def get_mft_buffer(self):
    """Return the data behind the data attribute of the MFT's own record.

    Reads the MFT's logical cluster number (LCN) from ``self._vbr``, parses an
    ``MFTRecord`` at offset 0 of that cluster with ``inode=INODE_MFT``, and
    hands the record's data attribute to ``self.get_attribute_data``.
    """
    lcn = self._vbr.mft_lcn()
    # The 4096 multiplier feeds only this debug message.
    # NOTE(review): it looks like an assumed 4 KiB cluster size -- confirm
    # against the volume's real cluster size before trusting the logged offset.
    g_logger.debug("mft: %x", lcn * 4096)
    # NOTE(review): lcn is read from the image being analysed and is not
    # range-checked in this method -- confirm self._clusters rejects an
    # out-of-range index cleanly.
    record = MFTRecord(self._clusters[lcn], 0, None, inode=INODE_MFT)
    return self.get_attribute_data(record.data_attribute())
def get_mftmirr_buffer(self):
    """Return the data behind the data attribute of the MFT mirror's record.

    Looks up the cluster at the mirror LCN reported by ``self._vbr``, parses
    an ``MFTRecord`` at byte offset ``INODE_MFTMIRR * MFT_RECORD_SIZE`` inside
    it, and hands that record's data attribute to ``self.get_attribute_data``.
    """
    # The 4096 multiplier feeds only this debug message.
    # NOTE(review): it looks like an assumed 4 KiB cluster size -- confirm.
    logged_offset = self._vbr.mftmirr_lcn() * 4096
    g_logger.debug("mft mirr: %s", hex(logged_offset))
    # NOTE(review): the LCN is read from the image being analysed and is not
    # range-checked here; the record offset also presumes the returned chunk
    # holds at least two records -- confirm both against self._clusters.
    chunk = self._clusters[self._vbr.mftmirr_lcn()]
    record_offset = INODE_MFTMIRR * MFT_RECORD_SIZE
    record = MFTRecord(chunk, record_offset, None, inode=INODE_MFTMIRR)
    return self.get_attribute_data(record.data_attribute())
def main(record_filename):
    """Print one MFT record and each of its attributes to stdout.

    Maps ``record_filename`` with ``Mmap``, parses an ``MFTRecord`` at offset
    0, and prints the record header followed by every attribute header. The
    values of STANDARD_INFORMATION and FILENAME_INFORMATION attributes are
    decoded and printed as well.

    Args:
        record_filename: path of the file holding the record to dump.
    """
    logging.basicConfig(level=logging.DEBUG)
    # To quiet the MFT parser's own logger:
    # logging.getLogger("ntfs.mft").setLevel(logging.INFO)
    header_template = "=== Attribute Header (type: {:s}) at offset {:s}"
    with Mmap(record_filename) as buf:
        record = MFTRecord(buf, 0, None)
        print("=== MFT Record Header")
        print(record.get_all_string())
        for attr in record.attributes():
            # NOTE(review): the type value is read from the file being parsed;
            # presumably a value missing from Attribute.TYPES raises here --
            # confirm how unknown attribute types should be reported.
            type_name = Attribute.TYPES[attr.type()]
            offset_text = hex(attr.offset())
            print(header_template.format(type_name, offset_text))
            print(attr.get_all_string())
            if attr.type() == ATTR_TYPE.STANDARD_INFORMATION:
                print("=== STANDARD INFORMATION value")
                std_info = StandardInformation(attr.value(), 0, None)
                print(std_info.get_all_string())
            elif attr.type() == ATTR_TYPE.FILENAME_INFORMATION:
                print("=== FILENAME INFORMATION value")
                filename_info = FilenameAttribute(attr.value(), 0, None)
                print(filename_info.get_all_string())
def get_mft_record(self):
    """Return the ``MFTRecord`` parsed from the start of the MFT's cluster.

    The cluster is selected by the MFT LCN that ``self._vbr`` reports, and the
    record is built at offset 0 of it with ``inode=INODE_MFT``.
    """
    lcn = self._vbr.mft_lcn()
    # The 4096 multiplier feeds only this debug message.
    # NOTE(review): it looks like an assumed 4 KiB cluster size -- confirm.
    g_logger.debug("mft: %x", lcn * 4096)
    # NOTE(review): lcn is read from the image being analysed and is not
    # range-checked in this method -- confirm self._clusters rejects an
    # out-of-range index cleanly.
    return MFTRecord(self._clusters[lcn], 0, None, inode=INODE_MFT)