Documentation ¶
Index ¶
- func ParseMFT(inputFile *os.File, writer ResultWriter, streamer io.Writer, ...)
- func ParseMftRecords(reader io.Reader, bytesPerCluster int64, directoryTree DirectoryTree, ...)
- type CsvResultWriter
- type DataAttribute
- type DataRun
- type DataRuns
- type DirectoryTree
- type FileNameAttribute
- type FileNameAttributes
- type FileNameFlags
- type MasterFileTableRecord
- type NonResidentDataAttribute
- type RawAttributes
- type RawDataAttribute
- type RawDataRuns
- type RawFileNameAttribute
- type RawFilenameFlags
- type RawFilenameNameSpaceFlag
- type RawMasterFileTableRecord
- func (rawMftRecord RawMasterFileTableRecord) GetRawAttributes(recordHeader RecordHeader) (rawAttributes RawAttributes, err error)
- func (rawMftRecord RawMasterFileTableRecord) GetRawRecordHeader() (rawRecordHeader RawRecordHeader, err error)
- func (rawMftRecord RawMasterFileTableRecord) IsThisADirectory() (result bool, err error)
- func (rawMftRecord RawMasterFileTableRecord) IsThisAnMftRecord() (result bool, err error)
- func (rawMftRecord RawMasterFileTableRecord) Parse(bytesPerCluster int64) (mftRecord MasterFileTableRecord, err error)
- type RawNonResidentDataAttribute
- type RawRecordHeader
- type RawRecordHeaderFlag
- type RawResidencyFlag
- type RawResidentDataAttribute
- type RawStandardInformationAttribute
- type RecordHeader
- type RecordHeaderFlags
- type ResidentDataAttribute
- type ResultWriter
- type StandardInformationAttribute
- type UnresolvedDirectoryTree
- type UsefulMftFields
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ParseMFT ¶
Takes an input file os.File and writes the results to the io.Writer. The format of the data sent to the io.Writer is dependent on what ResultWriter is used. The bytes per cluster input is typically 4096
func ParseMftRecords ¶
func ParseMftRecords(reader io.Reader, bytesPerCluster int64, directoryTree DirectoryTree, outputChannel *chan UsefulMftFields)
Parses a stream of mft record bytes and sends the results to an output channel. Records from this output channel are popped off by the ResultWriter used in the ParseMFT() method.
Types ¶
type CsvResultWriter ¶
type CsvResultWriter struct{}
Receiver used with the ResultWriter method that would write the csv results to csv.
func (*CsvResultWriter) ResultWriter ¶
func (csvResultWriter *CsvResultWriter) ResultWriter(streamer io.Writer, outputChannel *chan UsefulMftFields, waitGroup *sync.WaitGroup)
This method that would write the csv results to csv.
type DataAttribute ¶
type DataAttribute struct { TotalSize uint8 FlagResident bool ResidentDataAttribute ResidentDataAttribute NonResidentDataAttribute NonResidentDataAttribute }
Contains information about a parsed data attribute.
type DataRun ¶
Contains a parsed data run which contains the absolute offset of where the data run resides in the volume and the length of the data run.
type DirectoryTree ¶
Contains a directory tree.
func BuildDirectoryTree ¶
func BuildDirectoryTree(reader io.Reader) (directoryTree DirectoryTree, err error)
Takes an MFT and creates a directory tree where the slice keys are the mft record number of the directory. This record number is importable because files will reference it as its parent mft record number.
type FileNameAttribute ¶
type FileNameAttribute struct { FnCreated time.Time FnModified time.Time FnAccessed time.Time FnChanged time.Time ParentDirRecordNumber uint64 LogicalFileSize uint64 PhysicalFileSize uint64 FileNameFlags FileNameFlags FileNamespace string FileName string // contains filtered or unexported fields }
Contains information about a filename attribute.
type FileNameAttributes ¶
type FileNameAttributes []FileNameAttribute
Slice that contains a list of filename attributes.
type FileNameFlags ¶
type FileNameFlags struct { ReadOnly bool Hidden bool System bool Archive bool Device bool Normal bool Temporary bool Sparse bool Reparse bool Compressed bool Offline bool NotContentIndexed bool Encrypted bool Directory bool IndexView bool }
Contains possible filename flags a file may have.
type MasterFileTableRecord ¶
type MasterFileTableRecord struct { RecordHeader RecordHeader StandardInformationAttributes StandardInformationAttribute FileNameAttributes []FileNameAttribute DataAttribute DataAttribute }
Contains information on a parsed MFT record
type NonResidentDataAttribute ¶
type NonResidentDataAttribute struct {
DataRuns DataRuns
}
Alias for a parsed non-resident data attribute.
