def get_directory_index_inactive_entries(fs, directory):
    """
    Return the inactive (slack) MFT_INDEX_ENTRYs of *directory*, gathered
    first from its INDEX_ALLOCATION blocks and then from its INDEX_ROOT node.

    Either attribute may be absent from the record; a missing one simply
    contributes nothing to the result.

    Args:
        fs: the filesystem used to read attribute data.
        directory: the directory entry to inspect.

    Returns:
        list of slack index entries, allocation blocks first, root node last.

    Raises:
        InvalidArgumentError: if *directory* is not a directory.
    """
    if not directory.is_directory():
        raise InvalidArgumentError()

    # sorry, reaching
    record = directory._record
    slack = []

    try:
        alloc_attr = record.attribute(ATTR_TYPE.INDEX_ALLOCATION)
        alloc = INDEX_ALLOCATION(fs.get_attribute_data(alloc_attr), 0)
        for block in alloc.blocks():
            slack.extend(block.index().slack_entries())
    except AttributeNotFoundError:
        pass  # best-effort: the attribute may simply be absent

    try:
        root_attr = record.attribute(ATTR_TYPE.INDEX_ROOT)
        root = INDEX_ROOT(fs.get_attribute_data(root_attr), 0)
        slack.extend(root.index().slack_entries())
    except AttributeNotFoundError:
        pass  # best-effort: the attribute may simply be absent

    return slack
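def main(image_filename, volume_offset, path):
    """
    Log the names of the entries in the directory at *path* on the NTFS
    volume that starts *volume_offset* bytes into the raw image
    *image_filename*.

    Names are gathered from the directory's INDEX_ROOT node and, when the
    directory has one, from every INDEX_ALLOCATION block: in NTFS the root
    node keeps entries of its own even when INDEX_ALLOCATION is present, so
    reading only one of the two (as the previous either/or did) drops
    entries. Results are keyed by MFT reference, so the 8.3 / POSIX / Win32
    name variants of one file collapse into a single line (the last name
    seen wins).

    Args:
        image_filename: path of the raw disk image to memory-map.
        volume_offset: byte offset of the NTFS volume inside the image.
        path: "/" for the root directory, otherwise a path below it.

    Returns:
        None. Logs an error and returns early if *path* is not a directory.

    Raises:
        AttributeNotFoundError: if the directory record carries neither
        INDEX_ROOT nor INDEX_ALLOCATION (unchanged from before).
    """
    logging.basicConfig(level=logging.DEBUG)
    #logging.getLogger("ntfs.mft").setLevel(logging.INFO)

    with Mmap(image_filename) as buf:
        volume = FlatVolume(buf, volume_offset)
        fs = NTFSFilesystem(volume)
        root = fs.get_root_directory()
        if path == "/":
            directory = root
        else:
            directory = root.get_path_entry(path)
        if not directory.is_directory():
            g_logger.error("not a directory")
            return

        # sorry, reaching
        record = directory._record

        names = {}  # MFT reference -> filename

        def add_entries(index_entries):
            for entry in index_entries:
                ref = MREF(entry.header().mft_reference())
                names[ref] = entry.filename_information().filename()

        # Keep each try narrow: only the attribute lookup may legitimately
        # fail with AttributeNotFoundError. A parse error raised while
        # walking a damaged or crafted index must not be mistaken for
        # "attribute absent" and silently change which index is read.
        try:
            indx_alloc_attr = record.attribute(ATTR_TYPE.INDEX_ALLOCATION)
        except AttributeNotFoundError:
            indx_alloc_attr = None

        try:
            indx_root_attr = record.attribute(ATTR_TYPE.INDEX_ROOT)
        except AttributeNotFoundError:
            if indx_alloc_attr is None:
                raise  # neither index attribute: surface it, as before
            indx_root_attr = None

        if indx_root_attr is not None:
            indx_root = INDEX_ROOT(fs.get_attribute_data(indx_root_attr), 0)
            g_logger.debug("INDEX_ROOT len: %s", hex(len(indx_root)))
            g_logger.debug("root:\n%s", indx_root.get_all_string(indent=2))
            add_entries(indx_root.index().entries())

        if indx_alloc_attr is not None:
            indx_alloc = INDEX_ALLOCATION(fs.get_attribute_data(indx_alloc_attr), 0)
            g_logger.debug("INDEX_ALLOCATION len: %s", hex(len(indx_alloc)))
            g_logger.debug("alloc:\n%s", indx_alloc.get_all_string(indent=2))
            for block in indx_alloc.blocks():
                add_entries(block.index().entries())

        g_logger.info("found:")
        # .values() instead of .iteritems(): runs on both Python 2 and 3,
        # and the key was never used
        for filename in names.values():
            g_logger.info(" - %s", filename)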
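def main(image_filename, volume_offset, path):
    """
    Log the names of the entries in the directory at *path* on the NTFS
    volume that starts *volume_offset* bytes into the raw image
    *image_filename*.

    Names are gathered from the directory's INDEX_ROOT node and, when the
    directory has one, from every INDEX_ALLOCATION block: in NTFS the root
    node keeps entries of its own even when INDEX_ALLOCATION is present, so
    reading only one of the two (as the previous either/or did) drops
    entries. Results are keyed by MFT reference, so the 8.3 / POSIX / Win32
    name variants of one file collapse into a single line (the last name
    seen wins).

    Args:
        image_filename: path of the raw disk image to memory-map.
        volume_offset: byte offset of the NTFS volume inside the image.
        path: "/" for the root directory, otherwise a path below it.

    Returns:
        None. Logs an error and returns early if *path* is not a directory.

    Raises:
        AttributeNotFoundError: if the directory record carries neither
        INDEX_ROOT nor INDEX_ALLOCATION (unchanged from before).
    """
    logging.basicConfig(level=logging.DEBUG)
    #logging.getLogger("ntfs.mft").setLevel(logging.INFO)

    with Mmap(image_filename) as buf:
        volume = FlatVolume(buf, volume_offset)
        fs = NTFSFilesystem(volume)
        root = fs.get_root_directory()
        if path == "/":
            directory = root
        else:
            directory = root.get_path_entry(path)
        if not directory.is_directory():
            g_logger.error("not a directory")
            return

        # sorry, reaching
        record = directory._record

        names = {}  # MFT reference -> filename

        def add_entries(index_entries):
            for entry in index_entries:
                ref = MREF(entry.header().mft_reference())
                names[ref] = entry.filename_information().filename()

        # Keep each try narrow: only the attribute lookup may legitimately
        # fail with AttributeNotFoundError. A parse error raised while
        # walking a damaged or crafted index must not be mistaken for
        # "attribute absent" and silently change which index is read.
        try:
            indx_alloc_attr = record.attribute(ATTR_TYPE.INDEX_ALLOCATION)
        except AttributeNotFoundError:
            indx_alloc_attr = None

        try:
            indx_root_attr = record.attribute(ATTR_TYPE.INDEX_ROOT)
        except AttributeNotFoundError:
            if indx_alloc_attr is None:
                raise  # neither index attribute: surface it, as before
            indx_root_attr = None

        if indx_root_attr is not None:
            indx_root = INDEX_ROOT(fs.get_attribute_data(indx_root_attr), 0)
            g_logger.debug("INDEX_ROOT len: %s", hex(len(indx_root)))
            g_logger.debug("root:\n%s", indx_root.get_all_string(indent=2))
            add_entries(indx_root.index().entries())

        if indx_alloc_attr is not None:
            indx_alloc = INDEX_ALLOCATION(fs.get_attribute_data(indx_alloc_attr), 0)
            g_logger.debug("INDEX_ALLOCATION len: %s", hex(len(indx_alloc)))
            g_logger.debug("alloc:\n%s", indx_alloc.get_all_string(indent=2))
            for block in indx_alloc.blocks():
                add_entries(block.index().entries())

        g_logger.info("found:")
        # .values() instead of .iteritems(): runs on both Python 2 and 3,
        # and the key was never used
        for filename in names.values():
            g_logger.info(" - %s", filename)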
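def get_record_children(self, record):
    """
    Return the MFTRecords listed in *record*'s directory index.

    Entries are collected from the INDEX_ROOT node and, when present, from
    every block of the INDEX_ALLOCATION attribute: in NTFS the root node
    keeps entries of its own even when INDEX_ALLOCATION is present, so the
    previous either/or dropped children of large directories (the sibling
    get_directory_index_inactive_entries already reads both). Results are
    keyed by MFT reference so that the 8.3 / POSIX / Win32 name variants of
    the same file collapse into a single record.

    Args:
        record: the MFTRecord whose children to list.

    Returns:
        the values() of a dict mapping MFT reference -> MFTRecord; empty when
        *record* is not a directory.

    Raises:
        AttributeNotFoundError: if the directory record carries neither
        INDEX_ROOT nor INDEX_ALLOCATION (unchanged from before).
    """
    children = {}  # MFT reference -> MFTRecord
    if not record.is_directory():
        return children.values()

    def add_entries(index_entries):
        for entry in index_entries:
            ref = MREF(entry.header().mft_reference())
            # the root directory's index lists itself as "."; skip it,
            # presumably so a tree walk does not loop back to the root
            if ref == INODE_ROOT and entry.filename_information().filename() == ".":
                continue
            children[ref] = self._enumerator.get_record(ref)

    # Keep each try narrow: only the attribute lookup may legitimately fail
    # with AttributeNotFoundError. A parse error raised while walking a
    # damaged or crafted index (or from get_record on a child) must not be
    # mistaken for "attribute absent" and silently change which index is
    # read.
    try:
        indx_alloc_attr = record.attribute(ATTR_TYPE.INDEX_ALLOCATION)
    except AttributeNotFoundError:
        indx_alloc_attr = None

    try:
        indx_root_attr = record.attribute(ATTR_TYPE.INDEX_ROOT)
    except AttributeNotFoundError:
        if indx_alloc_attr is None:
            raise  # neither index attribute: surface it, as before
        indx_root_attr = None

    if indx_root_attr is not None:
        indx_root = INDEX_ROOT(self.get_attribute_data(indx_root_attr), 0)
        add_entries(indx_root.index().entries())

    if indx_alloc_attr is not None:
        indx_alloc = INDEX_ALLOCATION(self.get_attribute_data(indx_alloc_attr), 0)
        for block in indx_alloc.blocks():
            add_entries(block.index().entries())

    return children.values()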