dissect.target.plugins.filesystem.icat#
Module Contents#
Classes#
Plugin to output the contents of a file based on its MFT segment or inode number. |
- class dissect.target.plugins.filesystem.icat.ICatPlugin(target: dissect.target.Target)#
Bases:
dissect.target.plugin.PluginPlugin to output the contents of a file based on its MFT segment or inode number.
- FS_SUPPORTED = ['ntfs', 'xfs', 'ext', 'virtual']#
- check_compatible()#
Perform a compatibility check with the target.
This function should return
Noneif the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise anUnsupportedPluginError.- Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- icat(inum, fs, ads)#
Output the contents of a file based on its MFT segment or inode number. Supports Alternate Data Streams
Example
# outputs contents of segment defaults to ‘sysvol’ target-query <TARGET> -f icat –segment 96997
# outputs contents of inode defaults to ‘/’ target-query <TARGET> -f icat –inode 50947
# outputs contents of segment’s ADS target-query <TARGET> -f icat –segment 96997 –ads Zone.Identifier
# outputs contents of segment in filesystem 3 of target target-query <TARGET> -f icat –fs 3 –segment 96997
# outputs contents of inode in filesystem 2 of target target-query <TARGET> -f icat –fs 2 –inode 50947