:py:mod:`dissect.target.plugins.filesystem.ntfs.mft`
====================================================

.. py:module:: dissect.target.plugins.filesystem.ntfs.mft


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.filesystem.ntfs.mft.MftPlugin


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.plugins.filesystem.ntfs.mft.iter_records
   dissect.target.plugins.filesystem.ntfs.mft.compact_formatter
   dissect.target.plugins.filesystem.ntfs.mft.default_formatter
   dissect.target.plugins.filesystem.ntfs.mft.macb_aggregator
   dissect.target.plugins.filesystem.ntfs.mft.format_timeline_info
   dissect.target.plugins.filesystem.ntfs.mft.format_body_info
   dissect.target.plugins.filesystem.ntfs.mft.format_none_value


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.filesystem.ntfs.mft.FilesystemStdCompactRecord
   dissect.target.plugins.filesystem.ntfs.mft.FilesystemStdRecord
   dissect.target.plugins.filesystem.ntfs.mft.FilesystemFilenameCompactRecord
   dissect.target.plugins.filesystem.ntfs.mft.FilesystemFilenameRecord
   dissect.target.plugins.filesystem.ntfs.mft.FilesystemMACBRecord
   dissect.target.plugins.filesystem.ntfs.mft.RECORD_TYPES
   dissect.target.plugins.filesystem.ntfs.mft.COMPACT_RECORD_TYPES
   dissect.target.plugins.filesystem.ntfs.mft.FORMAT_INFO


.. py:data:: FilesystemStdCompactRecord

.. py:data:: FilesystemStdRecord

.. py:data:: FilesystemFilenameCompactRecord

.. py:data:: FilesystemFilenameRecord

.. py:data:: FilesystemMACBRecord

.. py:data:: RECORD_TYPES

.. py:data:: COMPACT_RECORD_TYPES

.. py:data:: FORMAT_INFO

.. py:class:: MftPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   NTFS MFT plugin.

   .. py:attribute:: __namespace__
      :value: 'mft'

      Defines the plugin namespace.

   .. py:attribute:: ntfs_filesystems

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an :class:`UnsupportedPluginError`.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: records(compact: bool = False, fs: int | None = None, start: int = 0, end: int = -1, macb: bool = False) -> collections.abc.Iterator[FilesystemStdRecord | FilesystemFilenameRecord | FilesystemStdCompactRecord | FilesystemFilenameCompactRecord]

      Return the MFT records of all NTFS filesystems.

      The Master File Table (MFT) contains primarily metadata about every file and folder on an NTFS filesystem.

      If the filesystem is part of a virtual NTFS filesystem (a ``VirtualFilesystem`` with the MFT properties
      added to it through a "fake" ``NtfsFilesystem``), the paths returned in the MFT records are based on the
      mount point of the ``VirtualFilesystem``. This ensures that the proper original drive letter is used when
      available.
      When no drive letter can be determined, the path will show as e.g. ``\$fs$\fs0``.

      .. rubric:: References

      - https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table

   .. py:attribute:: __call__

      Return the records of all exported methods.

      :raises PluginError: If the subclass is not a namespace plugin.

   .. py:method:: timeline(ignore_dos: bool = False) -> collections.abc.Iterator[str]

      Return the MFT records of all NTFS filesystems in a human readable format (unsorted).

      The Master File Table (MFT) contains metadata about every file and folder on an NTFS filesystem.

      If the filesystem is part of a virtual NTFS filesystem (a ``VirtualFilesystem`` with the MFT properties
      added to it through a "fake" ``NtfsFilesystem``), the paths returned in the MFT records are based on the
      mount point of the ``VirtualFilesystem``. This ensures that the proper original drive letter is used when
      available.
      When no drive letter can be determined, the path will show as e.g. ``\$fs$\fs0``.

      .. rubric:: References

      - https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table

   .. py:method:: body() -> collections.abc.Iterator[str]

      Return the MFT records of all NTFS filesystems in bodyfile format.

      The file mode is not accurate. This value was only added to indicate if a record is a file or directory.

      The Master File Table (MFT) contains metadata about every file and folder on an NTFS filesystem.

      If the filesystem is part of a virtual NTFS filesystem (a ``VirtualFilesystem`` with the MFT properties
      added to it through a "fake" ``NtfsFilesystem``), the paths returned in the MFT records are based on the
      mount point of the ``VirtualFilesystem``. This ensures that the proper original drive letter is used when
      available.
      When no drive letter can be determined, the path will show as e.g. ``\$fs$\fs0``.

      .. rubric:: References

      - https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table
      - https://wiki.sleuthkit.org/index.php?title=Body_file

.. py:function:: iter_records(record: dissect.ntfs.MftRecord, segment: int, path: str, owner: str, size: int, resident: bool, inuse: bool, drive_letter: str, volume_uuid: str, record_formatter: collections.abc.Callable, target: dissect.target.target.Target) -> collections.abc.Iterator[flow.record.Record]

.. py:function:: compact_formatter(attr: dissect.ntfs.attr.Attribute, record_type: dissect.target.plugins.filesystem.ntfs.utils.InformationType, **kwargs) -> collections.abc.Iterator[FilesystemStdCompactRecord | FilesystemFilenameCompactRecord]

.. py:function:: default_formatter(attr: dissect.ntfs.attr.Attribute, record_type: dissect.target.plugins.filesystem.ntfs.utils.InformationType, **kwargs) -> collections.abc.Iterator[FilesystemStdRecord | FilesystemFilenameRecord]

.. py:function:: macb_aggregator(records: collections.abc.Iterator[flow.record.Record]) -> collections.abc.Iterator[flow.record.Record]

.. py:function:: format_timeline_info(segment: int, path: str, info: _Info, attr: dissect.ntfs.attr.FileName | dissect.ntfs.attr.StandardInformation, attr_type: dissect.target.plugins.filesystem.ntfs.utils.InformationType, idx: str = '') -> collections.abc.Iterator[str]

.. py:function:: format_body_info(md5: str = '0', name: str = '0', inode: int = 0, mode_as_string: str = '0', uid: int = 0, gid: int = 0, size: int = 0, atime: int = 0, mtime: int = 0, ctime: int = 0, crtime: int = 0) -> str

.. py:function:: format_none_value(value: Any) -> str | Any

   Format the value if it is ``None``.
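
An added example, not code from dissect.target: a standalone sketch of how bodyfile lines in the field order of ``format_body_info`` can be folded into a MACB timeline during triage. The helper names ``parse_body_line`` and ``macb_timeline`` and the sample lines are hypothetical, and the code assumes the pipe-separated Sleuth Kit bodyfile layout referenced above rather than reproducing ``macb_aggregator``.

```python
from collections import defaultdict
from datetime import datetime, timezone

# TSK 3.x bodyfile field order; same order as the format_body_info parameters.
FIELDS = ("md5", "name", "inode", "mode_as_string", "uid", "gid",
          "size", "atime", "mtime", "ctime", "crtime")
# Flag position per timestamp. On NTFS, "c" is the MFT entry change time.
MACB = {"mtime": 0, "atime": 1, "ctime": 2, "crtime": 3}


def parse_body_line(line):
    """Split one bodyfile line into a dict, tolerating '|' inside the name."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) < len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    # md5 comes first and the last nine fields are fixed; the rest is the name.
    return dict(zip(FIELDS, [parts[0], "|".join(parts[1:-9]), *parts[-9:]]))


def macb_timeline(lines):
    """Return sorted (utc_iso, flags, name) rows, merging equal timestamps."""
    merged = defaultdict(lambda: ["."] * 4)
    for line in lines:
        entry = parse_body_line(line)
        for field, pos in MACB.items():
            ts = int(entry[field])
            if ts > 0:  # 0 is the bodyfile placeholder for "no value"
                merged[(ts, entry["name"])][pos] = "macb"[pos]
    return [
        (datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(), "".join(f), name)
        for (ts, name), f in sorted(merged.items())
    ]


# Constructed sample lines (not output from a real target); the mode strings
# are placeholders that only distinguish file from directory.
SAMPLE = [
    r"0|c:\Users\alice\report.docx|4242|r/rrwxrwxrwx|0|0|1024|1700000300|1700000200|1700000200|1700000100",
    r"0|c:\Windows\Temp|77|d/drwxrwxrwx|0|0|0|1700000100|1700000100|1700000100|1700000100",
]

if __name__ == "__main__":
    for row in macb_timeline(SAMPLE):
        print(*row)
```

A row flagged ``macb`` has all four timestamps identical, while split flags such as ``m.c.`` and ``...b`` show which timestamps moved independently.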