dissect.target.plugins.filesystem.ntfs.usnjrnl#

Module Contents#

Classes#

UsnjrnlPlugin

Base class for plugins.

Attributes#

dissect.target.plugins.filesystem.ntfs.usnjrnl.UsnjrnlRecord#
class dissect.target.plugins.filesystem.ntfs.usnjrnl.UsnjrnlPlugin(target: dissect.target.Target)#

Bases: dissect.target.plugin.Plugin

Base class for plugins.

Plugins can optionally be namespaced by specifying the __namespace__ class attribute. Namespacing results in your plugin needing to be prefixed with this namespace when being called. For example, if your plugin has specified test as namespace and a function called example, you must call your plugin with test.example:

A Plugin class has the following private class attributes:

  • __namespace__

  • __record_descriptors__

With the following three being assigned in register():

  • __plugin__

  • __functions__

  • __exports__

Additionally, the methods and attributes of Plugin receive more private attributes by using decorators.

The export() decorator adds the following private attributes

  • __exported__

  • __output__: Set with the export() decorator.

  • __record__: Set with the export() decorator.

The internal() decorator and InternalPlugin set the __internal__ attribute. Finally. args() decorator sets the __args__ attribute.

Parameters:

target – The Target object to load the plugin for.

check_compatible() None#

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

usnjrnl() Iterator[UsnjrnlRecord]#

Return the UsnJrnl entries of all NTFS filesystems.

The Update Sequence Number Journal (UsnJrnl) is a feature of an NTFS file system and contains information about filesystem activities. Each volume has its own UsnJrnl.

If the filesystem is part of a virtual NTFS filesystem (a VirtualFilesystem with the UsnJrnl properties added to it through a “fake” NtfsFilesystem), the paths returned in the UsnJrnl records are based on the mount point of the VirtualFilesystem. This ensures that the proper original drive letter is used when available. When no drive letter can be determined, the path will show as e.g. \$fs$\fs0.

References