rawdisk.plugins.filesystems.ntfs package

Submodules

rawdisk.plugins.filesystems.ntfs.headers module

class rawdisk.plugins.filesystems.ntfs.headers.BIOS_PARAMETER_BLOCK[source]

Bases: _ctypes.Structure

Bios parameter block.

bytes_per_sector

ushort – Sector size with which the physical disc medium has been low-level formatted in bytes.

sectors_per_cluster

ubyte – Number of sectors in an allocation unit.

reserved_sectors

ushort – Number of sectors in the area at the start of the volume that is reserved for operating system boot code.

media_descriptor

ubyte – Describes type of device used, e.g. floppy, harddisk (not used anymore?).

total_sectors

ulonglong – Total number of sectors in the volume.

mft_cluster

ulonglong – MFT table first cluster number (mft offset = volume offset + bytes_per_sector * sectors_per_cluster * mft_cluster).

mft_mirror_cluster

ulonglong – Mirror MFT table cluster number.

clusters_per_mft

signed char – MFT record size. Per Microsoft: If this number is positive (up to 0x7F), it represents Clusters per MFT record. If the number is negative (0x80 to 0xFF), the size of the File Record is 2 raised to the absolute value of this number.

clusters_per_index

uint – Index block size.

volume_serial

ulonglong – Volume serial number.

checksum

uint – BPB checksum.

bytes_per_sector

Structure/Union member

heads

Structure/Union member

hidden_sectors

Structure/Union member

media_type

Structure/Union member

reserved_sectors

Structure/Union member

sectors_per_cluster

Structure/Union member

sectors_per_track

Structure/Union member

total_sectors

Structure/Union member

class rawdisk.plugins.filesystems.ntfs.headers.EXTENDED_BIOS_PARAMETER_BLOCK[source]

Bases: _ctypes.Structure

clusters_per_index

Structure/Union member

clusters_per_mft

Structure/Union member

mft_cluster

Structure/Union member

mft_mirror_cluster

Structure/Union member

volume_serial

Structure/Union member

class rawdisk.plugins.filesystems.ntfs.headers.MFT_RECORD_HEADER[source]

Bases: _ctypes.Structure

Represents MFT entry header.

file_signature

string – Entry signature (4 bytes) (eg. ‘FILE’ or ‘BAAD’).

update_seq_array_offset

ushort – The offset to the update sequence array, from the start of this structure. The update sequence array must end before the last USHORT value in the first sector.

update_seq_array_size

ushort – The size of the update sequence array, in bytes.

logfile_seq_number

ulonglong – ?? (reserved in Microsoft website)

seq_number

ushort – The sequence number. This value is incremented each time that a file record segment is freed; it is 0 if the segment is not used.

ushort – ?? (reserved in Microsoft website)

first_attr_offset

ushort – The offset of the first attribute record, in bytes.

flags

ushort – The file flags (FILE_RECORD_SEGMENT_IN_USE (0x0001), FILE_FILE_NAME_INDEX_PRESENT (0x0002)).

base_file_record

ulonglong – A file reference to the base file record segment for this file. If this is the base file record, the value is 0.

allocated_size

Structure/Union member

base_file_record

Structure/Union member

first_attr_offset

Structure/Union member

flags

Structure/Union member

hard_link_count

Structure/Union member

logfile_seq_number

Structure/Union member

mft_record_number

Structure/Union member

next_attr_id

Structure/Union member

seq_number

Structure/Union member

signature

Structure/Union member

upd_seq_array_offset

Structure/Union member

upd_seq_array_size

Structure/Union member

used_size

Structure/Union member

rawdisk.plugins.filesystems.ntfs.bootsector module

class rawdisk.plugins.filesystems.ntfs.bootsector.BootSector(data=None, offset=None, length=None, filename=None)[source]

Bases: rawdisk.util.rawstruct.RawStruct

Represents NTFS Bootsector

oem_id

8 byte string – NTFS filesystem signature ‘NTFS ‘

bpb

Bpb – Initialized Bpb object.

mft_offset

int – Offset to MFT table from the start of NTFS volume in bytes

See More:
http://ntfs.com/ntfs-partition-boot-sector.htm

bytes_per_cluster

mft_mirror_offset

Returns: int – Mirror MFT table offset from the beginning of the partition in bytes.

mft_offset

Returns: int – MFT table offset from the beginning of the partition in bytes.

mft_record_size

Returns: int – MFT record size in bytes.

total_clusters

volume_size

Returns volume size in bytes
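The arithmetic behind these properties, as an added example (not rawdisk's own code): it reads the BPB fields at their standard NTFS boot sector offsets with `struct`, decodes the signed `clusters_per_mft` byte, and rejects geometry that would point outside the volume. The function names, the sanity bounds, and the sample sector are constructed for illustration.

```python
import struct

def record_size(raw, bytes_per_cluster):
    """Decode a signed clusters_per_mft / clusters_per_index byte into bytes."""
    if raw > 0:
        return raw * bytes_per_cluster      # positive: clusters per record
    if raw < 0:
        return 1 << -raw                    # negative: 2 ** abs(raw) bytes
    raise ValueError("record size field is zero")

def parse_boot_sector(sector, volume_offset=0):
    """Derive the BootSector values from a raw 512-byte NTFS boot sector."""
    if len(sector) < 512 or sector[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_cluster, mirror_cluster = struct.unpack_from("<QQQ", sector, 0x28)
    per_mft, per_index = struct.unpack_from("<b3xb", sector, 0x40)
    # Sanity bounds (assumed here): never trust geometry read from an image.
    if bps not in (512, 1024, 2048, 4096) or spc == 0:
        raise ValueError("implausible sector or cluster size")
    bpc = bps * spc
    volume_size = total_sectors * bps
    if max(mft_cluster, mirror_cluster) * bpc >= volume_size:
        raise ValueError("MFT cluster lies outside the volume")
    return {
        "bytes_per_cluster": bpc,
        "volume_size": volume_size,
        "mft_offset": volume_offset + bpc * mft_cluster,
        "mft_mirror_offset": volume_offset + bpc * mirror_cluster,
        "mft_record_size": record_size(per_mft, bpc),
        "index_record_size": record_size(per_index, bpc),
    }

def build_sample_sector():
    """Constructed boot sector: 512-byte sectors, 8 sectors per cluster."""
    s = bytearray(512)
    s[3:11] = b"NTFS    "
    struct.pack_into("<HB", s, 0x0B, 512, 8)
    struct.pack_into("<QQQ", s, 0x28, 2048000, 4, 16)   # total, MFT, mirror
    struct.pack_into("<b3xb", s, 0x40, -10, 1)          # 0xF6 -> 2**10 bytes
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    print(parse_boot_sector(build_sample_sector(), volume_offset=1048576))
```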

rawdisk.plugins.filesystems.ntfs.mft module

class rawdisk.plugins.filesystems.ntfs.mft.MftTable(mft_entry_size=1024, offset=None, filename=None)[source]

Bases: object

Represents NTFS Master File Table (MFT)

Parameters:
  • offset (uint) – Offset to the MFT table from disk start in bytes.
  • mft_entry_size (uint) – MFT entry size in bytes (default: 1024).
  • filename (str) – A file to read the data from.
See More:
http://en.wikipedia.org/wiki/NTFS#Master_File_Table

get_entry(entry_id)[source]

Get mft entry by index. If entry is not already loaded it will load it from file specified during MftTable initialization.

Returns: initialized MftEntry.
Return type: MftEntry

preload_entries(count)[source]

Loads specified number of MFT entries

Parameters: count (int) – Number of entries to preload.

rawdisk.plugins.filesystems.ntfs.mft_attr_header module

class rawdisk.plugins.filesystems.ntfs.mft_attr_header.MftAttrHeader(data)[source]

Bases: rawdisk.util.rawstruct.RawStruct

Represents MFT attribute header.

type

uint – Attribute type.

length

uint – Attribute length (including this header).

non_resident_flag

ubyte – Non-resident flag (0 - resident, 1 - otherwise).

length_of_name

ubyte – If attribute has name, this is name length in bytes.

offset_to_name

ushort – Offset to attribute’s name in bytes.

attr_name

unicode – Attribute’s name (if it has one).

flags

ushort – The attribute flags (COMPRESSION_MASK (0x00FF), SPARSE (0x8000), ENCRYPTED (0x4000)).

identifier

ushort – The unique identifier for this attribute in the file record.

Resident attribute

attr_length

uint – The size of the attribute value, in bytes.

attr_offset

ushort – The offset to the value from the start of the attribute record, in bytes.

indexed

ubyte – Indexed flag??

Non-resident attribute

lowest_vcn

ulonglong – The lowest virtual cluster number (VCN) covered by this attribute record.

highest_vcn

ulonglong – The highest VCN covered by this attribute record.

data_run_offset

ushort – The offset to the mapping pairs array from the start of the attribute record, in bytes.

comp_unit_size

ushort – Compression unit size = 2^x clusters. 0 implies uncompressed.

alloc_size

ulonglong – The allocated size of the file, in bytes. This value is an even multiple of the cluster size. This member is not valid if the LowestVcn member is nonzero.

real_size

ulonglong – The file size (highest byte that can be read plus 1), in bytes. This member is not valid if LowestVcn is nonzero.

data_size

ulonglong – The valid data length (highest initialized byte plus 1), in bytes. This value is rounded to the nearest cluster boundary. This member is not valid if LowestVcn is nonzero.
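How these header fields drive a walk over one MFT record, as an added example (not rawdisk's own code): each attribute's `length` gives the position of the next one, so every length and value offset is bounds-checked before use. Field offsets follow the standard NTFS record and attribute layout; the helper names and the sample record are constructed, and the record is assumed to have had its update sequence fixups applied already.

```python
import struct

ATTR_END = 0xFFFFFFFF  # type value that terminates the attribute list

def walk_attributes(record):
    """Return [(type, identifier, non_resident_flag, value-or-None)] for one record."""
    if len(record) < 42 or record[:4] != b"FILE":
        raise ValueError("short record or bad MFT record signature")
    (pos,) = struct.unpack_from("<H", record, 0x14)     # first_attr_offset
    (used,) = struct.unpack_from("<I", record, 0x18)    # used_size
    limit = min(used, len(record))
    found = []
    while pos + 4 <= limit:
        (attr_type,) = struct.unpack_from("<I", record, pos)
        if attr_type == ATTR_END:
            return found
        if pos + 24 > limit:
            raise ValueError("attribute header runs past used_size")
        length, non_res, _nlen, _noff, _flags, ident = struct.unpack_from(
            "<IBBHHH", record, pos + 4)
        # A zero length would loop forever; an oversized one reads past the record.
        if length < 24 or length % 8 or pos + length > limit:
            raise ValueError("bad attribute length at offset %d" % pos)
        value = None
        if non_res == 0:                                # resident: value is inline
            attr_length, attr_offset = struct.unpack_from("<IH", record, pos + 16)
            if attr_offset < 24 or attr_offset + attr_length > length:
                raise ValueError("resident value outside attribute at %d" % pos)
            value = record[pos + attr_offset:pos + attr_offset + attr_length]
        found.append((attr_type, ident, non_res, value))
        pos += length
    raise ValueError("attribute list has no end marker")

def resident_attr(attr_type, ident, value):
    """Constructed resident attribute: 24-byte header, value, padded to 8 bytes."""
    length = (24 + len(value) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBx", attr_type, length, 0, 0, 24, 0, ident,
                      len(value), 24, 0)
    return (hdr + value).ljust(length, b"\0")

def build_sample_record(size=1024):
    """Constructed record: $STANDARD_INFORMATION (0x10) and $DATA (0x80)."""
    body = resident_attr(0x10, 0, bytes(72)) + resident_attr(0x80, 1, b"hello")
    body += struct.pack("<II", ATTR_END, 0)
    rec = bytearray(size)
    rec[:4] = b"FILE"
    struct.pack_into("<H", rec, 0x14, 0x38)
    struct.pack_into("<I", rec, 0x18, 0x38 + len(body))
    rec[0x38:0x38 + len(body)] = body
    return bytes(rec)
```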

rawdisk.plugins.filesystems.ntfs.mft_attribute module

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr(data)[source]

Bases: rawdisk.util.rawstruct.RawStruct

Base class for all MFT attributes.

type_str

string – String representation of attribute’s type eg. $SYSTEM_INFORMATION.

header

MftAttrHeader – Initialized MftAttrHeader object.

static factory(attr_type, data)[source]

Returns Initialized attribute object based on attr_type (eg. MftAttrStandardInformation)

Parameters:
  • attr_type (uint) – Attribute type number (eg. 0x10 - $STANDARD_INFORMATION)
  • data (byte array) – Data to initialize attribute object with.

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrAttributeList(data)[source]

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrBitmap(data)[source]

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrData(data)[source]

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrFilename(data)[source]

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

atime_dt

ctime_dt

mtime_dt

rtime_dt

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrIndexAllocation(data)[source]

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrIndexRoot(data)[source]

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrLoggedToolstream(data)[source]

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrObjectId(data)[source]

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrReparsePoint(data)[source]

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrSecurityDescriptor(data)[source]

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrStandardInformation(data)[source]

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

$STANDARD_INFORMATION attribute

ctime

ulonglong – File creation date in Microsoft FILETIME format.

atime

ulonglong – Last file modification date.

mtime

ulonglong – Last file MFT entry modification date.

rtime

ulonglong – Last file access date.

perm

uint – DOS file permissions.

versions

uint – Maximum number of versions.

class_id

uint – Class Id.

Note

This attribute is always resident.

atime_dt

Returns: datetime – File modification date in Python’s datetime format.

ctime_dt

Returns: datetime – File creation date in Python’s datetime format.

mtime_dt

Returns: datetime – MFT entry modification date in Python’s datetime format.

rtime_dt

Returns: datetime – Last file access date in Python’s datetime format.

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrVolumeInfo(data)[source]

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrVolumeName(data)[source]

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

rawdisk.plugins.filesystems.ntfs.mft_entry module

class rawdisk.plugins.filesystems.ntfs.mft_entry.MftEntry(data=None, offset=None, length=None, filename=None, index=None)[source]

Bases: rawdisk.util.rawstruct.RawStruct

Represents MFT table entry.

offset

uint – MFT entry offset starting from the beginning of disk in bytes.

attributes

list – List of initialized mft attribute objects (eg. MftAttrStandardInformation).

header

MftEntryHeader – Initialized MftEntryHeader.

is_directory
is_file
is_in_use
lookup_attribute(attr_type_id)[source]
used_size

rawdisk.plugins.filesystems.ntfs.ntfs module

class rawdisk.plugins.filesystems.ntfs.ntfs.Ntfs[source]

Bases: rawdisk.plugins.categories.IFilesystemPlugin

Filesystem plugin for NTFS partition.

detect(filename, offset, standalone=False)[source]

Verifies NTFS filesystem signature.

Returns: True if filesystem signature at offset 0x03 matches ‘NTFS ‘, False otherwise.
Return type: bool

get_volume_object()[source]

Returns NtfsVolume object.

gpt_identifiers

Should return a list (usually one) of GPT identifiers that are used to detect this volume

mbr_identifiers

Should return a list (usually one) of MBR identifiers that are used to detect this volume

rawdisk.plugins.filesystems.ntfs.ntfs_volume module

class rawdisk.plugins.filesystems.ntfs.ntfs_volume.NtfsVolume[source]

Bases: rawdisk.filesystems.volume.Volume

Represents NTFS volume.

offset

uint – offset to the partition from the start of the disk in bytes

fd

fd – file descriptor that is used to load volume information

bootsector

BootSector – initialized BootSector object.

mft_table

MftTable – initialized MftTable object

See More:
http://en.wikipedia.org/wiki/NTFS

dump_volume()[source]

Prints volume information to standard output, similar to the ntfsprogs_1.22 package.

load(filename, offset)[source]

Loads NTFS volume information

Parameters:
  • filename (str) – Path to file/device to read the volume information from.
  • offset (uint) – Valid NTFS partition offset from the beginning of the file/device.
Raises: IOError – If source file/device does not exist or is not readable.

mft_mirror_offset

Returns: int – MFT mirror table offset from the beginning of the disk in bytes.

mft_table_offset

Returns: int – MFT table offset from the beginning of the disk in bytes.

size

Returns: int – Total size of NTFS volume in bytes.

Module contents