`dissect.target.plugins.filesystem.ntfs.mft`¶

Module Contents¶

Classes¶

MftPlugin

NTFS MFT plugin.

Functions¶

`compacted_formatter`
`formatter`
`macb_aggr`

Attributes¶

`log`
`FilesystemStdCompactRecord`
`FilesystemStdRecord`
`FilesystemFilenameCompactRecord`
`FilesystemFilenameRecord`
`FilesystemMACBRecord`
`RECORD_TYPES`
`COMPACT_RECORD_TYPES`

dissect.target.plugins.filesystem.ntfs.mft.log¶

dissect.target.plugins.filesystem.ntfs.mft.FilesystemStdCompactRecord¶

dissect.target.plugins.filesystem.ntfs.mft.FilesystemStdRecord¶

dissect.target.plugins.filesystem.ntfs.mft.FilesystemFilenameCompactRecord¶

dissect.target.plugins.filesystem.ntfs.mft.FilesystemFilenameRecord¶

dissect.target.plugins.filesystem.ntfs.mft.FilesystemMACBRecord¶

dissect.target.plugins.filesystem.ntfs.mft.RECORD_TYPES¶

dissect.target.plugins.filesystem.ntfs.mft.COMPACT_RECORD_TYPES¶

class dissect.target.plugins.filesystem.ntfs.mft.MftPlugin(target)¶

Bases: dissect.target.plugin.Plugin

NTFS MFT plugin.

ntfs_filesystems¶

check_compatible() → None¶

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:: UnsupportedPluginError – If the plugin could not be loaded.

mft(compact: bool = False, fs: int | None = None, start: int = 0, end: int = -1, macb: bool = False) → Iterator[flow.record.Record]¶

Return the MFT records of all NTFS filesystems.

The Master File Table (MFT) contains primarily metadata about every file and folder on a NFTS filesystem.

If the filesystem is part of a virtual NTFS filesystem (a VirtualFilesystem with the MFT properties added to it through a “fake” NtfsFilesystem), the paths returned in the MFT records are based on the mount point of the VirtualFilesystem. This ensures that the proper original drive letter is used when available. When no drive letter can be determined, the path will show as e.g. \$fs$\fs0.

References

https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table

segments(fs: dissect.target.filesystems.ntfs.NtfsFilesystem, record_formatter: Callable, aggr: Callable, start: int, end: int) → Iterator[flow.record.Record]¶

mft_records(drive_letter: str, record: dissect.ntfs.mft.MftRecord, segment: int, path: str, owner: str, size: int, resident: bool, inuse: bool, volume_uuid: str, record_formatter: Callable) → Iterator[flow.record.Record]¶

dissect.target.plugins.filesystem.ntfs.mft.compacted_formatter(attr: dissect.ntfs.attr.Attribute, record_type: dissect.target.plugins.filesystem.ntfs.utils.InformationType, **kwargs) → Iterator[flow.record.Record]¶

dissect.target.plugins.filesystem.ntfs.mft.formatter(attr: dissect.ntfs.attr.Attribute, record_type: dissect.target.plugins.filesystem.ntfs.utils.InformationType, **kwargs) → Iterator[flow.record.Record]¶

dissect.target.plugins.filesystem.ntfs.mft.macb_aggr(records: list[flow.record.Record]) → Iterator[flow.record.Record]¶

dissect.target.plugins.filesystem.ntfs.mft¶

Module Contents¶

Classes¶

Functions¶

Attributes¶

`dissect.target.plugins.filesystem.ntfs.mft`¶