type RawAttributes ¶
type RawAttributes []rawAttribute
Slice of rawAttribute []byte aliases. Used primarily as a method receiver for the parse() method. See here for a handy list of attributes: https://flatcap.org/linux-ntfs/ntfs/attributes/index.html
func (RawAttributes) Parse ¶
func (rawAttributes RawAttributes) Parse(bytesPerCluster int64) (fileNameAttributes FileNameAttributes, standardInformationAttribute StandardInformationAttribute, dataAttribute DataAttribute, err error)
Parses a slice of raw attributes and returns its filename, standard information, and dat attributes. It takes an argument for bytes per cluster (typically 4096) which is used for computing data run information in a data attributes.
type RawDataAttribute ¶
type RawDataAttribute []byte
Alias for a raw data attribute. Used as a receiver to the parse() method.
func (RawDataAttribute) Parse ¶
func (rawDataAttribute RawDataAttribute) Parse(bytesPerCluster int64) (nonResidentDataAttribute NonResidentDataAttribute, residentDataAttribute ResidentDataAttribute, err error)
Parses the raw data attribute receiver and returns a non resident data attribute or a resident data attribute. The bytes per cluster argument is used to calculate data run information.
type RawDataRuns ¶
type RawDataRuns []byte
Alias for a raw data runs. Used as a receiver to the parse() method. See this for more details on data runs: https://flatcap.org/linux-ntfs/ntfs/concepts/data_runs.html
type RawFileNameAttribute ¶
type RawFileNameAttribute []byte
[]byte alias for raw filename attribute. Used with the Parse() method.
func (RawFileNameAttribute) Parse ¶
func (rawFileNameAttribute RawFileNameAttribute) Parse() (filenameAttribute FileNameAttribute, err error)
Parses the raw filename attribute receiver and returns a parsed filename attribute.
type RawFilenameFlags ¶
type RawFilenameFlags []byte
[]byte alias for raw filename flags. Used with the Parse() method.
func (RawFilenameFlags) Parse ¶
func (flagBytes RawFilenameFlags) Parse() (fileNameFlags FileNameFlags)
Parses the raw filename flags receiver and returns filename flags.
type RawFilenameNameSpaceFlag ¶
type RawFilenameNameSpaceFlag byte
byte alias for raw filename namespace flag. Used with the Parse() method.
func (RawFilenameNameSpaceFlag) Parse ¶
func (fileNamespaceFlag RawFilenameNameSpaceFlag) Parse() (fileNameSpace string)
Parses the raw file namespace flag receiver and returns a file namespace value.
type RawMasterFileTableRecord ¶
type RawMasterFileTableRecord []byte
[]byte alias for raw mft record. Used with the Parse() method.
func (RawMasterFileTableRecord) GetRawAttributes ¶
func (rawMftRecord RawMasterFileTableRecord) GetRawAttributes(recordHeader RecordHeader) (rawAttributes RawAttributes, err error)
Returns the attribute bytes from an unparsed mft record which is the method receiver. It takes recordHeader as an argument since the record header contains the offset for the start of the attributes.
func (RawMasterFileTableRecord) GetRawRecordHeader ¶
func (rawMftRecord RawMasterFileTableRecord) GetRawRecordHeader() (rawRecordHeader RawRecordHeader, err error)
Gets the raw record header from a raw mft record receiver.
func (RawMasterFileTableRecord) IsThisADirectory ¶
func (rawMftRecord RawMasterFileTableRecord) IsThisADirectory() (result bool, err error)
Quickly checks the bytes of an MFT record to determine if it is a directory or not.
func (RawMasterFileTableRecord) IsThisAnMftRecord ¶
func (rawMftRecord RawMasterFileTableRecord) IsThisAnMftRecord() (result bool, err error)
Quick check to see if the raw mft record receiver is a valid mft record.
func (RawMasterFileTableRecord) Parse ¶
func (rawMftRecord RawMasterFileTableRecord) Parse(bytesPerCluster int64) (mftRecord MasterFileTableRecord, err error)
Parses the raw MFT record receiver and returns a parsed mft record.
type RawNonResidentDataAttribute ¶
type RawNonResidentDataAttribute []byte
Alias for a raw nonresident data attribute. Used as a receiver to the parse() method.
func (RawNonResidentDataAttribute) Parse ¶
func (rawNonResidentDataAttribute RawNonResidentDataAttribute) Parse(bytesPerCluster int64) (nonResidentDataAttributes NonResidentDataAttribute, err error)
Parses the raw non resident data attribute receiver and returns a non resident data attribute. The bytes per cluster argument is used to calculate data run information.
