dissect.ntfs.ntfs
¶
Module Contents¶
Classes¶
Implementation for Microsoft NTFS. |
- class dissect.ntfs.ntfs.NTFS(fh: BinaryIO | None = None, boot: BinaryIO | None = None, mft: BinaryIO | None = None, usnjrnl: BinaryIO | None = None, sds: BinaryIO | None = None)¶
Implementation for Microsoft NTFS.
This implementation supports parsing NTFS from either a full NTFS volume or from separate files. If you have a file-like object of an NTFS volume, simply pass it as the fh argument. If you have separate file-like objects for things like
$BOOT
or$MFT
, pass those as the boot and mft arguments. The separate arguments take precedence over parsing from the volume file-like object.- Parameters:
fh – A file-like object for the volume to use for parsing NTFS. This is where “data on disk” is read from.
boot – A file-like object for the
$BOOT
file.mft – A file-like object for the
$MFT
file.usnjrnl – A file-like object for the
$Extend/$Usnjrnl:$J
file.sds – A file-like object for the
$Secure:$SDS
file.
- serial() int | None ¶
- volume_name() str | None ¶