dissect.ntfs.mft
¶
Module Contents¶
Classes¶
- class dissect.ntfs.mft.Mft(fh: BinaryIO, ntfs: dissect.ntfs.ntfs.NTFS | None = None)¶
Interact with the
$MFT
(Master File Table).- Parameters:
fh – A file-like object of the $MFT file.
ntfs – An optional NTFS class instance.
- get(ref: int | str | dissect.cstruct.Instance, root: MftRecord | None = None) MftRecord ¶
Retrieve an MFT record using a variety of methods.
- Supported references are:
_MFT_SEGMENT_REFERENCE
cstruct instanceinteger segment number
string file path
- Parameters:
ref – Reference to retrieve the record by.
root – Optional root record to start resolving from. Useful for relative path lookups.
- Raises:
TypeError – If the reference is of an unsupported type.
- class dissect.ntfs.mft.MftRecord¶
MFT record parsing and interaction.
Use the
from_fh()
orfrom_bytes()
class methods to instantiate.- __hash__¶
- __repr__() str ¶
Return repr(self).
- __eq__(other: Any) bool ¶
Return self==value.
- classmethod from_fh(fh: BinaryIO, offset: int, ntfs: dissect.ntfs.ntfs.NTFS | None = None) MftRecord ¶
Parse an MFT record from a file-like object.
- Parameters:
fh – The file-like object to parse an MFT record from.
offset – The offset in the file-like object to parse the MFT record from.
ntfs – An optional NTFS class instance.
- classmethod from_bytes(data: bytes, ntfs: dissect.ntfs.ntfs.NTFS | None = None) MftRecord ¶
Parse an MFT record from bytes.
- Parameters:
data – The bytes object to parse an MFT record from.
ntfs – An optional NTFS class instance.
- Raises:
BrokenMftError – If the MFT record signature is invalid.
- get(path: str) MftRecord ¶
Retrieve a
MftRecord
relative to this one.- Parameters:
path – The path to lookup.
- Raises:
MftNotAvailableError – If no MFT is available.
- attributes() dissect.ntfs.util.AttributeMap ¶
Parse and return the attributes in this MFT record.
$ATTRIBUTE_LIST
’s are only parsed if there’s an MFT available on the NTFS object.- Raises:
BrokenMftError – If an error occurred parsing the attributes.
- resident() bool ¶
Return whether this record’s default
$DATA
attribute is resident.
- filename() str | None ¶
Return the first file name, or
None
if this record has no file names.
- filenames(ignore_dos: bool = False) list[str] ¶
Return all file names of this record.
- Parameters:
ignore_dos – Ignore DOS file name entries.
- full_path(ignore_dos: bool = False) str | None ¶
Return the first full path, or
None
if this record has no file names.- Parameters:
ignore_dos – Ignore DOS file name entries.
- full_paths(ignore_dos: bool = False) list[str] ¶
Return all full paths of this record.
- Parameters:
ignore_dos – Ignore DOS file name entries.
- is_dir() bool ¶
Return whether this record is a directory.
- is_file() bool ¶
Return whether this record is a file.
- is_reparse_point() bool ¶
Return whether this record is a reparse point.
- is_symlink() bool ¶
Return whether this record is a symlink reparse point.
- is_mount_point() bool ¶
Return whether this record is a mount point reparse point.
- reparse_point_name() str ¶
Return the (printable) name of this reparse point.
- reparse_point_substitute_name() str ¶
Return the substitute name of this reparse point.
- reparse_point_record() MftRecord ¶
Resolve a reparse point and return the target record.
Note: absolute links (such as directory junctions) will always fail in the context of a single filesystem. Absolute links include the drive letter, of which we have no knowledge here.
- open(name: str = '', attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE = ATTRIBUTE_TYPE_CODE.DATA, allocated: bool = False) BinaryIO ¶
Open a stream on the given stream name and type.
- Parameters:
name – The stream name, an empty string for the “default” data stream.
attr_type – The attribute type to open a stream on.
allocated – Whether to use the real stream size or the allocated stream size (i.e. include slack space).
- Raises:
FileNotFoundError – If there are no attributes with the given name and type.
- size(name: str = '', attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE = ATTRIBUTE_TYPE_CODE.DATA, allocated: bool = False) int ¶
Return the stream size of the given stream name and type.
- Parameters:
name – The stream name, an empty string for the “default” data stream.
attr_type – The attribute type to find the stream size of.
allocated – Whether to use the real stream size or the allocated stream size (i.e. include slack space).
- Raises:
FileNotFoundError – If there are no attributes with the given name and type.
- dataruns(name: str = '', attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE = ATTRIBUTE_TYPE_CODE.DATA) list[tuple[int, int]] ¶
Return the dataruns of the given stream name and type.
- Parameters:
name – The stream name, an empty string for the “default” data stream.
attr_type – The attribute type to get the dataruns of.
- Raises:
FileNotFoundError – If there are no attributes with the given name and type.
- has_stream(name: str = '', attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE = ATTRIBUTE_TYPE_CODE.DATA) bool ¶
Return whether or not this record has attributes with the given name and type.
- index(name: str) dissect.ntfs.index.Index ¶
Open an index on this record.
- Parameters:
name – The index name to open. For example,
"$I30"
.
- iterdir(dereference: bool = False, ignore_dos: bool = False) Iterator[dissect.ntfs.index.IndexEntry | MftRecord] ¶
Yield directory entries of this record.
- Parameters:
dereference – Determines whether to resolve the
IndexEntry
’s toMftRecord
’s. This impacts performance.ignore_dos – Ignore DOS file name entries.
- Raises:
NotADirectoryError – If this record is not a directory.
- listdir(dereference: bool = False, ignore_dos: bool = False) dict[str, dissect.ntfs.index.IndexEntry | MftRecord] ¶
Return a dictionary of the directory entries of this record.
- Parameters:
dereference – Determines whether to resolve the
IndexEntry
’s toMftRecord
’s. This impacts performance.ignore_dos – Ignore DOS file name entries.
- Raises:
NotADirectoryError – If this record is not a directory.