dissect.ntfs.attr

Module Contents

Classes

Attribute	Parse and interact with MFT attributes.
AttributeHeader	Parse attribute headers.
AttributeRecord	Parse attribute records.
AttributeList	Specific AttributeRecord parser for $ATTRIBUTE_LIST.
StandardInformation	Specific AttributeRecord parser for $STANDARD_INFORMATION.
FileName	Specific AttributeRecord parser for $FILE_NAME.
ReparsePoint	Specific AttributeRecord parser for $REPARSE_POINT.

Attributes

ATTRIBUTE_CLASS_MAP

class dissect.ntfs.attr.Attribute(header: AttributeHeader, record: dissect.ntfs.mft.MftRecord | None = None)

Parse and interact with MFT attributes.

Wrapper for an AttributeHeader and AttributeRecord combination.

Parameters:

• record – The MFT record this attribute belongs to.

• header – The AttributeHeader for this Attribute.

property type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE

Return the attribute type.

property resident: bool

Return whether this attribute is resident or not.

property name: str

Return the name of this attribute.

__slots__ = ('record', 'header', 'attribute')

__getattr__(attr: str) → Any

__repr__() → str

Return repr(self).

classmethod from_fh(fh: BinaryIO, record: dissect.ntfs.mft.MftRecord | None = None) → Attribute

Parse an attribute from a file-like object.

Parameters:

• fh – The file-like object to parse an attribute from.

• record – The MFT record this attribute belongs to.

classmethod from_bytes(data: bytes, record: dissect.ntfs.mft.MftRecord | None = None) → Attribute

Parse an attribute from bytes.

Parameters:

• data – The bytes to parse.

• record – The MFT record this attribute belongs to.

dataruns() → list[tuple[int, int]]

Return the dataruns of this attribute, if non-resident.

Raises:

TypeError – If attribute is resident.

open() → BinaryIO

Open a file-like object for this attribute’s data.

Raises:

VolumeNotAvailableError – If no volume is available.

data() → bytes

Read and return all the data of this attribute.

Raises:

VolumeNotAvailableError – If no volume is available.

class dissect.ntfs.attr.AttributeHeader(fh: BinaryIO, offset: int, record: dissect.ntfs.mft.MftRecord | None = None)

Parse attribute headers.

Parameters:

• record – The MFT record this attribute belongs to.

• fh – The file-like object to parse an attribute header from.

• offset – The offset in the file-like object to parse an attribute header from.

property type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE

Return the attribute type.

property resident: bool

Return whether this attribute is resident or not.

property record_length: int

Return the record length of this attribute.

property name: str

Return the name of this attribute.

property flags: int

Return the attribute flags.

property size: int

Return the data size of this attribute.

property allocated_size: int | None

Return the allocated size if non-resident, else None.

property lowest_vcn: int | None

Return the lowest VCN if non-resident, else None.

property highest_vcn: int | None

Return the highest VCN if non-resident, else None.

property compression_unit: int | None

Return the compression unit if non-resident, else None.

__slots__ = ('record', 'fh', 'offset', 'header')

__repr__() → str

Return repr(self).

classmethod from_bytes(data: bytes, record: dissect.ntfs.mft.MftRecord | None = None) → AttributeHeader

Parse an attribute header from bytes.

Parameters:

• data – The bytes to parse.

• record – The MFT record this attribute belongs to.

dataruns() → list[tuple[int, int]]

Return the dataruns of this attribute, if non-resident.

Raises:

TypeError – If attribute is resident.

open() → BinaryIO

Open a file-like object for this attribute’s data.

Raises:

VolumeNotAvailableError – If no volume is available.

data() → bytes

Read and return all the data of this attribute.

Raises:

VolumeNotAvailableError – If no volume is available.

class dissect.ntfs.attr.AttributeRecord(fh: BinaryIO, record: dissect.ntfs.mft.MftRecord | None = None)

Parse attribute records.

Parameters:

• record – The MFT record this attribute belongs to.

• fh – The file-like object to parse an attribute record from.

__slots__ = ('record',)

classmethod from_fh(fh: BinaryIO, attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE, record: dissect.ntfs.mft.MftRecord | None = None) → AttributeRecord

Parse an attribute from a file-like object.

