`dissect.ntfs.util`¶

Module Contents¶

Classes¶

`AttributeMap`	Utility dictionary-like object for interacting with a collection of attributes.
`AttributeCollection`	Utility list-like object for interacting with a list of attributes.

Functions¶

`apply_fixup`	Parse and apply fixup data from `MULTI_SECTOR_HEADER` to the given bytes.
`ensure_volume`	Check if a volume is available for reading.
`get_full_path`	Walk up parent file references to construct a full path.
`ts_to_ns`	Convert Windows timestamps to nanosecond timestamps.
`segment_reference`	Helper to calculate the complete segment number from a cstruct MFT segment reference.
`varint`	Parse variable integers.
`bsf`	Count the number of trailing zero bits in an integer of a given size.

class dissect.ntfs.util.AttributeMap(dict=None, /, **kwargs)¶

Bases: collections.UserDict

Utility dictionary-like object for interacting with a collection of attributes.

Allows convenient accessing of attributes added to this collection. For example: - Get attributes by name, e.g. attributes.DATA to get all $DATA attributes. - Get attributes by type code enum or integer, e.g. attributes[0x80] or attributes[ATTRIBUTE_TYPE_CODE.DATA]. - Check attribute membership by enum or integer, e.g. 0x80 in attributes or ATTRIBUTE_TYPE_CODE.DATA in attributes. - Find all attributes with a given name and type, e.g. attributes.find("$I30", ATTRIBUTE_TYPE_CODE.INDEX_ROOT).

Note that any data retrieval from an AttributeMap will always succeed and return an AttributeCollection, either empty or containing one or more attributes.

__getattr__(attr: str) → AttributeCollection¶

__getitem__(item: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE | int) → AttributeCollection¶

__contains__(key: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE | int) → bool¶

add(attr: dissect.ntfs.attr.Attribute) → None¶

Add an attribute to the collection.

Note that this is the only intended way to modify the AttributeMap!

Parameters:: attr – The attribute to add.

find(name: str, attr_type: dissect.ntfs.c_ntfs.ATTRIBUTE_TYPE_CODE) → AttributeCollection¶

Find attributes by name and attribute type.

Parameters:

name – The name of the attribute to find, usually "".
attr_type – The attribute type to find.

class dissect.ntfs.util.AttributeCollection¶

Bases: list

Utility list-like object for interacting with a list of attributes.

Allows convenient access to attribute properties for a list of one or more attributes.

For example, if we have only one attribute we want to access the size, we want to be able to do attribute_list.size instead of attribute_list[0].size.

Additionally, we can also provide functionality here that we want to perform on a group of attributes, like open() and size().

__getattr__(attr: str) → Any¶

open(allocated: bool = False) → BinaryIO¶

Open the data streams on a list of attributes, resident or non-resident.

Parameters:: allocated – Use the actual stream size or the allocated stream size (i.e. include slack space or not).
Returns:: A file-like object for the data of this list of attributes.

size(allocated: bool = False) → int¶

Retrieve the data stream size for this list of attributes.

Parameters:: allocated – Return the actual stream size or the allocated stream size (i.e. include slack space or not).
Returns:: The requested stream size.

dataruns() → list[tuple[int, int]]¶

Get the dataruns for this list of attributes.

Raises:: TypeError – If attribute is resident.

dissect.ntfs.util.apply_fixup(data: bytes) → bytes¶

Parse and apply fixup data from MULTI_SECTOR_HEADER to the given bytes.

Parameters:: data – The bytes to fixup
Returns:: The fixed up bytes.

dissect.ntfs.util.ensure_volume(ntfs: dissect.ntfs.ntfs.NTFS) → None¶

Check if a volume is available for reading.

A volume in this context refers to a disk or other file that contains the raw NTFS data, not contained in system files like the $MFT.

Raises:: VolumeNotAvailableError – If a volume is not available.

dissect.ntfs.util.get_full_path(mft: dissect.ntfs.mft.Mft, name: str, parent: dissect.ntfs.c_ntfs.c_ntfs._MFT_SEGMENT_REFERENCE, seen: set[str] | None = None) → str¶

Walk up parent file references to construct a full path.

Parameters:

mft – The MFT object to use for looking up file references.
name – The file name to use.
parent – The parent reference to start backtracking from.

Raises:

FilenameNotAvailableError – If an MFT record has no filename.

dissect.ntfs.util.ts_to_ns(ts: int) → int¶: Convert Windows timestamps to nanosecond timestamps.

dissect.ntfs.util.segment_reference(reference: dissect.ntfs.c_ntfs.c_ntfs._MFT_SEGMENT_REFERENCE) → int¶

Helper to calculate the complete segment number from a cstruct MFT segment reference.

Parameters:: reference – A cstruct _MFT_SEGMENT_REFERENCE instance to return the complete segment number of.

dissect.ntfs.util.varint(buf: bytes) → int¶

Parse variable integers.

Dataruns in NTFS are stored as a tuple of variable sized integers. The size of each integer is stored in the first byte, 4 bits for each integer. This logic can be seen in AttributeHeader.dataruns.

This function only parses those variable amount of bytes into actual integers. To do that, we simply pad the bytes to 8 bytes long and parse it as a signed 64 bit integer. We pad with 0xff if the number is negative and 0x00 otherwise.

Parameters:: buf – The byte buffer to parse a varint from.

dissect.ntfs.util.bsf(value: int) → int¶

Count the number of trailing zero bits in an integer of a given size.

Parameters:: value – The integer to count trailing zero bits in.

dissect.ntfs.util¶

Module Contents¶

Classes¶

Functions¶

`dissect.ntfs.util`¶