dissect.target.plugins.filesystem.ntfs.mft

Module Contents

Classes

MftPlugin

NTFS MFT plugin.

Functions

iter_records
compact_formatter
default_formatter
macb_aggregator
format_timeline_info
format_body_info
format_none_value	Format the value if it is None.

Attributes

FilesystemStdCompactRecord
FilesystemStdRecord
FilesystemFilenameCompactRecord
FilesystemFilenameRecord
FilesystemMACBRecord
RECORD_TYPES
COMPACT_RECORD_TYPES
FORMAT_INFO

dissect.target.plugins.filesystem.ntfs.mft.FilesystemStdCompactRecord

dissect.target.plugins.filesystem.ntfs.mft.FilesystemStdRecord

dissect.target.plugins.filesystem.ntfs.mft.FilesystemFilenameCompactRecord

dissect.target.plugins.filesystem.ntfs.mft.FilesystemFilenameRecord

dissect.target.plugins.filesystem.ntfs.mft.FilesystemMACBRecord

dissect.target.plugins.filesystem.ntfs.mft.RECORD_TYPES

dissect.target.plugins.filesystem.ntfs.mft.COMPACT_RECORD_TYPES

dissect.target.plugins.filesystem.ntfs.mft.FORMAT_INFO

class dissect.target.plugins.filesystem.ntfs.mft.MftPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

NTFS MFT plugin.

__namespace__ = 'mft'

Defines the plugin namespace.

ntfs_filesystems

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

records(compact: bool = False, fs: int | None = None, start: int = 0, end: int = -1, macb: bool = False) → collections.abc.Iterator[FilesystemStdRecord | FilesystemFilenameRecord | FilesystemStdCompactRecord | FilesystemFilenameCompactRecord]

Return the MFT records of all NTFS filesystems.

The Master File Table (MFT) contains primarily metadata about every file and folder on a NFTS filesystem.

If the filesystem is part of a virtual NTFS filesystem (a VirtualFilesystem with the MFT properties added to it through a “fake” NtfsFilesystem), the paths returned in the MFT records are based on the mount point of the VirtualFilesystem. This ensures that the proper original drive letter is used when available. When no drive letter can be determined, the path will show as e.g. \$fs$\fs0.

References

• https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table

__call__

Return the records of all exported methods.

Raises:

PluginError – If the subclass is not a namespace plugin.

timeline(ignore_dos: bool = False) → collections.abc.Iterator[str]

Return the MFT records of all NTFS filesystems in a human readable format (unsorted).

The Master File Table (MFT) contains metadata about every file and folder on a NFTS filesystem.

If the filesystem is part of a virtual NTFS filesystem (a VirtualFilesystem with the MFT properties added to it through a “fake” NtfsFilesystem), the paths returned in the MFT records are based on the mount point of the VirtualFilesystem. This ensures that the proper original drive letter is used when available. When no drive letter can be determined, the path will show as e.g. \$fs$\fs0.

References

• https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table

body() → collections.abc.Iterator[str]

Return the MFT records of all NTFS filesystems in bodyfile format.

The file mode is not accurate. This value was only added to indicate if a record is a file or directory.

The Master File Table (MFT) contains metadata about every file and folder on a NFTS filesystem.

If the filesystem is part of a virtual NTFS filesystem (a VirtualFilesystem with the MFT properties added to it through a “fake” NtfsFilesystem), the paths returned in the MFT records are based on the mount point of the VirtualFilesystem. This ensures that the proper original drive letter is used when available. When no drive letter can be determined, the path will show as e.g. \$fs$\fs0.

References

• https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table

• https://wiki.sleuthkit.org/index.php?title=Body_file

dissect.target.plugins.filesystem.ntfs.mft.iter_records(record: dissect.ntfs.MftRecord, segment: int, path: str, owner: str, size: int, resident: bool, inuse: bool, drive_letter: str, volume_uuid: str, record_formatter: collections.abc.Callable, target: dissect.target.target.Target) → collections.abc.Iterator[flow.record.Record]

dissect.target.plugins.filesystem.ntfs.mft.compact_formatter(attr: dissect.ntfs.attr.Attribute, record_type: dissect.target.plugins.filesystem.ntfs.utils.InformationType, **kwargs) → collections.abc.Iterator[FilesystemStdCompactRecord | FilesystemFilenameCompactRecord]

dissect.target.plugins.filesystem.ntfs.mft.default_formatter(attr: dissect.ntfs.attr.Attribute, record_type: dissect.target.plugins.filesystem.ntfs.utils.InformationType, **kwargs) → collections.abc.Iterator[FilesystemStdRecord | FilesystemFilenameRecord]

dissect.target.plugins.filesystem.ntfs.mft.macb_aggregator(records: collections.abc.Iterator[flow.record.Record]) → collections.abc.Iterator[flow.record.Record]

dissect.target.plugins.filesystem.ntfs.mft.format_timeline_info(segment: int, path: str, info: _Info, attr: dissect.ntfs.attr.FileName | dissect.ntfs.attr.StandardInformation, attr_type: dissect.target.plugins.filesystem.ntfs.utils.InformationType, idx: str = '') → collections.abc.Iterator[str]

dissect.target.plugins.filesystem.ntfs.mft.format_body_info(md5: str = '0', name: str = '0', inode: int = 0, mode_as_string: str = '0', uid: int = 0, gid: int = 0, size: int = 0, atime: int = 0, mtime: int = 0, ctime: int = 0, crtime: int = 0) → str

dissect.target.plugins.filesystem.ntfs.mft.format_none_value(value: Any) → str | Any

Format the value if it is None.