dissect.ntfs.util#
Module Contents#
Classes#
Utility dictionary-like object for interacting with a collection of attributes. |
|
Utility list-like object for interacting with a list of attributes. |
Functions#
Parse and apply fixup data from MULTI_SECTOR_HEADER to the given bytes. |
|
Check if a volume is available for reading. |
|
Walk up parent file references to construct a full path. |
|
Convert Windows timestamps to nanosecond timestamps. |
- class dissect.ntfs.util.AttributeMap(dict=None, /, **kwargs)#
Bases:
collections.UserDictUtility dictionary-like object for interacting with a collection of attributes.
Allows convenient accessing of attributes added to this collection. For example: - Get attributes by name, e.g. attributes.DATA to get all $DATA attributes. - Get attributes by type code enum or integer, e.g. attributes[0x80] or attributes[ATTRIBUTE_TYPE_CODE.DATA]. - Check attribute membership by enum or integer, e.g. 0x80 in attributes or ATTRIBUTE_TYPE_CODE.DATA in attributes. - Find all attributes with a given name and type, e.g. attributes.find(“$I30”, ATTRIBUTE_TYPE_CODE.INDEX_ROOT).
Note that any data retrieval from an
AttributeMapwill always succeed and return anAttributeCollection, either empty or containing one or more attributes.- __getattr__(attr: str) AttributeCollection#
- __getitem__(item: Union[dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE, int]) AttributeCollection#
- add(attr: dissect.ntfs.attr.Attribute) None#
Add an attribute to the collection.
Note that this is the only intended way to modify the
AttributeMap!- Parameters:
attr – The attribute to add.
- find(name: str, attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE) AttributeCollection#
Find attributes by name and attribute type.
- Parameters:
name – The name of the attribute to find, usually
"".attr_type – The attribute type to find.
- class dissect.ntfs.util.AttributeCollection#
Bases:
listUtility list-like object for interacting with a list of attributes.
Allows convenient access to attribute properties for a list of one or more attributes.
For example, if we have only one attribute we want to access the “size”, we want to be able to do attribute_list.size instead of attribute_list[0].size.
Additionally, we can also provide functionality here that we want to perform on a group of attributes, like open() and size().
- __getattr__(attr: str) Any#
- open(allocated: bool = False) BinaryIO#
Open the data streams on a list of attributes, resident or non-resident.
- Parameters:
allocated – Use the actual stream size or the allocated stream size (i.e. include slack space or not).
- Returns:
A file-like object for the data of this list of attributes.
- size(allocated: bool = False) int#
Retrieve the data stream size for this list of attributes.
- Parameters:
allocated – Return the actual stream size or the allocated stream size (i.e. include slack space or not).
- Returns:
The requested stream size.
- dataruns() List[Tuple[int, int]]#
Get the dataruns for this list of attributes.
- Raises:
TypeError – If attribute is resident.
- dissect.ntfs.util.apply_fixup(data: bytes) bytes#
Parse and apply fixup data from MULTI_SECTOR_HEADER to the given bytes.
- Parameters:
data – The bytes to fixup
- Returns:
The fixed up bytes.
- dissect.ntfs.util.ensure_volume(ntfs: dissect.ntfs.ntfs.NTFS) None#
Check if a volume is available for reading.
A volume in this context refers to a disk or other file that contains the raw NTFS data, not contained in system files like the $MFT.
- Raises:
VolumeNotAvailableError – If a volume is not available.
- dissect.ntfs.util.get_full_path(mft: dissect.ntfs.mft.Mft, name: str, parent: dissect.cstruct.Instance, seen: Set[str] = None) str#
Walk up parent file references to construct a full path.
- Parameters:
mft – The MFT object to use for looking up file references.
name – The file name to use.
parent – The parent reference to start backtracking from.
- Raises:
FilenameNotAvailableError – If an MFT record has no filename.
- dissect.ntfs.util.ts_to_ns(ts: int) int#
Convert Windows timestamps to nanosecond timestamps.