`dissect.ntfs.mft`#

Module Contents#

Classes#

`Mft`	Interact with the $MFT (Master File Table).
`MftRecord`	MFT record parsing and interaction.

class dissect.ntfs.mft.Mft(fh: BinaryIO, ntfs: Optional[dissect.ntfs.ntfs.NTFS] = None)#

Interact with the $MFT (Master File Table).

Parameters:

fh – A file-like object of the $MFT file.
ntfs – An optional NTFS class instance.

__call__(ref, *args, **kwargs) → MftRecord#

root() → MftRecord#: Return the root directory MFT record.

get(ref: Union[int, str, dissect.cstruct.Instance], root: Optional[MftRecord] = None) → MftRecord#

Retrieve an MFT record using a variety of methods.

Supported references are: - _MFT_SEGMENT_REFERENCE cstruct instance - integer segment number - string file path

Parameters:

ref – Reference to retrieve the record by.
root – Optional root record to start resolving from. Useful for relative path lookups.

Raises:

TypeError – If the reference is of an unsupported type.

segments() → Iterator[MftRecord]#: Yield all valid MFT records, regardless if they’re allocated or not.

class dissect.ntfs.mft.MftRecord#

MFT record parsing and interaction.

Use the from_fh or from_bytes class methods to instantiate.

__hash__#

__repr__() → str#: Return repr(self).

__eq__(other: Any) → bool#: Return self==value.

classmethod from_fh(fh: BinaryIO, offset: int, ntfs: Optional[dissect.ntfs.ntfs.NTFS] = None) → MftRecord#

Parse an MFT record from a file-like object.

Parameters:

fh – The file-like object to parse an MFT record from.
offset – The offset in the file-like object to parse the MFT record from.
ntfs – An optional NTFS class instance.

classmethod from_bytes(data: bytes, ntfs: Optional[dissect.ntfs.ntfs.NTFS] = None) → MftRecord#

Parse an MFT record from bytes.

Parameters:

data – The bytes object to parse an MFT record from.
ntfs – An optional NTFS class instance.

Raises:

BrokenMftError – If the MFT record signature is invalid.

get(path: str) → MftRecord#

Retrieve a MftRecord relative to this one.

Parameters:: path – The path to lookup.
Raises:: MftNotAvailableError – If no MFT is available.

attributes() → dissect.ntfs.util.AttributeMap#

Parse and return the attributes in this MFT record.

$ATTRIBUTE_LIST’s are only parsed if there’s an MFT available on the NTFS object.

Raises:: BrokenMftError – If an error occurred parsing the attributes.

resident() → bool#: Return whether this record’s default $DATA attribute is resident.

filename() → Optional[str]#: Return the first file name, or None if this record has no file names.

filenames(ignore_dos: bool = False) → List[str]#

Return all file names of this record.

Parameters:: ignore_dos – Ignore DOS file name entries.

full_path(ignore_dos: bool = False)#

Return the first full path, or None if this record has no file names.

Parameters:: ignore_dos – Ignore DOS file name entries.

full_paths(ignore_dos: bool = False)#

Return all full paths of this record.

Parameters:: ignore_dos – Ignore DOS file name entries.

is_dir() → bool#: Return whether this record is a directory.

is_file() → bool#: Return whether this record is a file.

open(name: str = '', attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE = ATTRIBUTE_TYPE_CODE.DATA, allocated: bool = False) → BinaryIO#

Open a stream on the given stream name and type.

Parameters:

name – The stream name, an empty string for the “default” data stream.
attr_type – The attribute type to open a stream on.
allocated – Whether to use the real stream size or the allocated stream size (i.e. include slack space).

Raises:

FileNotFoundError – If there are no attributes with the given name and type.

size(name: str = '', attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE = ATTRIBUTE_TYPE_CODE.DATA, allocated: bool = False) → int#

Return the stream size of the given stream name and type.

Parameters:

name – The stream name, an empty string for the “default” data stream.
attr_type – The attribute type to find the stream size of.
allocated – Whether to use the real stream size or the allocated stream size (i.e. include slack space).

Raises:

FileNotFoundError – If there are no attributes with the given name and type.

dataruns(name: str = '', attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE = ATTRIBUTE_TYPE_CODE.DATA) → List[Tuple[int, int]]#

Return the dataruns of the given stream name and type.

Parameters:

name – The stream name, an empty string for the “default” data stream.
attr_type – The attribute type to get the dataruns of.

Raises:

FileNotFoundError – If there are no attributes with the given name and type.

has_stream(name: str = '', attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE = ATTRIBUTE_TYPE_CODE.DATA) → bool#: Return whether or not this record has attributes with the given name and type.

index(name: str) → dissect.ntfs.index.Index#

Open an index on this record.

Parameters:: name – The index name to open. For example, “$I30”.

iterdir(dereference: bool = False, ignore_dos: bool = False) → Iterator[Union[dissect.ntfs.index.IndexEntry, MftRecord]]#

Yield directory entries of this record.

Parameters:

dereference – Determines whether to resolve the IndexEntry’s to MftRecord’s. This impacts performance.
ignore_dos – Ignore DOS file name entries.

Raises:

NotADirectoryError – If this record is not a directory.

listdir(dereference: bool = False, ignore_dos: bool = False) → Dict[str, Union[dissect.ntfs.index.IndexEntry, MftRecord]]#

Return a dictionary of the directory entries of this record.

Parameters:

dereference – Determines whether to resolve the IndexEntry’s to MftRecord’s. This impacts performance.
ignore_dos – Ignore DOS file name entries.

Raises:

NotADirectoryError – If this record is not a directory.

dissect.ntfs.mft#

Module Contents#

Classes#

`dissect.ntfs.mft`#