GoFor_MFT_Parser

package module

v0.0.0-...-8c9a74e Latest Latest Go to latest Published: Jun 12, 2019 License: MPL-2.0 Imports: 14 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/AlecRandazzo/Gofor-MFT-Parser

README ¶

GoFor-MFT-Parser

Work in progress...

Documentation ¶

Index ¶

func ConvertLittleEndianByteSliceToInt64(inBytes []byte) (outInt64 int64)
func ConvertLittleEndianByteSliceToUInt64(inBytes []byte) (outUint64 uint64)
func CreateDirectoryList(inboundBuffer *chan []byte, directoryListChannel *chan map[uint64]Directory, ...)
func ParseMFT(mftFilePath, outFileName string) (err error)
func ParseTimestamp(timestampBytes []byte) (timestamp string)
type AttributeInfo
type DataAttributes
type DataRun
type Directory
type DirectoryList
type FileNameAttributes
type FileNameFlags
type MappedDirectories
type MasterFileTableRecord
- func (mftRecord *MasterFileTableRecord) CheckForRecordHeader() (recordHeaderPresent bool)
- func (mftRecord *MasterFileTableRecord) GetAttributeList() (err error)
- func (mftRecord *MasterFileTableRecord) GetDataAttribute() (err error)
- func (mftRecord *MasterFileTableRecord) GetFileNameAttributes() (err error)
- func (mftRecord *MasterFileTableRecord) GetRecordHeader()
- func (mftRecord *MasterFileTableRecord) GetStandardInformationAttribute() (err error)
- func (mftRecord *MasterFileTableRecord) ParseMFTRecord() (err error)
- func (mftRecord *MasterFileTableRecord) QuickDirectoryCheck()
- func (mftRecord *MasterFileTableRecord) TrimMFTRecordSlackSpace()
type MftFile
- func (file *MftFile) BuildDirectoryTree() (err error)
- func (file *MftFile) CombineDirectoryInformation(directoryListChannel *chan map[uint64]Directory, ...)
- func (file MftFile) MftToCSV(outFileName string, waitgroup *sync.WaitGroup) (err error)
type NonResidentDataAttributes
type RawDataRun
type RawDataRunList
type RecordHeader
type ResidentDataAttributes
type StandardInformationAttributes

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func ConvertLittleEndianByteSliceToInt64 ¶

func ConvertLittleEndianByteSliceToInt64(inBytes []byte) (outInt64 int64)

Convert a byte slice to a little endian int64.

func ConvertLittleEndianByteSliceToUInt64 ¶

func ConvertLittleEndianByteSliceToUInt64(inBytes []byte) (outUint64 uint64)

Convert a byte slice to a little endian uint64.

func CreateDirectoryList ¶

func CreateDirectoryList(inboundBuffer *chan []byte, directoryListChannel *chan map[uint64]Directory, waitGroup *sync.WaitGroup)

Creates a list of directories from a channel of MFR record bytes.

func ParseMFT ¶

func ParseMFT(mftFilePath, outFileName string) (err error)

Parse an already extracted MFT and write the results to a file.

func ParseTimestamp ¶

func ParseTimestamp(timestampBytes []byte) (timestamp string)

Parse a byte slice containing a unix timestamp and convert it to a timestamp string.

Types ¶

type AttributeInfo ¶

type AttributeInfo struct {
	AttributeType  byte
	AttributeBytes []byte
}

type DataAttributes ¶

type DataAttributes struct {
	TotalSize                 uint8
	FlagResident              bool
	ResidentDataAttributes    ResidentDataAttributes
	NonResidentDataAttributes NonResidentDataAttributes
}

type DataRun ¶

type DataRun struct {
	AbsoluteOffset int64
	Length         int64
}

type Directory ¶

type Directory struct {
	DirectoryName      string
	ParentRecordNumber uint64
}

type DirectoryList ¶

type DirectoryList map[uint64]Directory

type FileNameAttributes ¶

type FileNameAttributes struct {
	FnCreated               string
	FnModified              string
	FnAccessed              string
	FnChanged               string
	FlagResident            bool
	FlagNamed               bool
	NamedSize               byte
	AttributeSize           uint32
	ParentDirRecordNumber   uint64
	ParentDirSequenceNumber uint16
	LogicalFileSize         uint64
	PhysicalFileSize        uint64
	FileNameFlags           FileNameFlags
	FileNameLength          byte
	FileNamespace           string
	FileName                string
}

