dissect.ntfs.mft

Module Contents

Classes

Mft

Interact with the $MFT (Master File Table).

MftRecord

MFT record parsing and interaction.

class dissect.ntfs.mft.Mft(fh: BinaryIO, ntfs: dissect.ntfs.ntfs.NTFS | None = None)

Interact with the $MFT (Master File Table).

Parameters:
  • fh – A file-like object of the $MFT file.

  • ntfs – An optional NTFS class instance.

fh
ntfs = None
get
__call__(ref: int | str | dissect.ntfs.c_ntfs.c_ntfs._MFT_SEGMENT_REFERENCE, *args, **kwargs) MftRecord
property root: MftRecord

Return the root directory MFT record.

segments(start: int = 0, end: int = -1) collections.abc.Iterator[MftRecord]

Yield all valid MFT records, regardless of whether they’re allocated or not.

Parameters:
  • start – The starting segment number. Use -1 to start from the last segment.

  • end – The ending segment number. Use -1 to end with the last segment.

class dissect.ntfs.mft.MftRecord

MFT record parsing and interaction.

Use the from_fh() or from_bytes() class methods to instantiate.

ntfs: dissect.ntfs.ntfs.NTFS | None = None
segment: int | None = None
offset: int | None = None
data: bytes | None = None
header: dissect.ntfs.c_ntfs.c_ntfs._FILE_RECORD_SEGMENT_HEADER | None = None
__repr__() str
__eq__(other: object) bool
__hash__
classmethod from_fh(fh: BinaryIO, offset: int, ntfs: dissect.ntfs.ntfs.NTFS | None = None) MftRecord

Parse an MFT record from a file-like object.

Parameters:
  • fh – The file-like object to parse an MFT record from.

  • offset – The offset in the file-like object to parse the MFT record from.

  • ntfs – An optional NTFS class instance.

classmethod from_bytes(data: bytes, ntfs: dissect.ntfs.ntfs.NTFS | None = None) MftRecord

Parse an MFT record from bytes.

Parameters:
  • data – The bytes object to parse an MFT record from.

  • ntfs – An optional NTFS class instance.

Raises:

BrokenMftError – If the MFT record signature is invalid.
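Two behaviours documented above, segments() yielding valid records whether or not they are allocated and from_bytes() rejecting an invalid signature, rest on a few fields of the on-disk FILE record header. The following is an added example, not dissect.ntfs code, that reads those fields directly with struct. The 1024-byte record size, the 512-byte fixup stride, the helper names and the sample records are assumptions constructed for illustration.

```python
import struct

RECORD_SIZE = 1024  # assumed MFT record size (common default)
SECTOR_SIZE = 512   # assumed stride protected by the update sequence array
FLAG_IN_USE, FLAG_DIRECTORY = 0x0001, 0x0002

def apply_fixups(record: bytes) -> bytes:
    """Restore the sector tails replaced by the update sequence number."""
    usa_offset, usa_count = struct.unpack_from("<HH", record, 4)
    if usa_count < 2 or usa_offset + 2 * usa_count > len(record):
        raise ValueError("update sequence array out of bounds")
    usn = record[usa_offset:usa_offset + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if end > len(buf) or buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")  # torn write
        saved = usa_offset + 2 * i
        buf[end - 2:end] = record[saved:saved + 2]
    return bytes(buf)

def scan_mft(blob: bytes) -> list[tuple[int, str]]:
    """Classify every record slot: allocated, unallocated (deleted) or invalid."""
    results = []
    for segment in range(len(blob) // RECORD_SIZE):
        raw = blob[segment * RECORD_SIZE:(segment + 1) * RECORD_SIZE]
        try:
            if raw[:4] != b"FILE":
                raise ValueError("bad signature")
            record = apply_fixups(raw)
        except ValueError:
            results.append((segment, "invalid"))
            continue
        (flags,) = struct.unpack_from("<H", record, 22)  # header flags field
        kind = "dir" if flags & FLAG_DIRECTORY else "file"
        state = "allocated" if flags & FLAG_IN_USE else "unallocated"
        results.append((segment, f"{state} {kind}"))
    return results

def make_record(flags: int, usn: bytes = b"\x01\x00") -> bytes:
    """Build a constructed, attribute-less FILE record for the demo."""
    buf = bytearray(RECORD_SIZE)
    struct.pack_into("<4sHH", buf, 0, b"FILE", 48, 3)  # signature, USA offset, count
    struct.pack_into("<H", buf, 22, flags)
    buf[48:50] = usn                         # update sequence number
    buf[510:512] = buf[1022:1024] = usn      # sector tails carry the USN on disk
    return bytes(buf)

# Constructed sample: a live directory, a deleted file, and an empty slot.
SAMPLE = make_record(0x3) + make_record(0x0) + b"\x00" * RECORD_SIZE
```

Records that carry a valid signature but have the in-use flag cleared are the ones of interest when recovering deleted file metadata.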

get(path: str) MftRecord

Retrieve an MftRecord relative to this one.

Parameters:

path – The path to look up.

Raises:

MftNotAvailableError – If no MFT is available.

property attributes: dissect.ntfs.util.AttributeMap

Parse and return the attributes in this MFT record.

$ATTRIBUTE_LIST attributes are only parsed if there’s an MFT available on the NTFS object.

Raises:

BrokenMftError – If an error occurred parsing the attributes.

property resident: bool

Return whether this record’s default $DATA attribute is resident.

property filename: str | None

Return the first file name, or None if this record has no file names.

filenames(ignore_dos: bool = False) list[str]

Return all file names of this record.

Parameters:

ignore_dos – Ignore DOS file name entries.

full_path(ignore_dos: bool = False) str | None

Return the first full path, or None if this record has no file names.

Parameters:

ignore_dos – Ignore DOS file name entries.

full_paths(ignore_dos: bool = False) list[str]

Return all full paths of this record.

Parameters:

ignore_dos – Ignore DOS file name entries.

is_dir() bool

Return whether this record is a directory.

is_file() bool

Return whether this record is a file.

is_reparse_point() bool

Return whether this record is a reparse point.

is_symlink() bool

Return whether this record is a symlink reparse point.

is_mount_point() bool

Return whether this record is a mount point reparse point.

property reparse_point_name: str

Return the (printable) name of this reparse point.

property reparse_point_substitute_name: str

Return the substitute name of this reparse point.

property reparse_point_record: MftRecord

Resolve a reparse point and return the target record.

Note: absolute links (such as directory junctions) will always fail in the context of a single filesystem. Absolute links include the drive letter, of which we have no knowledge here.

open(name: str = '', attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE = ATTRIBUTE_TYPE_CODE.DATA, allocated: bool = False) BinaryIO

Open a stream on the given stream name and type.

Parameters:
  • name – The stream name, an empty string for the “default” data stream.

  • attr_type – The attribute type to open a stream on.

  • allocated – Whether to use the real stream size or the allocated stream size (i.e. include slack space).

Raises:

FileNotFoundError – If there are no attributes with the given name and type.

size(name: str = '', attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE = ATTRIBUTE_TYPE_CODE.DATA, allocated: bool = False) int

Return the stream size of the given stream name and type.

Parameters:
  • name – The stream name, an empty string for the “default” data stream.

  • attr_type – The attribute type to find the stream size of.

  • allocated – Whether to use the real stream size or the allocated stream size (i.e. include slack space).

Raises:

FileNotFoundError – If there are no attributes with the given name and type.

dataruns(name: str = '', attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE = ATTRIBUTE_TYPE_CODE.DATA) list[tuple[int, int]]

Return the dataruns of the given stream name and type.

Parameters:
  • name – The stream name, an empty string for the “default” data stream.

  • attr_type – The attribute type to get the dataruns of.

Raises:

FileNotFoundError – If there are no attributes with the given name and type.

has_stream(name: str = '', attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE = ATTRIBUTE_TYPE_CODE.DATA) bool

Return whether or not this record has attributes with the given name and type.

index(name: str) dissect.ntfs.index.Index

Open an index on this record.

Parameters:

name – The index name to open. For example, "$I30".

iterdir(dereference: bool = False, ignore_dos: bool = False) collections.abc.Iterator[dissect.ntfs.index.IndexEntry | MftRecord]

Yield directory entries of this record.

Parameters:
  • dereference – Determines whether to resolve each IndexEntry to an MftRecord. This impacts performance.

  • ignore_dos – Ignore DOS file name entries.

Raises:

NotADirectoryError – If this record is not a directory.

listdir(dereference: bool = False, ignore_dos: bool = False) dict[str, dissect.ntfs.index.IndexEntry | MftRecord]

Return a dictionary of the directory entries of this record.

Parameters:
  • dereference – Determines whether to resolve each IndexEntry to an MftRecord. This impacts performance.

  • ignore_dos – Ignore DOS file name entries.

Raises:

NotADirectoryError – If this record is not a directory.