dissect.ntfs.index¶
Module Contents¶
Classes¶
Generic enumeration. |
|
Open an index with he given name on the given MFT record. |
|
Represents the |
|
Represent an index buffer in |
|
Parse and interact with index entries. |
- class dissect.ntfs.index.Match¶
Bases:
enum.EnumGeneric enumeration.
Derive from this class to define new enumerations.
- Less¶
- Equal¶
- Greater¶
- class dissect.ntfs.index.Index(record: dissect.ntfs.mft.MftRecord, name: str)¶
Open an index with he given name on the given MFT record.
- Parameters:
name – The index to open.
- Raises:
FileNotFoundError – If no index with that name can be found.
- record¶
- name¶
- root¶
- index_buffer¶
- __iter__() collections.abc.Iterator[IndexEntry]¶
- search(value: Any, exact: bool = True, cmp: Callable[[IndexEntry, Any], Match] | None = None) IndexEntry¶
Perform a binary search on this index.
Returns the matching node if performing an exact search. Otherwise return the first match that is greater than the search value.
- Parameters:
value – The key to search.
exact – Result must be an exact match.
cmp – Optional custom comparator function.
- Raises:
NotImplementedError – If there is no collation (comparator) function for the collation rule of this index.
KeyError – If an exact match was requested but not found.
- entries() collections.abc.Iterator[IndexEntry]¶
Yield all
IndexEntry’s in thisIndex.
- class dissect.ntfs.index.IndexRoot(index: Index, fh: BinaryIO)¶
Represents the
$INDEX_ROOT.- Parameters:
index – The
Index`class instance thisIndexRootbelongs to.fh – The file-like object to parse an index root on.
- index¶
- fh¶
- header¶
- property attribute_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE¶
Return the indexed attribute type.
- property collation_rule: dissect.ntfs.c_ntfs.COLLATION¶
Return the collation rule.
- property bytes_per_index_buffer: int¶
Return the size of an index buffer in the index allocation in bytes.
- property clusters_per_index_buffer: int¶
Return the size of an index buffer in the index allocation in clusters.
- entries() collections.abc.Iterator[IndexEntry]¶
Yield all
IndexEntry’s in thisIndexRoot.
- class dissect.ntfs.index.IndexBuffer(index: Index, fh: BinaryIO, offset: int, size: int)¶
Represent an index buffer in
$INDEX_ALLOCATION.- Parameters:
- Raises:
EOFError – If there’s not enough data available to read an index buffer.
BrokenIndexError – If the index buffer doesn’t start with the expected magic value.
- index¶
- offset¶
- size¶
- data¶
- header¶
- entries() collections.abc.Iterator[IndexEntry]¶
Yield all
IndexEntry’s in thisIndexBuffer.
- class dissect.ntfs.index.IndexEntry(index: Index, fh: BinaryIO, offset: int)¶
Parse and interact with index entries.
- Parameters:
index – The
Indexclass instance thisIndexEntrybelongs to.fh – The file-like object to parse an index entry on.
offset – The offset in the file-like object to parse an index entry at.
- index¶
- fh¶
- offset¶
- header¶
- buf¶
- dereference() dissect.ntfs.mft.MftRecord¶
Dereference this
IndexEntryto the MFT record it points to.Note that the file reference is a union with the data part so only access this if you know the entry has a file reference and not a data part.
- Raises:
MftNotAvailableError – If no MFT is available.
- property data: bytes¶
Return the data part of this entry.
Note that the data part is a union with the file reference, so only access this if you know the entry has data and not a file reference.
- property attribute: dissect.ntfs.attr.AttributeRecord | None¶
Return the
dissect.ntfs.attr.AttributeRecordof the attribute contained in this entry.
- property is_end: bool¶
Return whether this entry marks the end.
- property is_node: bool¶
Return whether this entry is a node.
- property node_vcn: int¶
Return the node VCN if this entry is a node.
- property length: int¶
Return the length of this index entry.
- property key_length: int¶
Return the length of this index entry.