Basic Usage
Loading data file
In order to start filesystem analysis, you need to create a Session
instance:
from rawdisk.session import Session
session = Session()
session.load('sample_images/ntfs_mbr.vhd')
The last line looks through the available filesystem plugins in rawdisk/plugins/filesystem. If a filesystem is matched, it initializes that plugin's volume object. To print the list of available partitions (only those that were matched by a plugin are shown), type:
for volume in session.volumes:
    print(volume)
Type: NTFS, Offset: 0x10000, Size: 7.00MB, MFT Table Offset: 0x265000
Show selected volume information
To print information about the selected volume:
ntfs_vol = session.volumes[0]
ntfs_vol.dump_volume()
Output:
Volume Information
Volume Name: NTFS Volume
Volume Version: 3.1
Volume Size: 7.00MB
Volume Offset: 0x10000
Total Sectors: 14335
Total Clusters: 1791
MFT Offset: 0x265000 (from beginning of volume)
MFT Mirror Offset: 0x2000
MFT Record Size: 1.00KB
MFT Size: 0.87MB (12% of drive)
Analysing selected partition
session.volumes is a list that contains the matched volume objects. For example, to get the NTFS volume object (NtfsVolume) from the listing above:
ntfs_vol = session.volumes[0]
To get the $MFT entry (index 0):
mft = ntfs_vol.mft_table.get_entry(0)
mft.hexdump()
Output:
00000000: 46 49 4C 45 30 00 03 00 82 4D 10 00 00 00 00 00 FILE0....M......
00000010: 01 00 01 00 38 00 01 00 A0 01 00 00 00 04 00 00 ....8...........
00000020: 00 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ................
00000030: 02 00 FF 00 00 00 00 00 10 00 00 00 60 00 00 00 ............`...
00000040: 00 00 18 00 00 00 00 00 48 00 00 00 18 00 00 00 ........H.......
00000050: F8 58 8A 44 11 01 D0 01 F8 58 8A 44 11 01 D0 01 .X.D.....X.D....
00000060: F8 58 8A 44 11 01 D0 01 F8 58 8A 44 11 01 D0 01 .X.D.....X.D....
00000070: 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000080: 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 ................
<...>
To print a list of attributes belonging to this $MFT entry:
for attr in mft.attributes:
    print(attr)
Output:
Type: $STANDARD_INFORMATION Name: N/A Resident Size: 96
Type: $FILE_NAME Name: N/A Resident Size: 104
Type: $DATA Name: N/A Non-Resident Size: 80
Type: $BITMAP Name: N/A Non-Resident Size: 72
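The "Resident Size: 96" shown for $STANDARD_INFORMATION is the attribute length field at offset 0x3C of the hexdump (60 00 00 00), and the record header fields (in-use flag, used and allocated size, first attribute offset) are all visible in the first 0x30 bytes. The following example, added here and not part of rawdisk or its documentation, decodes those structures with the standard library only. Its input is the 0x90 bytes of the hexdump transcribed inline; because the page truncates the record there, the attribute walk stops after the first attribute instead of reaching the four listed above. The field layout is the on-disk NTFS MFT record format; the sanity checks are the ones an analyst applies before trusting a record carved from a disk image (signature, size bounds, in-use flag), and the helper and dictionary-key names are this example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

# First 0x90 bytes of MFT entry 0 ($MFT), transcribed from the hexdump shown
# on this page. The full record is 1 KB (allocated size 0x400); the page cuts
# it off at 0x90, so only the record header and the start of the first
# attribute ($STANDARD_INFORMATION) are present.
MFT_ENTRY_0 = bytes.fromhex(
    "46494C4530000300824D100000000000"
    "0100010038000100A001000000040000"
    "00000000000000000700000000000000"
    "0200FF00000000001000000060000000"
    "00001800000000004800000018000000"
    "F8588A441101D001F8588A441101D001"
    "F8588A441101D001F8588A441101D001"
    "06000000000000000000000000000000"
    "00000000000100000000000000000000"
)

# MFT record header (FILE_RECORD_SEGMENT_HEADER): 48 bytes, little-endian.
RECORD_HEADER = struct.Struct("<4sHHQHHHHIIQHHI")
# Common 16-byte attribute header, followed by the resident-only part.
ATTR_HEADER = struct.Struct("<IIBBHHH")
ATTR_RESIDENT = struct.Struct("<IHBB")
# $STANDARD_INFORMATION body without the trailing USN, which the dump omits.
STD_INFO = struct.Struct("<QQQQIIIIIIQ")

RECORD_FLAG_IN_USE = 0x1
ATTR_END_MARKER = 0xFFFFFFFF
ATTR_TYPE_NAMES = {
    0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST", 0x30: "$FILE_NAME",
    0x40: "$OBJECT_ID", 0x50: "$SECURITY_DESCRIPTOR", 0x60: "$VOLUME_NAME",
    0x70: "$VOLUME_INFORMATION", 0x80: "$DATA", 0x90: "$INDEX_ROOT",
    0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP", 0xC0: "$REPARSE_POINT",
    0xD0: "$EA_INFORMATION", 0xE0: "$EA", 0x100: "$LOGGED_UTILITY_STREAM",
}
FILE_ATTR_FLAGS = {
    0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x20: "ARCHIVE",
    0x200: "SPARSE", 0x400: "REPARSE_POINT", 0x800: "COMPRESSED", 0x4000: "ENCRYPTED",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_record_header(data):
    """Unpack the fixed record header at the start of an MFT entry."""
    f = RECORD_HEADER.unpack_from(data, 0)
    return {
        "signature": f[0], "usa_offset": f[1], "usa_size": f[2], "lsn": f[3],
        "sequence": f[4], "link_count": f[5], "first_attr_offset": f[6],
        "flags": f[7], "used_size": f[8], "alloc_size": f[9],
        "base_record": f[10], "next_attr_id": f[11], "record_number": f[13],
    }


def check_record_header(hdr):
    """Consistency checks applied before trusting a record from an image."""
    problems = []
    if hdr["signature"] != b"FILE":
        problems.append("bad signature %r (BAAD marks a record found corrupt)" % hdr["signature"])
    if hdr["used_size"] > hdr["alloc_size"]:
        problems.append("used size exceeds allocated size")
    if not RECORD_HEADER.size <= hdr["first_attr_offset"] < hdr["used_size"]:
        problems.append("first attribute offset lies outside the record")
    if not hdr["flags"] & RECORD_FLAG_IN_USE:
        problems.append("record is not in use (deleted entry)")
    return problems


def iter_attribute_headers(data, hdr):
    """Walk the attribute chain until the end marker or the end of the data."""
    offset = hdr["first_attr_offset"]
    limit = min(len(data), hdr["used_size"])
    while offset + ATTR_HEADER.size <= limit:
        a_type, length, non_res, _nlen, _noff, _flags, attr_id = ATTR_HEADER.unpack_from(data, offset)
        if a_type == ATTR_END_MARKER or length == 0:  # length 0 would loop forever
            break
        attr = {"offset": offset, "type": a_type, "name": ATTR_TYPE_NAMES.get(a_type, hex(a_type)),
                "length": length, "resident": non_res == 0, "id": attr_id}
        if non_res == 0 and offset + ATTR_HEADER.size + ATTR_RESIDENT.size <= len(data):
            value_len, value_off, _indexed, _pad = ATTR_RESIDENT.unpack_from(data, offset + ATTR_HEADER.size)
            attr["value_length"] = value_len
            attr["value_offset"] = offset + value_off
        yield attr
        offset += length


def parse_standard_information(data, attr):
    """Decode the timestamps, DOS flags and security id of $STANDARD_INFORMATION."""
    f = STD_INFO.unpack_from(data, attr["value_offset"])
    return {
        "created": filetime_to_datetime(f[0]), "modified": filetime_to_datetime(f[1]),
        "mft_modified": filetime_to_datetime(f[2]), "accessed": filetime_to_datetime(f[3]),
        "file_flags": [name for bit, name in FILE_ATTR_FLAGS.items() if f[4] & bit],
        "security_id": f[9],
    }


if __name__ == "__main__":
    hdr = parse_record_header(MFT_ENTRY_0)
    print("record %(record_number)d seq %(sequence)d flags %(flags)#x "
          "used %(used_size)d of %(alloc_size)d bytes" % hdr)
    for problem in check_record_header(hdr):
        print("WARNING:", problem)
    for attr in iter_attribute_headers(MFT_ENTRY_0, hdr):
        print("Type: %s %s Size: %d" % (attr["name"], "Resident" if attr["resident"] else "Non-Resident", attr["length"]))
        if attr["type"] == 0x10:
            for key, value in parse_standard_information(MFT_ENTRY_0, attr).items():
                print("   ", key, value)
```

The four timestamps in the dump are identical and the DOS flags decode to HIDDEN|SYSTEM, which is what a freshly formatted volume's $MFT looks like; on a real image, a $STANDARD_INFORMATION creation time that postdates the $FILE_NAME times, or a record whose used size exceeds its allocated size, is the kind of inconsistency that deserves a closer look.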