Exemplo n.º 1
0
 def get_mft_buffer(self):
     mft_lcn = self._vbr.mft_lcn()
     g_logger.debug("mft: %x", mft_lcn * 4096)
     mft_chunk = self._clusters[mft_lcn]
     mft_record = MFTRecord(mft_chunk, 0, None, inode=INODE_MFT)
     mft_data_attribute = mft_record.data_attribute()
     return self.get_attribute_data(mft_data_attribute)
Exemplo n.º 2
0
 def get_mft_buffer(self):
     mft_lcn = self._vbr.mft_lcn()
     g_logger.debug("mft: %x", mft_lcn * 4096)
     mft_chunk = self._clusters[mft_lcn]
     mft_record = MFTRecord(mft_chunk, 0, None, inode=INODE_MFT)
     mft_data_attribute = mft_record.data_attribute()
     return self.get_attribute_data(mft_data_attribute)
Exemplo n.º 3
0
 def get_mftmirr_buffer(self):
     g_logger.debug("mft mirr: %s", hex(self._vbr.mftmirr_lcn() * 4096))
     mftmirr_chunk = self._clusters[self._vbr.mftmirr_lcn()]
     mftmirr_mft_record = MFTRecord(mftmirr_chunk,
                                    INODE_MFTMIRR * MFT_RECORD_SIZE,
                                    None,
                                    inode=INODE_MFTMIRR)
     mftmirr_data_attribute = mftmirr_mft_record.data_attribute()
     return self.get_attribute_data(mftmirr_data_attribute)
Exemplo n.º 4
0
def main(record_filename):
    logging.basicConfig(level=logging.DEBUG)
    #logging.getLogger("ntfs.mft").setLevel(logging.INFO)

    with Mmap(record_filename) as buf:
        record = MFTRecord(buf, 0, None)
        print("=== MFT Record Header")
        print(record.get_all_string())

        for attribute in record.attributes():
            print("=== Attribute Header (type: {:s}) at offset {:s}".format(
                Attribute.TYPES[attribute.type()], hex(attribute.offset())))
            print(attribute.get_all_string())

            if attribute.type() == ATTR_TYPE.STANDARD_INFORMATION:
                print("=== STANDARD INFORMATION value")
                si = StandardInformation(attribute.value(), 0, None)
                print(si.get_all_string())

            elif attribute.type() == ATTR_TYPE.FILENAME_INFORMATION:
                print("=== FILENAME INFORMATION value")
                fn = FilenameAttribute(attribute.value(), 0, None)
                print(fn.get_all_string())
Exemplo n.º 5
0
def main(record_filename):
    logging.basicConfig(level=logging.DEBUG)
    #logging.getLogger("ntfs.mft").setLevel(logging.INFO)

    with Mmap(record_filename) as buf:
        record = MFTRecord(buf, 0, None)
        print("=== MFT Record Header")
        print(record.get_all_string())

        for attribute in record.attributes():
            print("=== Attribute Header (type: {:s}) at offset {:s}".format(
                Attribute.TYPES[attribute.type()],
                hex(attribute.offset())))
            print(attribute.get_all_string())

            if attribute.type() == ATTR_TYPE.STANDARD_INFORMATION:
                print("=== STANDARD INFORMATION value")
                si = StandardInformation(attribute.value(), 0, None)
                print(si.get_all_string())

            elif attribute.type() == ATTR_TYPE.FILENAME_INFORMATION:
                print("=== FILENAME INFORMATION value")
                fn = FilenameAttribute(attribute.value(), 0, None)
                print(fn.get_all_string())
Exemplo n.º 6
0
 def get_mft_record(self):
     mft_lcn = self._vbr.mft_lcn()
     g_logger.debug("mft: %x", mft_lcn * 4096)
     mft_chunk = self._clusters[mft_lcn]
     mft_record = MFTRecord(mft_chunk, 0, None, inode=INODE_MFT)
     return mft_record
Exemplo n.º 7
0
 def get_mftmirr_buffer(self):
     g_logger.debug("mft mirr: %s", hex(self._vbr.mftmirr_lcn() * 4096))
     mftmirr_chunk = self._clusters[self._vbr.mftmirr_lcn()]
     mftmirr_mft_record = MFTRecord(mftmirr_chunk, INODE_MFTMIRR * MFT_RECORD_SIZE, None, inode=INODE_MFTMIRR)
     mftmirr_data_attribute = mftmirr_mft_record.data_attribute()
     return self.get_attribute_data(mftmirr_data_attribute)