def get_directory_index_inactive_entries(fs, directory):
    """
    Collect the inactive (slack) MFT_INDEX_ENTRYs of a directory.

    Both index attributes of the directory's MFT record are scanned:
    INDEX_ALLOCATION first (every block's slack), then INDEX_ROOT. An
    attribute that is absent contributes nothing. Slack entries are
    remnants the parser reinterprets from attribute data read off the
    image, so their fields are not validated here.

    Args:
        fs: filesystem object providing get_attribute_data(attribute).
        directory: directory entry exposing is_directory() and _record.

    Returns:
        list of slack MFT_INDEX_ENTRY objects, allocation entries first;
        empty when neither attribute yields any.

    Raises:
        InvalidArgumentError: if *directory* is not a directory.
    """
    if not directory.is_directory():
        raise InvalidArgumentError()

    # sorry, reaching
    record = directory._record

    slack = []

    def _from_allocation():
        # walk every INDEX_ALLOCATION block and keep its slack entries
        attr = record.attribute(ATTR_TYPE.INDEX_ALLOCATION)
        alloc = INDEX_ALLOCATION(fs.get_attribute_data(attr), 0)
        for block in alloc.blocks():
            slack.extend(block.index().slack_entries())

    def _from_root():
        # the INDEX_ROOT attribute holds a single index node
        attr = record.attribute(ATTR_TYPE.INDEX_ROOT)
        root = INDEX_ROOT(fs.get_attribute_data(attr), 0)
        slack.extend(root.index().slack_entries())

    # A missing attribute simply means "nothing to collect". Any
    # AttributeNotFoundError raised while parsing is swallowed the same
    # way, matching the best-effort contract of this function.
    for collect in (_from_allocation, _from_root):
        try:
            collect()
        except AttributeNotFoundError:
            pass

    return slack
def get_directory_index_inactive_entries(fs, directory):
    """
    Return the inactive (slack) MFT_INDEX_ENTRYs found in a directory's
    INDEX_ALLOCATION and INDEX_ROOT attributes.

    The allocation blocks are scanned before the root node, and the
    resulting entries are returned in that order. A missing attribute is
    skipped silently. The entries are reconstructed from attribute data
    read off the image and are not validated here.

    Args:
        fs: filesystem object providing get_attribute_data(attribute).
        directory: directory entry exposing is_directory() and _record.

    Returns:
        list of slack MFT_INDEX_ENTRY objects (possibly empty).

    Raises:
        InvalidArgumentError: if *directory* is not a directory.
    """
    if not directory.is_directory():
        raise InvalidArgumentError()

    # sorry, reaching
    record = directory._record

    inactive = []

    # INDEX_ALLOCATION: one index node per block, each with its own slack
    try:
        alloc_attr = record.attribute(ATTR_TYPE.INDEX_ALLOCATION)
        alloc = INDEX_ALLOCATION(fs.get_attribute_data(alloc_attr), 0)
        for blk in alloc.blocks():
            inactive.extend(blk.index().slack_entries())
    except AttributeNotFoundError:
        # no such attribute (or it could not be walked): nothing to add
        pass

    # INDEX_ROOT: the single resident index node
    try:
        root_attr = record.attribute(ATTR_TYPE.INDEX_ROOT)
        root_node = INDEX_ROOT(fs.get_attribute_data(root_attr), 0)
        inactive.extend(root_node.index().slack_entries())
    except AttributeNotFoundError:
        pass

    return inactive
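def _collect_filenames(index_entries, into):
    """
    Store the filename of each MFT_INDEX_ENTRY in *into*, keyed by its
    MFT reference.

    A later entry with the same reference overwrites an earlier one, so
    several filename records for one file collapse into a single name.
    """
    for index_entry in index_entries:
        ref = MREF(index_entry.header().mft_reference())
        into[ref] = index_entry.filename_information().filename()


def main(image_filename, volume_offset, path):
    """
    Log the file names recorded in the index of the directory at *path*.

    The image file is memory-mapped, the NTFS volume at *volume_offset* is
    opened, and *path* is resolved from the root directory ("/" selects
    the root itself). Names are taken from the INDEX_ALLOCATION attribute
    of the directory's MFT record; only when that attribute is absent is
    the INDEX_ROOT attribute read instead. Each name is logged at INFO
    level; a non-directory path is reported at ERROR level and nothing
    else is done.

    Args:
        image_filename: path of the disk image to map.
        volume_offset: byte offset of the NTFS volume within the image.
        path: directory path inside the volume.
    """
    logging.basicConfig(level=logging.DEBUG)
    #logging.getLogger("ntfs.mft").setLevel(logging.INFO)

    with Mmap(image_filename) as buf:
        v = FlatVolume(buf, volume_offset)
        fs = NTFSFilesystem(v)
        root = fs.get_root_directory()

        entry = root if path == "/" else root.get_path_entry(path)

        if not entry.is_directory():
            g_logger.error("not a directory")
            return

        # sorry, reaching
        record = entry._record

        # MFT reference -> filename; the dict de-dups entries that point at
        # the same record under different names
        entries = {}
        try:
            indx_alloc_attr = record.attribute(ATTR_TYPE.INDEX_ALLOCATION)
            indx_alloc = INDEX_ALLOCATION(
                fs.get_attribute_data(indx_alloc_attr), 0)
            g_logger.debug("INDEX_ALLOCATION len: %s", hex(len(indx_alloc)))
            g_logger.debug("alloc:\n%s", indx_alloc.get_all_string(indent=2))

            g_logger.info("found:")
            for block in indx_alloc.blocks():
                _collect_filenames(block.index().entries(), entries)

        except AttributeNotFoundError:
            # NOTE(review): this branch also runs when AttributeNotFoundError
            # escapes from the block walk above, not only when the attribute
            # is missing; names gathered so far are kept. INDEX_ROOT is never
            # read while INDEX_ALLOCATION is present.
            indx_root_attr = record.attribute(ATTR_TYPE.INDEX_ROOT)
            indx_root = INDEX_ROOT(fs.get_attribute_data(indx_root_attr), 0)
            g_logger.debug("INDEX_ROOT len: %s", hex(len(indx_root)))
            g_logger.debug("root:\n%s", indx_root.get_all_string(indent=2))

            g_logger.info("found:")
            _collect_filenames(indx_root.index().entries(), entries)

        # dict.iteritems() is Python 2 only and the keys were unused;
        # iterate the names directly, which works on both Python versions
        for filename in entries.values():
            g_logger.info("  - %s", filename)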
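def _collect_filenames(index_entries, into):
    """
    Store the filename of each MFT_INDEX_ENTRY in *into*, keyed by its
    MFT reference.

    A later entry with the same reference overwrites an earlier one, so
    several filename records for one file collapse into a single name.
    """
    for index_entry in index_entries:
        ref = MREF(index_entry.header().mft_reference())
        into[ref] = index_entry.filename_information().filename()


def main(image_filename, volume_offset, path):
    """
    Log the file names recorded in the index of the directory at *path*.

    The image file is memory-mapped, the NTFS volume at *volume_offset* is
    opened, and *path* is resolved from the root directory ("/" selects
    the root itself). Names are taken from the INDEX_ALLOCATION attribute
    of the directory's MFT record; only when that attribute is absent is
    the INDEX_ROOT attribute read instead. Each name is logged at INFO
    level; a non-directory path is reported at ERROR level and nothing
    else is done.

    Args:
        image_filename: path of the disk image to map.
        volume_offset: byte offset of the NTFS volume within the image.
        path: directory path inside the volume.
    """
    logging.basicConfig(level=logging.DEBUG)
    #logging.getLogger("ntfs.mft").setLevel(logging.INFO)

    with Mmap(image_filename) as buf:
        v = FlatVolume(buf, volume_offset)
        fs = NTFSFilesystem(v)
        root = fs.get_root_directory()

        entry = root if path == "/" else root.get_path_entry(path)

        if not entry.is_directory():
            g_logger.error("not a directory")
            return

        # sorry, reaching
        record = entry._record

        # MFT reference -> filename; the dict de-dups entries that point at
        # the same record under different names
        entries = {}
        try:
            indx_alloc_attr = record.attribute(ATTR_TYPE.INDEX_ALLOCATION)
            indx_alloc = INDEX_ALLOCATION(fs.get_attribute_data(indx_alloc_attr), 0)
            g_logger.debug("INDEX_ALLOCATION len: %s", hex(len(indx_alloc)))
            g_logger.debug("alloc:\n%s", indx_alloc.get_all_string(indent=2))

            g_logger.info("found:")
            for block in indx_alloc.blocks():
                _collect_filenames(block.index().entries(), entries)

        except AttributeNotFoundError:
            # NOTE(review): this branch also runs when AttributeNotFoundError
            # escapes from the block walk above, not only when the attribute
            # is missing; names gathered so far are kept. INDEX_ROOT is never
            # read while INDEX_ALLOCATION is present.
            indx_root_attr = record.attribute(ATTR_TYPE.INDEX_ROOT)
            indx_root = INDEX_ROOT(fs.get_attribute_data(indx_root_attr), 0)
            g_logger.debug("INDEX_ROOT len: %s", hex(len(indx_root)))
            g_logger.debug("root:\n%s", indx_root.get_all_string(indent=2))

            g_logger.info("found:")
            _collect_filenames(indx_root.index().entries(), entries)

        # dict.iteritems() is Python 2 only and the keys were unused;
        # iterate the names directly, which works on both Python versions
        for filename in entries.values():
            g_logger.info("  - %s", filename)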
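    def get_record_children(self, record):
        """
        Return the MFTRecords referenced by the entries of a directory's index.

        Entries are collected by MFT reference into a dict so that several
        filename records for one file (8.3, POSIX, Windows) yield a single
        child. The INDEX_ALLOCATION attribute is walked first; only when it
        is absent is the INDEX_ROOT attribute used. The root directory's "."
        self-entry is skipped. A non-directory record has no children.

        Args:
            record: MFTRecord to enumerate.

        Returns:
            the values() of the reference -> MFTRecord map (empty for a
            non-directory record).
        """
        # keyed by MFT reference to de-dup entries that differ only in
        # filename type (8.3, POSIX, Windows) but share the same record
        ret = {}  # type: dict[int, MFTRecord]
        if not record.is_directory():
            return ret.values()

        def _add(index_entry):
            # resolve the entry's target record; the root's "." entry
            # would otherwise list the directory as its own child
            ref = MREF(index_entry.header().mft_reference())
            if ref == INODE_ROOT and \
               index_entry.filename_information().filename() == ".":
                return
            ret[ref] = self._enumerator.get_record(ref)

        try:
            indx_alloc_attr = record.attribute(ATTR_TYPE.INDEX_ALLOCATION)
            indx_alloc = INDEX_ALLOCATION(
                self.get_attribute_data(indx_alloc_attr), 0)
            for block in indx_alloc.blocks():
                for index_entry in block.index().entries():
                    _add(index_entry)

        except AttributeNotFoundError:
            # NOTE(review): this also catches AttributeNotFoundError raised
            # while resolving children above (e.g. inside get_record), in
            # which case the root node is walked on top of the partial
            # result -- confirm that is intended.
            indx_root_attr = record.attribute(ATTR_TYPE.INDEX_ROOT)
            indx_root = INDEX_ROOT(self.get_attribute_data(indx_root_attr), 0)
            for index_entry in indx_root.index().entries():
                _add(index_entry)

        return ret.values()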