | None
- property absolute: bool
- property relative: bool
- __slots__ = ('attr', 'tag_header', 'buffer')
- __repr__() → str
Return repr(self).
- dissect.ntfs.attr.ATTRIBUTE_CLASS_MAP