dissect.ntfs.index#
Module Contents#
Classes#
Generic enumeration. |
|
Open an index with he given name on the given MFT record. |
|
Represents the |
|
Represent an index buffer in |
|
Parse and interact with index entries. |
- class dissect.ntfs.index.Match#
Bases:
enum.EnumGeneric enumeration.
Derive from this class to define new enumerations.
- Less#
- Equal#
- Greater#
- class dissect.ntfs.index.Index(record: dissect.ntfs.mft.MftRecord, name: str)#
Open an index with he given name on the given MFT record.
- Parameters:
name – The index to open.
- Raises:
FileNotFoundError – If no index with that name can be found.
- __iter__() Iterator[IndexEntry]#
- index_buffer(vcn: int) IndexBuffer#
Return the
IndexBufferat the specified cluster number.- Parameters:
vcn – The virtual cluster number within the index allocation to read.
- Raises:
FileNotFoundError – If this index has no index allocation.
- search(value: Any, exact: bool = True, cmp: Callable[[IndexEntry, Any], Match] | None = None) IndexEntry#
Perform a binary search on this index.
Returns the matching node if performing an exact search. Otherwise return the first match that is greater than the search value.
- Parameters:
value – The key to search.
exact – Result must be an exact match.
cmp – Optional custom comparator function.
- Raises:
NotImplementedError – If there is no collation (comparator) function for the collation rule of this index.
KeyError – If an exact match was requested but not found.
- entries() Iterator[IndexEntry]#
Yield all
IndexEntry’s in thisIndex.
- class dissect.ntfs.index.IndexRoot(index: Index, fh: BinaryIO)#
Represents the
$INDEX_ROOT.- Parameters:
index – The
Index`class instance thisIndexRootbelongs to.fh – The file-like object to parse an index root on.
- property attribute_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE#
Return the indexed attribute type.
- property collation_rule: dissect.ntfs.c_ntfs.COLLATION#
Return the collation rule.
- property bytes_per_index_buffer: int#
Return the size of an index buffer in the index allocation in bytes.
- property clusters_per_index_buffer: int#
Return the size of an index buffer in the index allocation in clusters.
- entries() Iterator[IndexEntry]#
Yield all
IndexEntry’s in thisIndexRoot.
- class dissect.ntfs.index.IndexBuffer(index: Index, fh: BinaryIO, offset: int, size: int)#
Represent an index buffer in
$INDEX_ALLOCATION.- Parameters:
- Raises:
EOFError – If there’s not enough data available to read an index buffer.
BrokenIndexError – If the index buffer doesn’t start with the expected magic value.
- entries() Iterator[IndexEntry]#
Yield all
IndexEntry’s in thisIndexBuffer.
- class dissect.ntfs.index.IndexEntry(index: Index, fh: BinaryIO, offset: int)#
Parse and interact with index entries.
- Parameters:
index – The
Indexclass instance thisIndexEntrybelongs to.fh – The file-like object to parse an index entry on.
offset – The offset in the file-like object to parse an index entry at.
- property is_end: bool#
Return whether this entry marks the end.
- property is_node: bool#
Return whether this entry is a node.
- property node_vcn: int#
Return the node VCN if this entry is a node.
- property length: int#
Return the length of this index entry.
- property key_length: int#
Return the length of this index entry.
- dereference() dissect.ntfs.mft.MftRecord#
Dereference this
IndexEntryto the MFT record it points to.Note that the file reference is a union with the data part so only access this if you know the entry has a file reference and not a data part.
- Raises:
MftNotAvailableError – If no MFT is available.
- data() bytes#
Return the data part of this entry.
Note that the data part is a union with the file reference, so only access this if you know the entry has data and not a file reference.
- attribute() dissect.ntfs.attr.AttributeRecord | None#
Return the
dissect.ntfs.attr.AttributeRecordof the attribute contained in this entry.