Documentation ¶
Overview ¶
Package mft provides functions to parse records and their attributes in an NTFS Master File Table ("MFT" for short).
Basic usage ¶
First parse a record using mft.ParseRecord(), which parses the record header and the attribute headers. Then parse each attribute's data individually using the various mft.Parse...() functions.
	// Error handling left out for brevity; b holds the raw bytes of one MFT record
	record, err := mft.ParseRecord(b)
	attrs := record.FindAttributes(mft.AttributeTypeFileName)
	fileName, err := mft.ParseFileName(attrs[0].Data)
Index ¶
- func ConvertFileTime(timeValue uint64) time.Time
- func DataRunsToFragments(runs []DataRun, bytesPerCluster int) []fragment.Fragment
- type Attribute
- type AttributeFlags
- type AttributeListEntry
- type AttributeType
- type CollationType
- type DataRun
- type FileAttribute
- type FileName
- type FileNameNamespace
- type FileReference
- type IndexEntry
- type IndexRoot
- type Record
- type RecordFlag
- type StandardInformation
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ConvertFileTime ¶
ConvertFileTime converts a Windows "file time" to a time.Time. A "file time" is a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC). See also: https://docs.microsoft.com/en-us/windows/win32/sysinfo/file-times
func DataRunsToFragments ¶
DataRunsToFragments transforms a list of DataRuns with relative offsets and lengths specified in clusters into a list of fragment.Fragment elements with absolute offsets and lengths specified in bytes (for example, for use in a fragment.Reader). Note that the data will probably not align exactly to a cluster boundary, so there may be some padding at the end. It is up to the user of the Fragments to limit reads to the actual data size (e.g. by using an io.LimitedReader, or by modifying the last element in the list to limit its length).
Types ¶
type Attribute ¶
type Attribute struct {
	Type          AttributeType
	Resident      bool
	Name          string
	Flags         AttributeFlags
	AttributeId   int
	AllocatedSize uint64
	ActualSize    uint64
	Data          []byte
}
Attribute represents an MFT record attribute header and its corresponding raw attribute Data (excluding header data). When the attribute is Resident, the Data contains the actual attribute's data. When the attribute is non-resident, the Data contains DataRuns pointing to the actual data. DataRun data can be parsed using ParseDataRuns().
func ParseAttribute ¶
ParseAttribute parses bytes into an Attribute. The data is assumed to be in Little Endian order. Only the attribute headers are parsed, not the actual attribute data.
func ParseAttributes ¶
ParseAttributes parses bytes into Attributes. The data is assumed to be in Little Endian order. Only the attribute headers are parsed, not the actual attribute data.
type AttributeFlags ¶
type AttributeFlags uint16
AttributeFlags represents a bit mask flag indicating various properties of an attribute's data.
const (
	AttributeFlagsCompressed AttributeFlags = 0x0001
	AttributeFlagsEncrypted  AttributeFlags = 0x4000
	AttributeFlagsSparse     AttributeFlags = 0x8000
)
Bit values for the AttributeFlags. For example, an encrypted, compressed attribute has value 0x4001.
func (*AttributeFlags) Is ¶
func (f *AttributeFlags) Is(c AttributeFlags) bool
Is checks if this AttributeFlags's bit mask contains the specified flag.
type AttributeListEntry ¶
type AttributeListEntry struct {
	Type                AttributeType
	Name                string
	StartingVCN         uint64
	BaseRecordReference FileReference
	AttributeId         uint16
}
AttributeListEntry represents an entry in an $ATTRIBUTE_LIST attribute. The Type indicates the attribute type, while the BaseRecordReference indicates which MFT record the attribute is located in (i.e. an "extension record", if it is not the same record as the one holding the $ATTRIBUTE_LIST).
func ParseAttributeList ¶
func ParseAttributeList(b []byte) ([]AttributeListEntry, error)
ParseAttributeList parses a $ATTRIBUTE_LIST attribute's data (type AttributeTypeAttributeList) into a list of AttributeListEntry. Note that no additional correctness checks are done, so it is up to the caller to ensure the passed data actually represents a $ATTRIBUTE_LIST attribute's data.
type AttributeType ¶
type AttributeType uint32
AttributeType represents the type of an Attribute. Use Name() to get the attribute type's name.
const (
	AttributeTypeStandardInformation AttributeType = 0x10       // $STANDARD_INFORMATION; always resident
	AttributeTypeAttributeList       AttributeType = 0x20       // $ATTRIBUTE_LIST; mixed residency
	AttributeTypeFileName            AttributeType = 0x30       // $FILE_NAME; always resident
	AttributeTypeObjectId            AttributeType = 0x40       // $OBJECT_ID; always resident
	AttributeTypeSecurityDescriptor  AttributeType = 0x50       // $SECURITY_DESCRIPTOR; always resident?
	AttributeTypeVolumeName          AttributeType = 0x60       // $VOLUME_NAME; always resident?
	AttributeTypeVolumeInformation   AttributeType = 0x70       // $VOLUME_INFORMATION; never resident?
	AttributeTypeData                AttributeType = 0x80       // $DATA; mixed residency
	AttributeTypeIndexRoot           AttributeType = 0x90       // $INDEX_ROOT; always resident
	AttributeTypeIndexAllocation     AttributeType = 0xa0       // $INDEX_ALLOCATION; never resident?
	AttributeTypeBitmap              AttributeType = 0xb0       // $BITMAP; nearly always resident?
	AttributeTypeReparsePoint        AttributeType = 0xc0       // $REPARSE_POINT; always resident?
	AttributeTypeEAInformation       AttributeType = 0xd0       // $EA_INFORMATION; always resident
	AttributeTypeEA                  AttributeType = 0xe0       // $EA; nearly always resident?
	AttributeTypePropertySet         AttributeType = 0xf0       // $PROPERTY_SET
	AttributeTypeLoggedUtilityStream AttributeType = 0x100      // $LOGGED_UTILITY_STREAM; always resident
	AttributeTypeTerminator          AttributeType = 0xFFFFFFFF // Indicates the last attribute in a list; will not actually be returned by ParseAttributes
)
Known values for AttributeType. Note that other values might occur too.
func (AttributeType) Name ¶
func (at AttributeType) Name() string
Name returns a string representation of the attribute type, for example "$STANDARD_INFORMATION" or "$FILE_NAME". For any unknown attribute type, Name returns "unknown".
type CollationType ¶
type CollationType uint32
CollationType indicates how the entries in an index should be ordered.
const (
	CollationTypeBinary            CollationType = 0x00000000
	CollationTypeFileName          CollationType = 0x00000001
	CollationTypeUnicodeString     CollationType = 0x00000002
	CollationTypeNtofsULong        CollationType = 0x00000010
	CollationTypeNtofsSid          CollationType = 0x00000011
	CollationTypeNtofsSecurityHash CollationType = 0x00000012
	CollationTypeNtofsUlongs       CollationType = 0x00000013
)
type DataRun ¶
A DataRun represents a fragment of data somewhere on a volume. The OffsetCluster, which can be negative, is relative to a previous DataRun's offset. The OffsetCluster of the first DataRun in a list is relative to the beginning of the volume.
func ParseDataRuns ¶
ParseDataRuns parses bytes into a list of DataRuns. Each DataRun's OffsetCluster is relative to the DataRun before it. The first element's OffsetCluster is relative to the beginning of the volume.
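The run-list decoding that ParseDataRuns performs, followed by the cluster-to-byte resolution that DataRunsToFragments performs, as an added example written for this page rather than taken from the mft package; DataRun, Fragment and the function names are this example's own stand-ins for the package's types, and the run-list bytes are constructed.

```go
package main

import "errors"

// DataRun and Fragment mirror the page's types; the field names are this example's own.
type DataRun struct {
	OffsetCluster int64  // relative to the previous run; the first run is relative to LCN 0
	LengthCluster uint64 // run length in clusters
}

type Fragment struct{ Offset, Length int64 } // absolute byte offset and length

// parseDataRuns decodes the NTFS run list: a header byte's low nibble sizes the length field,
// its high nibble sizes the signed relative offset field (both little-endian); 0x00 ends the list.
func parseDataRuns(b []byte) ([]DataRun, error) {
	var runs []DataRun
	for pos := 0; pos < len(b) && b[pos] != 0; {
		lenSize, offSize := int(b[pos]&0x0f), int(b[pos]>>4)
		if lenSize == 0 || lenSize > 8 || offSize > 8 || pos+1+lenSize+offSize > len(b) {
			return nil, errors.New("malformed data run header or truncated run list")
		}
		length := readLE(b[pos+1 : pos+1+lenSize])
		sh := 64 - 8*uint(offSize) // an arithmetic shift sign-extends the short offset field
		offset := int64(readLE(b[pos+1+lenSize:pos+1+lenSize+offSize])<<sh) >> sh
		runs = append(runs, DataRun{OffsetCluster: offset, LengthCluster: length})
		pos += 1 + lenSize + offSize
	}
	return runs, nil
}

// readLE reads up to 8 little-endian bytes as an unsigned value.
func readLE(b []byte) (v uint64) {
	for i := len(b) - 1; i >= 0; i-- {
		v = v<<8 | uint64(b[i])
	}
	return v
}

// dataRunsToFragments resolves relative cluster offsets into absolute byte ranges, as the page's DataRunsToFragments does.
func dataRunsToFragments(runs []DataRun, bytesPerCluster int64) (frags []Fragment) {
	var lcn int64 // running absolute cluster number
	for _, r := range runs {
		lcn += r.OffsetCluster
		frags = append(frags, Fragment{Offset: lcn * bytesPerCluster, Length: int64(r.LengthCluster) * bytesPerCluster})
	}
	return frags
}

// sampleRunList is a constructed run list (not a disk capture): 24 clusters at LCN 0x5634, then 16 clusters starting 16 clusters before that (offset byte 0xF0 = -16), then the terminator.
var sampleRunList = []byte{0x21, 0x18, 0x34, 0x56, 0x11, 0x10, 0xF0, 0x00}
```

A run whose offset field has size 0 is a sparse run in NTFS; it decodes here as a zero relative offset, so a production parser must flag such runs as unallocated instead of mapping them onto the previous run's location. The tail-padding caveat from DataRunsToFragments applies to the last fragment produced here as well.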
type FileAttribute ¶
type FileAttribute uint32
FileAttribute represents a bit mask of various file attributes.
const (
	FileAttributeReadOnly          FileAttribute = 0x0001
	FileAttributeHidden            FileAttribute = 0x0002
	FileAttributeSystem            FileAttribute = 0x0004
	FileAttributeArchive           FileAttribute = 0x0020
	FileAttributeDevice            FileAttribute = 0x0040
	FileAttributeNormal            FileAttribute = 0x0080
	FileAttributeTemporary         FileAttribute = 0x0100
	FileAttributeSparseFile        FileAttribute = 0x0200
	FileAttributeReparsePoint      FileAttribute = 0x0400
	FileAttributeCompressed        FileAttribute = 0x0800
	FileAttributeOffline           FileAttribute = 0x1000
	FileAttributeNotContentIndexed FileAttribute = 0x2000
	FileAttributeEncrypted         FileAttribute = 0x4000
)
Bit values for FileAttribute. For example, a normal, hidden file has value 0x0082.
func (*FileAttribute) Is ¶
func (a *FileAttribute) Is(c FileAttribute) bool
Is checks if this FileAttribute's bit mask contains the specified attribute value.
type FileName ¶
type FileName struct {
	ParentFileReference FileReference
	Creation            time.Time
	FileLastModified    time.Time
	MftLastModified     time.Time
	LastAccess          time.Time
	AllocatedSize       uint64
	ActualSize          uint64
	Flags               FileAttribute
	ExtendedData        uint32
	Namespace           FileNameNamespace
	Name                string
}
FileName represents the data of a $FILE_NAME attribute. ParentFileReference points to the MFT record that is the parent (i.e. the containing directory) of this file. The AllocatedSize and ActualSize may be zero, in which case the file size may be found in a $DATA attribute instead (it is also possible that ActualSize is zero while AllocatedSize holds a value).
func ParseFileName ¶
ParseFileName parses a $FILE_NAME attribute's data (type AttributeTypeFileName) into a FileName. Note that no additional correctness checks are done, so it is up to the caller to ensure the passed data actually represents a $FILE_NAME attribute's data.
type FileNameNamespace ¶
type FileNameNamespace byte
FileNameNamespace indicates the namespace of a $FILE_NAME attribute's file name.
const (
	FileNameNamespacePosix    FileNameNamespace = 0
	FileNameNamespaceWin32    FileNameNamespace = 1
	FileNameNamespaceDos      FileNameNamespace = 2
	FileNameNamespaceWin32Dos FileNameNamespace = 3
)
type FileReference ¶
A FileReference represents a reference to an MFT record. Since the FileReference in a Record is only 4 bytes, the RecordNumber will probably not exceed 32 bits.
func ParseFileReference ¶
func ParseFileReference(b []byte) (FileReference, error)
ParseFileReference parses a Little Endian ordered 8-byte slice into a FileReference. The first 6 bytes indicate the record number, while the final 2 bytes indicate the sequence number.
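How ConvertFileTime, the FileReference split just described and ParseFileName fit together when decoding a raw $FILE_NAME body, as an added example that is not the mft package's code; the on-disk layout follows the field order of the page's FileName struct, the helper names are this example's own, and the sample bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"time"
	"unicode/utf16"
)

// FileName keeps the $FILE_NAME fields this example decodes (a subset of the page's struct).
type FileName struct {
	ParentRecord, ParentSeq uint64 // split from the 8-byte parent FileReference
	Creation                time.Time
	Name                    string
}

// convertFileTime maps 100 ns ticks since 1601-01-01 UTC to time.Time; seconds are split off first because ticks*100 overflows int64.
func convertFileTime(ticks uint64) time.Time {
	const epochDiff = 11644473600 // seconds from 1601-01-01 to 1970-01-01
	return time.Unix(int64(ticks/1e7)-epochDiff, int64(ticks%1e7)*100).UTC()
}

// parseFileName decodes the fixed 66-byte $FILE_NAME header and the UTF-16LE name after it; the on-disk length byte is bounds-checked first.
func parseFileName(b []byte) (FileName, error) {
	if len(b) < 66 || len(b) < 66+2*int(b[64]) {
		return FileName{}, errors.New("$FILE_NAME data truncated")
	}
	ref := binary.LittleEndian.Uint64(b) // low 48 bits record number, high 16 bits sequence number
	u := make([]uint16, b[64])
	for i := range u {
		u[i] = binary.LittleEndian.Uint16(b[66+2*i:])
	}
	return FileName{
		ParentRecord: ref & 0xFFFFFFFFFFFF, ParentSeq: ref >> 48,
		Creation:     convertFileTime(binary.LittleEndian.Uint64(b[8:])),
		Name:         string(utf16.Decode(u)),
	}, nil
}

// sampleFileName is a constructed (not captured) $FILE_NAME body: parent record 5, sequence 1, created 1970-01-02T00:00:00Z, Win32 namespace, "hello.txt".
func sampleFileName() []byte {
	b := make([]byte, 66)
	binary.LittleEndian.PutUint64(b, 5|1<<48)
	binary.LittleEndian.PutUint64(b[8:], 116445600000000000)
	b[64], b[65] = 9, 1
	for _, c := range utf16.Encode([]rune("hello.txt")) {
		b = append(b, byte(c), byte(c>>8))
	}
	return b
}
```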
type IndexEntry ¶
type IndexEntry struct {
	FileReference FileReference
	Flags         uint32
	FileName      FileName
	SubNodeVCN    uint64
}
IndexEntry represents an entry in a B+tree index. Currently only $FILE_NAME attribute entries are supported. The FileReference points to the MFT record of the indexed file.
type IndexRoot ¶
type IndexRoot struct {
	AttributeType     AttributeType
	CollationType     CollationType
	BytesPerRecord    uint32
	ClustersPerRecord uint32
	Flags             uint32
	Entries           []IndexEntry
}
IndexRoot represents the data (header and entries) of an $INDEX_ROOT attribute, which is typically the root of a directory's B+tree index containing the directory's file names (but it could be used for other types of indices, too). The AttributeType is the type of the attributes contained in the entries (currently only $FILE_NAME attributes are supported).
func ParseIndexRoot ¶
ParseIndexRoot parses an $INDEX_ROOT attribute's data (type AttributeTypeIndexRoot) into an IndexRoot. Note that no additional correctness checks are done, so it is up to the caller to ensure the passed data actually represents an $INDEX_ROOT attribute's data.
type Record ¶
type Record struct {
	Signature             []byte
	FileReference         FileReference
	BaseRecordReference   FileReference
	LogFileSequenceNumber uint64
	HardLinkCount         int
	Flags                 RecordFlag
	ActualSize            uint32
	AllocatedSize         uint32
	NextAttributeId       int
	Attributes            []Attribute
}
A Record represents an MFT entry, excluding all technical data (such as "offset to first attribute"). The Attributes list only contains the attribute headers and raw data; the attribute data has to be parsed separately. When this is a base record, the BaseRecordReference will be zero. When it is an extension record, the BaseRecordReference points to the record's base record.
func ParseRecord ¶
ParseRecord parses bytes into a Record after applying fixup. The data is assumed to be in Little Endian order. Only the attribute headers are parsed, not the actual attribute data.
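The fixup step that ParseRecord applies before it reads any attribute header, as an added example and not the mft package's implementation: the update sequence number written into the last two bytes of every sector is verified and the original bytes restored, which is also how a torn (partially written) record is detected. applyFixup and sampleRecord are this example's names, it assumes 512-byte sectors, and the record bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// applyFixup undoes the NTFS update-sequence protection on one MFT record, in place.
// Offset 4 of the record header holds the offset of the update sequence array and offset 6
// its length in 16-bit words: the first word is the sequence number (USN), the remaining
// words are the original last two bytes of each sector, which the USN replaced on disk.
// Sector size is assumed to be 512 bytes here; a real parser takes it from the boot sector.
func applyFixup(rec []byte) error {
	if len(rec) < 8 || string(rec[:4]) != "FILE" {
		return errors.New("not an MFT record (missing FILE signature)")
	}
	usaOff := int(binary.LittleEndian.Uint16(rec[4:]))
	usaCount := int(binary.LittleEndian.Uint16(rec[6:]))
	// Both the array and the usaCount-1 sectors it protects must lie inside the record.
	if usaCount < 2 || usaOff+2*usaCount > len(rec) || (usaCount-1)*512 > len(rec) {
		return errors.New("update sequence array out of bounds")
	}
	usn := rec[usaOff : usaOff+2]
	for i := 1; i < usaCount; i++ {
		end := i*512 - 2 // last two bytes of sector i
		if rec[end] != usn[0] || rec[end+1] != usn[1] {
			return errors.New("fixup mismatch: sector was not fully written (torn record)")
		}
		copy(rec[end:end+2], rec[usaOff+2*i:usaOff+2*i+2])
	}
	return nil
}

// sampleRecord builds a constructed 1024-byte record (two sectors) as it would sit on disk:
// USN 0x0007 at the end of each sector, original bytes 0xAB 0xCD and 0x12 0x34 in the array.
func sampleRecord() []byte {
	rec := make([]byte, 1024)
	copy(rec, "FILE")
	binary.LittleEndian.PutUint16(rec[4:], 0x30) // update sequence array offset
	binary.LittleEndian.PutUint16(rec[6:], 3)    // 1 USN word + 2 sector words
	copy(rec[0x30:], []byte{0x07, 0x00, 0xAB, 0xCD, 0x12, 0x34})
	copy(rec[510:], []byte{0x07, 0x00})
	copy(rec[1022:], []byte{0x07, 0x00})
	return rec
}
```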
func (*Record) FindAttributes ¶
func (r *Record) FindAttributes(attrType AttributeType) []Attribute
FindAttributes returns all attributes of the specified type contained in this record. When no matches are found an empty slice is returned.
type RecordFlag ¶
type RecordFlag uint16
RecordFlag represents a bit mask flag indicating the status of the MFT record.
const (
	RecordFlagInUse       RecordFlag = 0x0001
	RecordFlagIsDirectory RecordFlag = 0x0002
	RecordFlagInExtend    RecordFlag = 0x0004
	RecordFlagIsIndex     RecordFlag = 0x0008
)
Bit values for the RecordFlag. For example, an in-use directory has value 0x0003.
func (*RecordFlag) Is ¶
func (f *RecordFlag) Is(c RecordFlag) bool
Is checks if this RecordFlag's bit mask contains the specified flag.
type StandardInformation ¶
type StandardInformation struct {
	Creation                time.Time
	FileLastModified        time.Time
	MftLastModified         time.Time
	LastAccess              time.Time
	FileAttributes          FileAttribute
	MaximumNumberOfVersions uint32
	VersionNumber           uint32
	ClassId                 uint32
	OwnerId                 uint32
	SecurityId              uint32
	QuotaCharged            uint64
	UpdateSequenceNumber    uint64
}
StandardInformation represents the data contained in a $STANDARD_INFORMATION attribute.
func ParseStandardInformation ¶
func ParseStandardInformation(b []byte) (StandardInformation, error)
ParseStandardInformation parses a $STANDARD_INFORMATION attribute's data (type AttributeTypeStandardInformation) into a StandardInformation. Note that no additional correctness checks are done, so it is up to the caller to ensure the passed data actually represents a $STANDARD_INFORMATION attribute's data.