dissect.ntfs.attr#
Module Contents#
Classes#
Parse and interact with MFT attributes. |
|
Parse attribute headers. |
|
Parse attribute records. |
|
Specific AttributeRecord parser for $ATTRIBUTE_LIST. |
|
Specific AttributeRecord parser for $STANDARD_INFORMATION. |
|
Specific AttributeRecord parser for $FILE_NAME. |
|
Specific AttributeRecord parser for $REPARSE_POINT. |
Attributes#
- class dissect.ntfs.attr.Attribute(header: AttributeHeader, record: Optional[dissect.ntfs.mft.MftRecord] = None)#
Parse and interact with MFT attributes.
Wrapper for an AttributeHeader and AttributeRecord combination.
- Parameters:
record – The MFT record this attribute belongs to.
header – The AttributeHeader for this Attribute.
- property type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE#
Return the attribute type.
- property resident: bool#
Return whether this attribute is resident or not.
- property name: str#
Return the name of this attribute.
- __slots__ = ('record', 'header', 'attribute')#
- __getattr__(attr: str) Any#
- __repr__() str#
Return repr(self).
- classmethod from_fh(fh: BinaryIO, record: Optional[dissect.ntfs.mft.MftRecord] = None) Attribute#
Parse an attribute from a file-like object.
- Parameters:
fh – The file-like object to parse an attribute from.
record – The MFT record this attribute belongs to.
- classmethod from_bytes(data: bytes, record: Optional[dissect.ntfs.mft.MftRecord] = None) Attribute#
Parse an attribute from bytes.
- Parameters:
data – The bytes to parse.
record – The MFT record this attribute belongs to.
- dataruns() List[Tuple[int, int]]#
Return the dataruns of this attribute, if non-resident.
- Raises:
TypeError – If attribute is resident.
- open() BinaryIO#
Open a file-like object for this attribute’s data.
- Raises:
VolumeNotAvailableError – If no volume is available.
- data() bytes#
Read and return all the data of this attribute.
- Raises:
VolumeNotAvailableError – If no volume is available.
- class dissect.ntfs.attr.AttributeHeader(fh: BinaryIO, offset: int, record: Optional[dissect.ntfs.mft.MftRecord] = None)#
Parse attribute headers.
- Parameters:
record – The MFT record this attribute belongs to.
fh – The file-like object to parse an attribute header from.
offset – The offset in the file-like object to parse an attribute header from.
- property type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE#
Return the attribute type.
- property resident: bool#
Return whether this attribute is resident or not.
- property record_length: int#
Return the record length of this attribute.
- property name: str#
Return the name of this attribute.
- property flags: int#
Return the attribute flags.
- property size: int#
Return the data size of this attribute.
- property allocated_size: Optional[int]#
Return the allocated size if non-resident, else None.
- property lowest_vcn: Optional[int]#
Return the lowest VCN if non-resident, else None.
- property highest_vcn: Optional[int]#
Return the highest VCN if non-resident, else None.
- property compression_unit: Optional[int]#
Return the compression unit if non-resident, else None.
- __slots__ = ('record', 'fh', 'offset', 'header')#
- __repr__() str#
Return repr(self).
- classmethod from_bytes(data: bytes, record: Optional[dissect.ntfs.mft.MftRecord] = None) AttributeHeader#
Parse an attribute header from bytes.
- Parameters:
data – The bytes to parse.
record – The MFT record this attribute belongs to.
- dataruns() List[Tuple[int, int]]#
Return the dataruns of this attribute, if non-resident.
- Raises:
TypeError – If attribute is resident.
- open() BinaryIO#
Open a file-like object for this attribute’s data.
- Raises:
VolumeNotAvailableError – If no volume is available.
- data() bytes#
Read and return all the data of this attribute.
- Raises:
VolumeNotAvailableError – If no volume is available.
- class dissect.ntfs.attr.AttributeRecord(fh: BinaryIO, record: Optional[dissect.ntfs.mft.MftRecord] = None)#
Parse attribute records.
- Parameters:
record – The MFT record this attribute belongs to.
fh – The file-like object to parse an attribute record from.
- __slots__ = ('record',)#
- classmethod from_fh(fh: BinaryIO, attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE, record: Optional[dissect.ntfs.mft.MftRecord] = None) AttributeRecord#
Parse an attribute from a file-like object.
