dissect.target.plugins.filesystem.ntfs.mft

Module Contents

Classes

MftPlugin

Base class for plugins.

Functions

compacted_formatter
formatter

Attributes

log
FilesystemStdCompactRecord
FilesystemStdRecord
FilesystemFilenameCompactRecord
FilesystemFilenameRecord
RECORD_TYPES
COMPACT_RECORD_TYPES

dissect.target.plugins.filesystem.ntfs.mft.log

dissect.target.plugins.filesystem.ntfs.mft.FilesystemStdCompactRecord

dissect.target.plugins.filesystem.ntfs.mft.FilesystemStdRecord

dissect.target.plugins.filesystem.ntfs.mft.FilesystemFilenameCompactRecord

dissect.target.plugins.filesystem.ntfs.mft.FilesystemFilenameRecord

dissect.target.plugins.filesystem.ntfs.mft.RECORD_TYPES

dissect.target.plugins.filesystem.ntfs.mft.COMPACT_RECORD_TYPES

class dissect.target.plugins.filesystem.ntfs.mft.MftPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Base class for plugins.

Plugins can optionally be namespaced by specifying the __namespace__ class attribute. Namespacing results in your plugin needing to be prefixed with this namespace when being called. For example, if your plugin has specified test as namespace and a function called example, you must call your plugin with test.example:

A Plugin class has the following private class attributes:

• __namespace__

• __record_descriptors__

With the following three being assigned in register():

• __plugin__

• __functions__

• __exports__

Additionally, the methods and attributes of Plugin receive more private attributes by using decorators.

The export() decorator adds the following private attributes

• __exported__

• __output__: Set with the export() decorator.

• __record__: Set with the export() decorator.

The internal() decorator and InternalPlugin set the __internal__ attribute. Finally. args() decorator sets the __args__ attribute.

Parameters:

target – The Target object to load the plugin for.

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

mft(compact: bool = False)

Return the MFT records of all NTFS filesystems.

The Master File Table (MFT) contains primarily metadata about every file and folder on a NFTS filesystem.

References

• https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table

mft_records(drive_letter: str, record: dissect.ntfs.mft.MftRecord, segment: int, path: str, owner: str, size: int, resident: bool, inuse: bool, volume_uuid: str, record_formatter: Callable)

dissect.target.plugins.filesystem.ntfs.mft.compacted_formatter(attr: dissect.ntfs.attr.Attribute, record_type: dissect.target.plugins.filesystem.ntfs.utils.InformationType, **kwargs)

dissect.target.plugins.filesystem.ntfs.mft.formatter(attr: dissect.ntfs.attr.Attribute, record_type: dissect.target.plugins.filesystem.ntfs.utils.InformationType, **kwargs)