dissect.target.plugins.filesystem.icat

Module Contents

Classes

ICatPlugin

Plugin to output the contents of a file based on its MFT segment or inode number.

class dissect.target.plugins.filesystem.icat.ICatPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Plugin to output the contents of a file based on its MFT segment or inode number.

FS_SUPPORTED = ('ntfs', 'xfs', 'ext', 'virtual')

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

icat(inum: int, fs: int | None, ads: str) → None

Output the contents of a file based on its MFT segment or inode number. Supports Alternate Data Streams

Example

# outputs contents of segment defaults to 'sysvol'
target-query <TARGET> -f icat --segment 96997

# outputs contents of inode defaults to '/'
target-query <TARGET> -f icat --inode 50947

# outputs contents of segment's ADS
target-query <TARGET> -f icat --segment 96997 --ads Zone.Identifier

# outputs contents of segment in filesystem 3 of target
target-query <TARGET> -f icat --fs 3 --segment 96997

# outputs contents of inode in filesystem 2 of target
target-query <TARGET> -f icat --fs 2 --inode 50947