`dissect.ntfs.ntfs`#

Module Contents#

Classes#

NTFS

Implementation for Microsoft NTFS.

class dissect.ntfs.ntfs.NTFS(fh: Optional[BinaryIO] = None, boot: Optional[BinaryIO] = None, mft: Optional[BinaryIO] = None, usnjrnl: Optional[BinaryIO] = None, sds: Optional[BinaryIO] = None)#

Implementation for Microsoft NTFS.

This implementation supports parsing NTFS from either a full NTFS volume or from separate files. If you have a file-like object of an NTFS volume, simply pass it as the fh argument. If you have separate file-like objects for things like $BOOT or $MFT, pass those as the boot and mft arguments. The separate arguments take precedence over parsing from the volume file-like object.

Parameters:

fh – A file-like object for the volume to use for parsing NTFS. This is where “data on disk” is read from.
boot – A file-like object for the $BOOT file.
mft – A file-like object for the $MFT file.
usnjrnl – A file-like object for the $Extend/$Usnjrnl:$J file.
sds – A file-like object for the $Secure:$SDS file.

serial() → Optional[int]#

volume_name() → Optional[str]#

dissect.ntfs.ntfs#

Module Contents#

Classes#

`dissect.ntfs.ntfs`#