Selects a more specific AttributeRecord class if one is available for the given attribute type.

Parameters:

• fh – The file-like object to parse an attribute from.

• attr_type – The attribute type to parse.

• record – The MFT record this attribute belongs to.

class dissect.ntfs.attr.AttributeList(fh: BinaryIO, record: dissect.ntfs.mft.MftRecord | None = None)

Bases: AttributeRecord

Specific AttributeRecord parser for $ATTRIBUTE_LIST.

__slots__ = ('entries',)

__repr__() → str

Return repr(self).

attributes() → Iterator[Attribute]

Iterate all entries within this $ATTRIBUTE_LIST and yield all embedded attributes.

class dissect.ntfs.attr.StandardInformation(fh: BinaryIO, record: dissect.ntfs.mft.MftRecord | None = None)

Bases: AttributeRecord

Specific AttributeRecord parser for $STANDARD_INFORMATION.

property creation_time: datetime.datetime

Return the $STANDARD_INFORMATION CreationTime.

property creation_time_ns: int

Return the $STANDARD_INFORMATION CreationTime in nanoseconds.

property last_modification_time: datetime.datetime

Return the $STANDARD_INFORMATION LastModificationTime.

property last_modification_time_ns: int

Return the $STANDARD_INFORMATION LastModificationTime in nanoseconds.

property last_change_time: datetime.datetime

Return the $STANDARD_INFORMATION LastChangeTime.

property last_change_time_ns: int

Return the $STANDARD_INFORMATION LastChangeTime in nanoseconds.

property last_access_time: datetime.datetime

Return the $STANDARD_INFORMATION LastAccessTime.

property last_access_time_ns: int

Return the $STANDARD_INFORMATION LastAccessTime in nanoseconds.

property file_attributes: int

Return the $STANDARD_INFORMATION FileAttributes.

property owner_id: int

Return the $STANDARD_INFORMATION OwnerId.

property security_id: int

Return the $STANDARD_INFORMATION SecurityId.

__slots__ = ('attr',)

__repr__() → str

Return repr(self).

class dissect.ntfs.attr.FileName(fh: BinaryIO, record: dissect.ntfs.mft.MftRecord | None = None)

Bases: AttributeRecord

Specific AttributeRecord parser for $FILE_NAME.

property creation_time: datetime.datetime

Return the $FILE_NAME``file ``CreationTime.

property creation_time_ns: int

Return the $FILE_NAME file CreationTime in nanoseconds.

property last_modification_time: datetime.datetime

Return the $FILE_NAME file LastModificationTime.

property last_modification_time_ns: int

Return the $FILE_NAME file LastModificationTime in nanoseconds.

property last_change_time: datetime.datetime

Return the $FILE_NAME file LastChangeTime.

property last_change_time_ns: int

Return the $FILE_NAME file LastChangeTime in nanoseconds.

property last_access_time: datetime.datetime

Return the $FILE_NAME file LastAccessTime.

property last_access_time_ns: int

Return the $FILE_NAME file LastAccessTime in nanoseconds.

property file_size: int

Return the $FILE_NAME file FileSize.

property file_attributes: int

Return the $FILE_NAME file FileAttributes.

property flags: int

Return the $FILE_NAME flags, which can be either FILE_NAME_NTFS or FILE_NAME_DOS.

property file_name: str

Return the file name string stored in this $FILE_NAME attribute.

__slots__ = ('attr',)

__repr__() → str

Return repr(self).

full_path() → str

Use the parent directory reference to try to generate a full path from this file name.

class dissect.ntfs.attr.ReparsePoint(fh: BinaryIO, record: dissect.ntfs.mft.MftRecord | None = None)

Bases: AttributeRecord

Specific AttributeRecord parser for $REPARSE_POINT.

property tag: dissect.ntfs.c_ntfs.IO_REPARSE_TAG

property substitute_name: str | None

property print_name: str | None

property absolute: bool

property relative: bool

__slots__ = ('attr', 'tag_header', 'buffer')

__repr__() → str

Return repr(self).

dissect.ntfs.attr.ATTRIBUTE_CLASS_MAP