dissect.target.plugins.filesystem.icat

Module Contents

Classes

ICatPlugin

Plugin to output the contents of a file based on its MFT segment or inode number.

class dissect.target.plugins.filesystem.icat.ICatPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Plugin to output the contents of a file based on its MFT segment or inode number.

FS_SUPPORTED = ['ntfs', 'xfs', 'ext', 'virtual']

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

icat(inum, fs, ads)

Output the contents of a file based on its MFT segment or inode number. Supports Alternate Data Streams

Example

# outputs contents of segment defaults to ‘sysvol’ target-query <TARGET> -f icat –segment 96997

# outputs contents of inode defaults to ‘/’ target-query <TARGET> -f icat –inode 50947

# outputs contents of segment’s ADS target-query <TARGET> -f icat –segment 96997 –ads Zone.Identifier

# outputs contents of segment in filesystem 3 of target target-query <TARGET> -f icat –fs 3 –segment 96997

# outputs contents of inode in filesystem 2 of target target-query <TARGET> -f icat –fs 2 –inode 50947