type FileNameFlags ¶

type FileNameFlags struct {
	ReadOnly          bool
	Hidden            bool
	System            bool
	Archive           bool
	Device            bool
	Normal            bool
	Temporary         bool
	Sparse            bool
	Reparse           bool
	Compressed        bool
	Offline           bool
	NotContentIndexed bool
	Encrypted         bool
	Directory         bool
	IndexView         bool
}

type MappedDirectories ¶

type MappedDirectories map[uint64]string

type MasterFileTableRecord ¶

type MasterFileTableRecord struct {
	BytesPerCluster               int64
	RecordHeader                  RecordHeader
	StandardInformationAttributes StandardInformationAttributes
	FileNameAttributes            []FileNameAttributes
	DataAttributes                DataAttributes
	MftRecordBytes                []byte
	AttributeInfo                 []AttributeInfo
}

func (*MasterFileTableRecord) CheckForRecordHeader ¶

func (mftRecord *MasterFileTableRecord) CheckForRecordHeader() (recordHeaderPresent bool)

Verifies that the bytes receives is actually an MFT record. All MFT records start with "FILE0".

func (*MasterFileTableRecord) GetAttributeList ¶

func (mftRecord *MasterFileTableRecord) GetAttributeList() (err error)

Get MFT record attributes list.

func (*MasterFileTableRecord) GetDataAttribute ¶

func (mftRecord *MasterFileTableRecord) GetDataAttribute() (err error)

func (*MasterFileTableRecord) GetFileNameAttributes ¶

func (mftRecord *MasterFileTableRecord) GetFileNameAttributes() (err error)

func (*MasterFileTableRecord) GetRecordHeader ¶

func (mftRecord *MasterFileTableRecord) GetRecordHeader()

func (*MasterFileTableRecord) GetStandardInformationAttribute ¶

func (mftRecord *MasterFileTableRecord) GetStandardInformationAttribute() (err error)

func (*MasterFileTableRecord) ParseMFTRecord ¶

func (mftRecord *MasterFileTableRecord) ParseMFTRecord() (err error)

Parse the bytes of an MFT record

func (*MasterFileTableRecord) QuickDirectoryCheck ¶

func (mftRecord *MasterFileTableRecord) QuickDirectoryCheck()

Quickly checks the bytes of an MFT record to determine if it is a Directory or not.

func (*MasterFileTableRecord) TrimMFTRecordSlackSpace ¶

func (mftRecord *MasterFileTableRecord) TrimMFTRecordSlackSpace()

Trims off slack space after end sequence 0xffffffff

type MftFile ¶

type MftFile struct {
	FileHandle        *os.File
	MappedDirectories map[uint64]string
	OutputChannel     chan MasterFileTableRecord
}

func (*MftFile) BuildDirectoryTree ¶

func (file *MftFile) BuildDirectoryTree() (err error)

Builds a list of directories for the purpose of of mapping MFT records to their parent directories.

func (*MftFile) CombineDirectoryInformation ¶

func (file *MftFile) CombineDirectoryInformation(directoryListChannel *chan map[uint64]Directory, waitForDirectoryCombination *sync.WaitGroup)

Combines a running list of directories from a channel in order to create the systems Directory trees.

func (MftFile) MftToCSV ¶

func (file MftFile) MftToCSV(outFileName string, waitgroup *sync.WaitGroup) (err error)

type NonResidentDataAttributes ¶

type NonResidentDataAttributes struct {
	StartingVCN   int
	EndingVCN     int
	OffsetDataRun int8
	AllocatedSize uint64
	RealSize      uint64
	DataRuns      map[int]DataRun
}

type RawDataRun ¶

type RawDataRun struct {
	NumberOrder      int
	ClusterOffset    int64
	NumberOfClusters int64
}

type RawDataRunList ¶

type RawDataRunList map[int]RawDataRun

type RecordHeader ¶

type RecordHeader struct {
	AttributesOffset uint16
	RecordNumber     uint32
	FlagDeleted      bool
	FlagDirectory    bool
}

type ResidentDataAttributes ¶

type ResidentDataAttributes struct {
	ResidentData []byte
}

type StandardInformationAttributes ¶

type StandardInformationAttributes struct {
	SiCreated    string
	SiModified   string
	SiAccessed   string
	SiChanged    string
	FlagResident bool
}

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
cmd
gofor-mft-parser

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL