rawdisk.plugins.filesystems.ntfs package

Submodules

rawdisk.plugins.filesystems.ntfs.bootsector module

class rawdisk.plugins.filesystems.ntfs.bootsector.BootSector(data=None, offset=None, length=None, filename=None)

Bases: rawdisk.util.rawstruct.RawStruct

Represents NTFS Bootsector

Attributes:

oem_id (8 byte string): NTFS filesystem signature ‘NTFS ‘ bpb (Bpb): Initialized Bpb object. mft_offset (int): Offset to MFT table from the start of NTFS volume in bytes

See More:

http://ntfs.com/ntfs-partition-boot-sector.htm

rawdisk.plugins.filesystems.ntfs.bpb module

class rawdisk.plugins.filesystems.ntfs.bpb.Bpb(data=None, offset=None, filename=None)

Bases: rawdisk.util.rawstruct.RawStruct

Bios parameter block.

Attributes:

bytes_per_sector (ushort): Sector size with which the physical disc medium has been low-level formatted in bytes. sectors_per_cluster (ubyte): Number of sectors in an allocation unit. reserved_sectors (ushort): Number of sectors in the area at the start of the volume that is reserved for operating system boot code. media_descriptor (ubyte): Describes type of device used eg. floppy, harddisk (not used anymore?). total_sectors (ulonglong): Total number of sectors in the volume. mft_cluster (ulonglong): MFT table first cluster number (mft offset = volume offset + bytes_per_sector * sectors_per_cluster * mft_cluster). mft_mirror_cluster (ulonglong): Mirror MFT table cluster number. clusters_per_mft (signed char): MFT record size. Per Microsoft: If this number is positive (up to 0x7F), it represents Clusters per MFT record. If the number is negative (0x80 to 0xFF), the size of the File Record is 2 raised to the absolute value of this number. clusters_per_index (uint): Index block size. volume_serial (ulonglong): Volume serial number. checksum (uint): BPB checksum.

See More:

http://en.wikipedia.org/wiki/BIOS_parameter_block

http://ntfs.com/ntfs-partition-boot-sector.htm

http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/bios-parameter-block.html

bytes_per_cluster

mft_mirror_offset

Returns:

int: Mirror MFT Table offset from the beginning of the partition in bytes

mft_offset

Returns:

int: MFT Table offset from the beginning of the partition in bytes

mft_record_size

Returns:

int: MFT record size in bytes

total_clusters

volume_size

Returns volume size in bytes

rawdisk.plugins.filesystems.ntfs.mft module

class rawdisk.plugins.filesystems.ntfs.mft.MftTable(mft_entry_size=1024, offset=None, filename=None)

Bases: object

Represents NTFS Master File Table (MFT)

Args:

offset (uint): Offset to the MFT table from disk start in bytes. mft_record_size (uint): Mft entry size in bytes (default: 1024). filename (str): A file to read the data from.

See More:

http://en.wikipedia.org/wiki/NTFS#Master_File_Table

get_entry(entry_id)

Get mft entry by index. If entry is not already loaded it will load it from file specified during MftTable initialization.

Returns:

MftEntry: initialized MftEntry.

preload_entries(count)

Loads specified number of MFT entries

Args:

count (int): Number of entries to preload.

rawdisk.plugins.filesystems.ntfs.mft_attr_header module

class rawdisk.plugins.filesystems.ntfs.mft_attr_header.MftAttrHeader(data)

Bases: rawdisk.util.rawstruct.RawStruct

Represents MFT attribute header.

Attributes:

type (uint): Attribute type. length (uint): Attribute length (including this header). non_resident_flag (ubyte): Non-resident flag (0 - resident, 1 - otherwise). length_of_name (ubyte): If attribute has name, this is name length in bytes. offset_to_name (ushort): Offset to attribute’s name in bytes. attr_name (unicode): Attribuet’s name (if it has one). flags (ushort): The attribute flags (COMPRESSION_MASK (0x00FF), SPARSE (0x8000), ENCRYPTED (0x4000)). identifier (ushort): The unique identifier for this attribute in the file record.

Resident attribute: attr_length (uint): The size of the attribute value, in bytes. attr_offset (ushort): The offset to the value from the start of the attribute record, in bytes. indexed (ubyte): Indexed flag??

Non-resident attribute: lowest_vcn (ulonglong): The lowest virtual cluster number (VCN) covered by this attribute record. highest_vcn (ulonglong): The highest VCN covered by this attribute record. data_run_offset (ushort): The offset to the mapping pairs array from the start of the attribute record, in bytes. comp_unit_size (ushort): Compression unit size = 2 x clusters. 0 implies uncompressed. alloc_size (ulonglong): The allocated size of the file, in bytes. This value is an even multiple of the cluster size. This member is not valid if the LowestVcn member is nonzero. real_size (ulonglong): The file size (highest byte that can be read plus 1), in bytes. This member is not valid if LowestVcn is nonzero. data_size (ulonglong): The valid data length (highest initialized byte plus 1), in bytes. This value is rounded to the nearest cluster boundary. This member is not valid if LowestVcn is nonzero.

See More:

http://ftp.kolibrios.org/users/Asper/docs/NTFS/ntfsdoc.html#concept_attribute_header

http://msdn.microsoft.com/en-us/library/bb470039(v=vs.85).aspx

rawdisk.plugins.filesystems.ntfs.mft_attribute module

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr(data)

Bases: rawdisk.util.rawstruct.RawStruct

Base class for all MFT attributes.

