dissect.ntfs.util#
Module Contents#
Classes#
Utility dictionary-like object for interacting with a collection of attributes. |
|
Utility list-like object for interacting with a list of attributes. |
Functions#
Parse and apply fixup data from |
|
Check if a volume is available for reading. |
|
Walk up parent file references to construct a full path. |
|
Convert Windows timestamps to nanosecond timestamps. |
- class dissect.ntfs.util.AttributeMap(dict=None, /, **kwargs)#
Bases:
collections.UserDictUtility dictionary-like object for interacting with a collection of attributes.
Allows convenient accessing of attributes added to this collection. For example: - Get attributes by name, e.g.
attributes.DATAto get all$DATAattributes. - Get attributes by type code enum or integer, e.g.attributes[0x80]orattributes[ATTRIBUTE_TYPE_CODE.DATA]. - Check attribute membership by enum or integer, e.g.0x80 in attributesorATTRIBUTE_TYPE_CODE.DATA in attributes. - Find all attributes with a given name and type, e.g.attributes.find("$I30", ATTRIBUTE_TYPE_CODE.INDEX_ROOT).Note that any data retrieval from an
AttributeMapwill always succeed and return anAttributeCollection, either empty or containing one or more attributes.- __getattr__(attr: str) AttributeCollection#
- __getitem__(item: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE | int) AttributeCollection#
- __contains__(key: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE | int) bool#
- add(attr: dissect.ntfs.attr.Attribute) None#
Add an attribute to the collection.
Note that this is the only intended way to modify the
AttributeMap!- Parameters:
attr – The attribute to add.
- find(name: str, attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE) AttributeCollection#
Find attributes by name and attribute type.
- Parameters:
name – The name of the attribute to find, usually
"".attr_type – The attribute type to find.
- class dissect.ntfs.util.AttributeCollection#
Bases:
listUtility list-like object for interacting with a list of attributes.
Allows convenient access to attribute properties for a list of one or more attributes.
For example, if we have only one attribute we want to access the
size, we want to be able to doattribute_list.sizeinstead ofattribute_list[0].size.Additionally, we can also provide functionality here that we want to perform on a group of attributes, like
open()andsize().- __getattr__(attr: str) Any#
- open(allocated: bool = False) BinaryIO#
Open the data streams on a list of attributes, resident or non-resident.
- Parameters:
allocated – Use the actual stream size or the allocated stream size (i.e. include slack space or not).
- Returns:
A file-like object for the data of this list of attributes.
- size(allocated: bool = False) int#
Retrieve the data stream size for this list of attributes.
- Parameters:
allocated – Return the actual stream size or the allocated stream size (i.e. include slack space or not).
- Returns:
The requested stream size.
- dataruns() list[tuple[int, int]]#
Get the dataruns for this list of attributes.
- Raises:
TypeError – If attribute is resident.
- dissect.ntfs.util.apply_fixup(data: bytes) bytes#
Parse and apply fixup data from
MULTI_SECTOR_HEADERto the given bytes.- Parameters:
data – The bytes to fixup
- Returns:
The fixed up bytes.
- dissect.ntfs.util.ensure_volume(ntfs: dissect.ntfs.ntfs.NTFS) None#
Check if a volume is available for reading.
A volume in this context refers to a disk or other file that contains the raw NTFS data, not contained in system files like the
$MFT.- Raises:
VolumeNotAvailableError – If a volume is not available.
- dissect.ntfs.util.get_full_path(mft: dissect.ntfs.mft.Mft, name: str, parent: dissect.cstruct.Instance, seen: set[str] = None) str#
Walk up parent file references to construct a full path.
- Parameters:
mft – The MFT object to use for looking up file references.
name – The file name to use.
parent – The parent reference to start backtracking from.
- Raises:
FilenameNotAvailableError – If an MFT record has no filename.
- dissect.ntfs.util.ts_to_ns(ts: int) int#
Convert Windows timestamps to nanosecond timestamps.