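def decodeFNAttribute(s, localtz, record):
    """Decode the body of a file name (FN) attribute into a dict.

    The input is raw on-disk data from the volume or image under
    examination, so it may be truncated, corrupt or deliberately crafted.

    Args:
        s: Raw attribute content. 66 bytes of fixed-width fields are read,
            followed by ``nlen`` 16-bit name characters.
        localtz: Passed through unchanged to ``mftutils.WindowsTime``.
        record: Unused; kept so existing callers keep working.

    Returns:
        dict with the keys ``par_ref``, ``par_seq``, ``crtime``, ``mtime``,
        ``ctime``, ``atime``, ``alloc_fsize``, ``real_fsize``, ``flags``,
        ``nlen``, ``nspace`` and ``name``. ``name`` is the UTF-8 encoding of
        the decoded name, or the literal ``'UnableToDecodeFilename'`` when
        the name bytes are not valid UTF-16.

    Raises:
        struct.error: If ``s`` is too short for one of the fixed-width
            fields.
    """
    def _stamp(offset):
        # A timestamp is two consecutive little-endian 32-bit words; both
        # are handed to WindowsTime in on-disk order.
        first = struct.unpack("<L", s[offset:offset + 4])[0]
        second = struct.unpack("<L", s[offset + 4:offset + 8])[0]
        return mftutils.WindowsTime(first, second, localtz)

    # File name attributes can have null dates.
    d = {}

    # Parent reference number + sequence number form the 8-byte "file
    # reference to the parent directory". "<Lxx" keeps only the low 32 bits
    # of the 6-byte reference number and skips the other two bytes.
    d['par_ref'] = struct.unpack("<Lxx", s[:6])[0]
    d['par_seq'] = struct.unpack("<H", s[6:8])[0]

    d['crtime'] = _stamp(8)
    d['mtime'] = _stamp(16)
    d['ctime'] = _stamp(24)
    d['atime'] = _stamp(32)

    d['alloc_fsize'] = struct.unpack("<q", s[40:48])[0]
    d['real_fsize'] = struct.unpack("<q", s[48:56])[0]

    # NOTE(review): these 8 bytes are read as an IEEE-754 double ("<d"); a
    # flags field would normally be an integer bit mask. Confirm what the
    # consumers of 'flags' expect before changing the format.
    d['flags'] = struct.unpack("<d", s[56:64])[0]

    # One-byte slices (not s[64]) so the read works whether indexing `s`
    # yields a 1-character string or an int; a buffer that ends here now
    # raises struct.error like every other truncated field.
    d['nlen'] = struct.unpack("B", s[64:65])[0]
    # NOTE(review): the original "0x01=NTFS, 0x02=DOS" remark sat on the
    # flags line but reads like name-space codes - confirm which field it
    # describes.
    d['nspace'] = struct.unpack("B", s[65:66])[0]

    # Slicing never reads past the buffer: if nlen claims more characters
    # than are present, the name is silently shortened rather than rejected.
    raw_name = s[66:66 + d['nlen'] * 2]
    try:
        # The name is decoded as little-endian with no byte-order mark. The
        # plain 'utf-16' codec would swallow a leading FF FE / FE FF pair and
        # let it choose the byte order, so a name starting with those bytes
        # would be reported differently from what is stored.
        d['name'] = raw_name.decode('utf-16-le').encode('utf-8')
    except UnicodeError:
        # Only decoding/encoding failures fall back to the placeholder;
        # anything else (KeyboardInterrupt, programming errors) propagates.
        d['name'] = 'UnableToDecodeFilename'

    return d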
def decodeSIAttribute(s, localtz):
    """Decode the first 72 bytes of an SI attribute into a dict.

    SI presumably stands for the standard information attribute of an MFT
    record - confirm against the caller. The buffer is raw on-disk data and
    may be truncated or crafted.

    Args:
        s: Raw attribute content; bytes 0..71 are read.
        localtz: Passed through unchanged to ``mftutils.WindowsTime``.

    Returns:
        dict with the keys ``crtime``, ``mtime``, ``ctime``, ``atime``,
        ``dos``, ``maxver``, ``ver``, ``class_id``, ``own_id``, ``sec_id``,
        ``quota`` and ``usn``.

    Raises:
        struct.error: If ``s`` is too short for one of the fields.
    """
    def _filetime(offset):
        # Two consecutive little-endian 32-bit words, handed to WindowsTime
        # in on-disk order.
        first = struct.unpack("<L", s[offset:offset + 4])[0]
        second = struct.unpack("<L", s[offset + 4:offset + 8])[0]
        return mftutils.WindowsTime(first, second, localtz)

    d = {}

    # Four 8-byte timestamps occupy bytes 0..31.
    for key, offset in (('crtime', 0), ('mtime', 8),
                        ('ctime', 16), ('atime', 24)):
        d[key] = _filetime(offset)

    # Six unsigned 32-bit fields occupy bytes 32..55.
    for key, offset in (('dos', 32), ('maxver', 36), ('ver', 40),
                        ('class_id', 44), ('own_id', 48), ('sec_id', 52)):
        d[key] = struct.unpack("<I", s[offset:offset + 4])[0]

    # Two 8-byte fields close the layout; everything after the timestamps
    # spans 40 bytes (32..71).
    # NOTE(review): both are read as IEEE-754 doubles ("<d"); quota and USN
    # values would normally be integers - confirm before relying on them.
    # NOTE(review): a shorter SI layout would make this raise struct.error;
    # verify that callers handle that for older volumes.
    d['quota'] = struct.unpack("<d", s[56:64])[0]
    d['usn'] = struct.unpack("<d", s[64:72])[0]

    return d
def decode_si_attribute(s, localtz):
    """Decode the first 72 bytes of an SI attribute into a dict.

    SI presumably stands for the standard information attribute of an MFT
    record - confirm against the caller. The buffer is raw on-disk data and
    may be truncated or crafted.

    Args:
        s: Raw attribute content; bytes 0..71 are read.
        localtz: Passed through unchanged to ``mftutils.WindowsTime``.

    Returns:
        dict with the keys ``crtime``, ``mtime``, ``ctime``, ``atime``,
        ``dos``, ``maxver``, ``ver``, ``class_id``, ``own_id``, ``sec_id``,
        ``quota`` and ``usn``.

    Raises:
        struct.error: If ``s`` is too short for one of the fields.
    """
    d = {}

    # Bytes 0..31: four timestamps, each stored as two little-endian 32-bit
    # words that are passed to WindowsTime in on-disk order.
    for idx, key in enumerate(('crtime', 'mtime', 'ctime', 'atime')):
        base = idx * 8
        first = struct.unpack("<L", s[base:base + 4])[0]
        second = struct.unpack("<L", s[base + 4:base + 8])[0]
        d[key] = mftutils.WindowsTime(first, second, localtz)

    # Bytes 32..55: six unsigned 32-bit fields.
    for idx, key in enumerate(('dos', 'maxver', 'ver',
                               'class_id', 'own_id', 'sec_id')):
        start = 32 + idx * 4
        d[key] = struct.unpack("<I", s[start:start + 4])[0]

    # Bytes 56..71: two 8-byte fields.
    # NOTE(review): both are read as IEEE-754 doubles ("<d"); quota and USN
    # values would normally be integers - confirm before relying on them.
    for idx, key in enumerate(('quota', 'usn')):
        start = 56 + idx * 8
        d[key] = struct.unpack("<d", s[start:start + 8])[0]

    return d
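def decode_fn_attribute(s, localtz, _):
    """Decode the body of a file name (FN) attribute into a dict.

    The input is raw on-disk data from the volume or image under
    examination, so it may be truncated, corrupt or deliberately crafted.

    Args:
        s: Raw attribute content. 66 bytes of fixed-width fields are read,
            followed by ``nlen`` 16-bit name characters.
        localtz: Passed through unchanged to ``mftutils.WindowsTime``.
        _: Unused; kept so existing callers keep working.

    Returns:
        dict with the keys ``par_ref``, ``par_seq``, ``crtime``, ``mtime``,
        ``ctime``, ``atime``, ``alloc_fsize``, ``real_fsize``, ``flags``,
        ``nlen``, ``nspace`` and ``name``. ``name`` is the UTF-8 encoding of
        the decoded name, or the literal ``'UnableToDecodeFilename'`` when
        the name bytes are not valid UTF-16.

    Raises:
        struct.error: If ``s`` is too short for one of the fixed-width
            fields.
    """
    def _u32(start):
        # One little-endian unsigned 32-bit word at `start`.
        return struct.unpack("<L", s[start:start + 4])[0]

    # File name attributes can have null dates.
    d = {
        # "<Lxx" keeps only the low 32 bits of the 6-byte parent reference
        # number; the 2-byte sequence number follows it.
        'par_ref': struct.unpack("<Lxx", s[:6])[0],
        'par_seq': struct.unpack("<H", s[6:8])[0],
        # Each timestamp is two consecutive 32-bit words, passed to
        # WindowsTime in on-disk order.
        'crtime': mftutils.WindowsTime(_u32(8), _u32(12), localtz),
        'mtime': mftutils.WindowsTime(_u32(16), _u32(20), localtz),
        'ctime': mftutils.WindowsTime(_u32(24), _u32(28), localtz),
        'atime': mftutils.WindowsTime(_u32(32), _u32(36), localtz),
        'alloc_fsize': struct.unpack("<q", s[40:48])[0],
        'real_fsize': struct.unpack("<q", s[48:56])[0],
        # NOTE(review): read as an IEEE-754 double ("<d"); a flags field
        # would normally be an integer bit mask - confirm with consumers.
        'flags': struct.unpack("<d", s[56:64])[0],
        # One-byte slices (not s[64]) so the read works whether indexing `s`
        # yields a 1-character string or an int; a buffer that ends here now
        # raises struct.error like every other truncated field.
        'nlen': struct.unpack("B", s[64:65])[0],
        'nspace': struct.unpack("B", s[65:66])[0],
    }

    # Slicing never reads past the buffer: if nlen claims more characters
    # than are present, the name is silently shortened rather than rejected.
    attr_bytes = s[66:66 + d['nlen'] * 2]
    try:
        # Decode as little-endian with no byte-order mark. The plain 'utf-16'
        # codec would swallow a leading FF FE / FE FF pair and let it choose
        # the byte order, so a name starting with those bytes would be
        # reported differently from what is stored.
        d['name'] = attr_bytes.decode('utf-16-le').encode('utf-8')
    except UnicodeError:
        # Only decoding/encoding failures fall back to the placeholder;
        # anything else (KeyboardInterrupt, programming errors) propagates.
        d['name'] = 'UnableToDecodeFilename'

    return d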