Attributes:

type_str (string): String representation of attribute’s type eg. $SYSTEM_INFORMATION. header (MftAttrHeader): Initialized MftAttrHeader object.

static factory(attr_type, data)

Returns Initialized attribute object based on attr_type (eg. MftAttrStandardInformation)

Args:

attr_type (uint): Attribute type number (eg. 0x10 - $STANDARD_INFORMATION) data (byte array): Data to initialize attribute object with.

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrAttributeList(data)

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrBitmap(data)

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrData(data)

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrFilename(data)

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

atime_dt

ctime_dt

mtime_dt

rtime_dt

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrIndexAllocation(data)

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrIndexRoot(data)

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrLoggedToolstream(data)

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrObjectId(data)

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrReparsePoint(data)

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrSecurityDescriptor(data)

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrStandardInformation(data)

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

$STANDARD_INFORMATION attribute

Attributes:

ctime (ulonglong): File creation date in Microsoft FILETIME format. atime (ulonglong): Last file modification date. mtime (ulonglong): Last file MFT entry modification date. rtime (ulonglong): Last file access date. perm (uint): DOS file permissions. versions (uint): Maximum number of versions. class_id (uint): Class Id.

Note:

This attribute is always resident.

See Also:

http://ftp.kolibrios.org/users/Asper/docs/NTFS/ntfsdoc.html#attribute_standard_information

atime_dt

Returns:

datetime: File modification date in Python’s datetime format.

ctime_dt

Returns:

datetime: File creation date in Python’s datetime format.

mtime_dt

Returns:

datetime: MFT entry modification date in Python’s datetime format.

rtime_dt

Returns:

datetime: Last file access date in Python’s datetime format.

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrVolumeInfo(data)

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

class rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttrVolumeName(data)

Bases: rawdisk.plugins.filesystems.ntfs.mft_attribute.MftAttr

rawdisk.plugins.filesystems.ntfs.mft_entry module

class rawdisk.plugins.filesystems.ntfs.mft_entry.MftEntry(data=None, offset=None, length=None, filename=None, index=None)

Bases: rawdisk.util.rawstruct.RawStruct

Represents MFT table entry.

Attributes:

offset (uint): MFT entry offset starting from the beginning of disk in bytes. attributes (list): List of initialized mft attribute objects (eg. MftAttrStandardInformation). header (MftEntryHeader): Initialized MftEntryHeader.

is_directory

is_file

is_in_use

lookup_attribute(attr_type_id)

used_size

rawdisk.plugins.filesystems.ntfs.mft_entry_header module

class rawdisk.plugins.filesystems.ntfs.mft_entry_header.MftEntryHeader(data)

Bases: rawdisk.util.rawstruct.RawStruct

Represents MFT entry header.

Attributes:

file_signature (string): Entry signature (4 bytes) (eg. ‘FILE’ or ‘BAAD’). update_seq_array_offset (ushort): The offset to the update sequence array, from the start of this structure. The update sequence array must end before the last USHORT value in the first sector. update_seq_array_size (ushort): The size of the update sequence array, in bytes. logfile_seq_number (ulonglong): ?? (reserved in Microsoft website) seq_number (ushort): The sequence number. This value is incremented each time that a file record segment is freed; it is 0 if the segment is not used. hard_link_count (ushort): ?? (reserved in Microsoft website) first_attr_offset (ushort): The offset of the first attribute record, in bytes. flags (ushort): The file flags (FILE_RECORD_SEGMENT_IN_USE (0x0001), FILE_FILE_NAME_INDEX_PRESENT (0x0002)). base_file_record (ulonglong): A file reference to the base file record segment for this file. If this is the base file record, the value is 0.

See Also:

http://msdn.microsoft.com/en-us/library/bb470124(v=vs.85).aspx

rawdisk.plugins.filesystems.ntfs.ntfs module

class rawdisk.plugins.filesystems.ntfs.ntfs.NtfsPlugin

Bases: rawdisk.plugins.categories.IFilesystemPlugin

Filesystem plugin for NTFS partition.

detect(filename, offset)

Verifies NTFS filesystem signature.

Returns:

bool: True if filesystem signature at offset 0x03 matches ‘NTFS ‘, False otherwise.

get_volume_object()

Returns NtfsVolume object.

register()

Registers this plugin with FilesystemDetector as gpt plugin, with type guid {EBD0A0A2-B9E5-4433-87C0-68B6B72699C7} and as mbr plugin with type id 0x07

rawdisk.plugins.filesystems.ntfs.ntfs_volume module

class rawdisk.plugins.filesystems.ntfs.ntfs_volume.NtfsVolume

Bases: rawdisk.filesystems.volume.Volume

Represents NTFS volume.

Attributes:

offset (uint): offset to the partition from the start of the disk in bytes fd (fd): file descriptor that is used to load volume information bootsector (BootSector): initialized BootSector object. mft_table (MftTable): initialized MftTable object

See More:

http://en.wikipedia.org/wiki/NTFS

dump_volume()

load(filename, offset)

Loads NTFS volume information

Args:

filename (str): Path to file/device to read the volume information from. offset (uint): Valid NTFS partition offset from the beginning of the file/device.

Raises:

IOError: If source file/device does not exist or is not readable

mft_mirror_offset

Returns: int: MFT Mirror Table offset from the beginning of the disk in bytes

mft_table_offset

Returns:

int: MFT Table offset from the beginning of the disk in bytes

size

Returns:

int: Total size of NTFS volume in bytes

Module contents