dissect.ntfs.index#
Module Contents#
Classes#
Generic enumeration. |
|
Open an index with he given name on the given MFT record. |
|
Represents the $INDEX_ROOT. |
|
Represent an index buffer in $INDEX_ALLOCATION. |
|
Parse and interact with index entries. |
- class dissect.ntfs.index.Match#
Bases:
enum.EnumGeneric enumeration.
Derive from this class to define new enumerations.
- Less#
- Equal#
- Greater#
- class dissect.ntfs.index.Index(record: dissect.ntfs.mft.MftRecord, name: str)#
Open an index with he given name on the given MFT record.
- Parameters:
name – The index to open.
- Raises:
FileNotFoundError – If no index with that name can be found.
- __iter__() Iterator[IndexEntry]#
- index_buffer(vcn: int) IndexBuffer#
Return the IndexBuffer at the specified cluster number.
- Parameters:
vcn – The virtual cluster number within the index allocation to read.
- Raises:
FileNotFoundError – If this index has no index allocation.
- search(value: Any, exact: bool = True, cmp: Optional[Callable[[IndexEntry, Any], Match]] = None) IndexEntry#
Perform a binary search on this index.
Returns the matching node if performing an exact search. Otherwise return the first match that is greater than the search value.
- Parameters:
value – The key to search.
exact – Result must be an exact match.
cmp – Optional custom comparator function.
- Raises:
NotImplementedError – If there is no collation (comparator) function for the collation rule of this index.
KeyError – If an exact match was requested but not found.
- entries() Iterator[IndexEntry]#
Yield all IndexEntry’s in this Index.
- class dissect.ntfs.index.IndexRoot(index: Index, fh: BinaryIO)#
Represents the $INDEX_ROOT.
- Parameters:
index – The Index class instance this IndexRoot belongs to.
fh – The file-like object to parse an index root on.
- property attribute_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE#
Return the indexed attribute type.
- property collation_rule: dissect.ntfs.c_ntfs.COLLATION#
Return the collation rule.
- property bytes_per_index_buffer: int#
Return the size of an index buffer in the index allocation in bytes.
- property clusters_per_index_buffer: int#
Return the size of an index buffer in the index allocation in clusters.
- entries() Iterator[IndexEntry]#
Yield all IndexEntry’s in this IndexRoot.
- class dissect.ntfs.index.IndexBuffer(index: Index, fh: BinaryIO, offset: int, size: int)#
Represent an index buffer in $INDEX_ALLOCATION.
- Parameters:
index – The Index class instance this IndexRoot belongs to.
fh – The file-like object of $INDEX_ALLOCATION.
offset – The offset in bytes to the index buffer on the file-like object we want to read.
size – The size of the index buffer in bytes.
- Raises:
EOFError – If there’s not enough data available to read an index buffer.
BrokenIndexError – If the index buffer doesn’t start with the expected magic value.
- entries() Iterator[IndexEntry]#
Yield all IndexEntry’s in this IndexBuffer.
- class dissect.ntfs.index.IndexEntry(index: Index, fh: BinaryIO, offset: int)#
Parse and interact with index entries.
- Parameters:
index – The Index class instance this IndexEntry belongs to.
fh – The file-like object to parse an index entry on.
offset – The offset in the file-like object to parse an index entry at.
- property is_end: bool#
Return whether this entry marks the end.
- property is_node: bool#
Return whether this entry is a node.
- property node_vcn: int#
Return the node VCN if this entry is a node.
- property length: int#
Return the length of this index entry.
- property key_length: int#
Return the length of this index entry.
- dereference() dissect.ntfs.mft.MftRecord#
Dereference this IndexEntry to the MFT record it points to.
Note that the file reference is a union with the data part so only access this if you know the entry has a file reference and not a data part.
- Raises:
MftNotAvailableError – If no MFT is available.
- data() bytes#
Return the data part of this entry.
Note that the data part is a union with the file reference, so only access this if you know the entry has data and not a file reference.
- attribute() Optional[dissect.ntfs.attr.AttributeRecord]#
Return the AttributeRecord of the attribute contained in this entry.