Selects a more specific AttributeRecord class if one is available for the given attribute type.
- Parameters:
fh – The file-like object to parse an attribute from.
attr_type – The attribute type to parse.
record – The MFT record this attribute belongs to.
- class dissect.ntfs.attr.AttributeList(fh: BinaryIO, record: Optional[dissect.ntfs.mft.MftRecord] = None)#
Bases:
AttributeRecordSpecific AttributeRecord parser for $ATTRIBUTE_LIST.
- __slots__ = ('entries',)#
- __repr__() str#
Return repr(self).
- class dissect.ntfs.attr.StandardInformation(fh: BinaryIO, record: Optional[dissect.ntfs.mft.MftRecord] = None)#
Bases:
AttributeRecordSpecific AttributeRecord parser for $STANDARD_INFORMATION.
- property creation_time: datetime.datetime#
Return the $STANDARD_INFORMATION CreationTime.
- property creation_time_ns: int#
Return the $STANDARD_INFORMATION CreationTime in nanoseconds.
- property last_modification_time: datetime.datetime#
Return the $STANDARD_INFORMATION LastModificationTime.
- property last_modification_time_ns: int#
Return the $STANDARD_INFORMATION LastModificationTime in nanoseconds.
- property last_change_time: datetime.datetime#
Return the $STANDARD_INFORMATION LastChangeTime.
- property last_change_time_ns: int#
Return the $STANDARD_INFORMATION LastChangeTime in nanoseconds.
- property last_access_time: datetime.datetime#
Return the $STANDARD_INFORMATION LastAccessTime.
- property last_access_time_ns: int#
Return the $STANDARD_INFORMATION LastAccessTime in nanoseconds.
- property file_attributes: int#
Return the $STANDARD_INFORMATION FileAttributes.
- property owner_id: int#
Return the $STANDARD_INFORMATION OwnerId.
- property security_id: int#
Return the $STANDARD_INFORMATION SecurityId.
- __slots__ = ('attr',)#
- __repr__() str#
Return repr(self).
- class dissect.ntfs.attr.FileName(fh: BinaryIO, record: Optional[dissect.ntfs.mft.MftRecord] = None)#
Bases:
AttributeRecordSpecific AttributeRecord parser for $FILE_NAME.
- property creation_time: datetime.datetime#
Return the $FILE_NAME file CreationTime.
- property creation_time_ns: int#
Return the $FILE_NAME file CreationTime in nanoseconds.
- property last_modification_time: datetime.datetime#
Return the $FILE_NAME file LastModificationTime.
- property last_modification_time_ns: int#
Return the $FILE_NAME file LastModificationTime in nanoseconds.
- property last_change_time: datetime.datetime#
Return the $FILE_NAME file LastChangeTime.
- property last_change_time_ns: int#
Return the $FILE_NAME file LastChangeTime in nanoseconds.
- property last_access_time: datetime.datetime#
Return the $FILE_NAME file LastAccessTime.
- property last_access_time_ns: int#
Return the $FILE_NAME file LastAccessTime in nanoseconds.
- property file_size: int#
Return the $FILE_NAME file FileSize.
- property file_attributes: int#
Return the $FILE_NAME file FileAttributes.
- property flags: int#
Return the $FILE_NAME flags, which can be either FILE_NAME_NTFS or FILE_NAME_DOS.
- property file_name: str#
Return the file name string stored in this $FILE_NAME attribute.
- __slots__ = ('attr',)#
- __repr__() str#
Return repr(self).
- full_path() str#
Use the parent directory reference to try to generate a full path from this file name.
- class dissect.ntfs.attr.ReparsePoint(fh: BinaryIO, record: Optional[dissect.ntfs.mft.MftRecord] = None)#
Bases:
AttributeRecordSpecific AttributeRecord parser for $REPARSE_POINT.
- property tag: dissect.ntfs.c_ntfs.IO_REPARSE_TAG#
- property substitute_name: str#
- property print_name: str#
- property absolute: bool#
- property relative: bool#
- __slots__ = ('attr', 'tag_header', 'buffer')#
- __repr__() str#
Return repr(self).
- dissect.ntfs.attr.ATTRIBUTE_CLASS_MAP#