dissect.ntfs.ntfs

Module Contents

Classes

NTFS – Implementation for Microsoft NTFS.

class dissect.ntfs.ntfs.NTFS(fh: BinaryIO | None = None, boot: BinaryIO | None = None, mft: BinaryIO | None = None, usnjrnl: BinaryIO | None = None, sds: BinaryIO | None = None)

Implementation for Microsoft NTFS.

This implementation supports parsing NTFS from either a full NTFS volume or from separate files. If you have a file-like object of an NTFS volume, simply pass it as the fh argument. If you have separate file-like objects for things like $Boot or $MFT, pass those as the boot and mft arguments. The separate arguments take precedence over parsing from the volume file-like object.

Parameters:
  • fh – A file-like object for the volume to use for parsing NTFS. This is where “data on disk” is read from.

  • boot – A file-like object for the $Boot file.

  • mft – A file-like object for the $MFT file.

  • usnjrnl – A file-like object for the $Extend/$UsnJrnl:$J file.

  • sds – A file-like object for the $Secure:$SDS file.

serial() int | None
volume_name() str | None