type RawRecordHeader ¶
type RawRecordHeader []byte
[]byte alias for raw record header. Used with the Parse() method.
func (RawRecordHeader) GetRawRecordHeaderFlags ¶
func (rawRecordHeader RawRecordHeader) GetRawRecordHeaderFlags() (rawRecordHeaderFlag RawRecordHeaderFlag, err error)
Parses the raw filename attribute receiver and returns the raw record header flags.
func (RawRecordHeader) Parse ¶
func (rawRecordHeader RawRecordHeader) Parse() (recordHeader RecordHeader, err error)
Parses the raw record header receiver and returns a record header.
type RawRecordHeaderFlag ¶
type RawRecordHeaderFlag byte
byte alias for raw record header flag. Used with the Parse() method.
func (RawRecordHeaderFlag) Parse ¶
func (rawRecordHeaderFlag RawRecordHeaderFlag) Parse() (recordHeaderFlags RecordHeaderFlags)
Parses the raw record header flag receiver and returns record header flags.
type RawResidencyFlag ¶
type RawResidencyFlag byte
byte alias for raw residency flag. Used with the Parse() method.
func (RawResidencyFlag) Parse ¶
func (byteToCheck RawResidencyFlag) Parse() (flagResidency bool)
Parses the raw residency flag receiver and returns a flag residency value.
type RawResidentDataAttribute ¶
type RawResidentDataAttribute []byte
Alias for a raw resident data attribute. Used as a receiver to the parse() method. We don't really do anything this this currently.
func (RawResidentDataAttribute) Parse ¶
func (rawResidentDataAttribute RawResidentDataAttribute) Parse() (residentDataAttribute ResidentDataAttribute, err error)
Parses the raw resident data attribute receiver and returns the resident data attribute bytes.
type RawStandardInformationAttribute ¶
type RawStandardInformationAttribute []byte
[]byte alias for raw standard information attribute. Used with the Parse() method.
func (RawStandardInformationAttribute) Parse ¶
func (rawStandardInformationAttribute RawStandardInformationAttribute) Parse() (standardInformationAttribute StandardInformationAttribute, err error)
Parses the raw standard information attribute receiver and returns a parsed standard information attribute.
type RecordHeader ¶
type RecordHeader struct { AttributesOffset uint16 RecordNumber uint32 Flags RecordHeaderFlags }
Contains parsed record header values.
type RecordHeaderFlags ¶
Contains parsed record header flag values.
type ResultWriter ¶
type ResultWriter interface {
ResultWriter(streamer io.Writer, outputChannel *chan UsefulMftFields, waitGroup *sync.WaitGroup)
}
Interface for result writers to allow for output format extensibility.
type StandardInformationAttribute ¶
type StandardInformationAttribute struct { SiCreated time.Time SiModified time.Time SiAccessed time.Time SiChanged time.Time FlagResident bool }
Contains information from a parsed standard information attribute.
type UnresolvedDirectoryTree ¶
type UnresolvedDirectoryTree map[uint64]directory
Contains a slice of directories that need to be joined to create a directory tree.
func BuildUnresolvedDirectoryTree ¶
func BuildUnresolvedDirectoryTree(reader io.Reader) (unresolvedDirectoryTree UnresolvedDirectoryTree, err error)
Takes an MFT and does a first pass to find all the directories listed in it. These will form an unresolved directory tree that need to be stitched together.
func (UnresolvedDirectoryTree) Resolve ¶ added in v0.2.0
func (unresolvedDirectoryTree UnresolvedDirectoryTree) Resolve() (directoryTree DirectoryTree)
Combines a running list of directories from a channel in order to create the systems directory trees.
type UsefulMftFields ¶
type UsefulMftFields struct { RecordNumber uint32 `json:"RecordNumber,number"` FilePath string `json:"FilePath,string"` FullPath string `json:"FullPath,string"` FileName string `json:"FileName,string"` SystemFlag bool `json:"SystemFlag,bool"` HiddenFlag bool `json:"HiddenFlag,bool"` ReadOnlyFlag bool `json:"ReadOnlyFlag,bool"` DirectoryFlag bool `json:"DirectoryFlag,bool"` DeletedFlag bool `json:"DeletedFlag,bool"` FnCreated time.Time `json:"FnCreated"` FnModified time.Time `json:"FnModified"` FnAccessed time.Time `json:"FnAccessed"` FnChanged time.Time `json:"FnChanged"` SiCreated time.Time `json:"SiCreated"` SiModified time.Time `json:"SiModified"` SiAccessed time.Time `json:"SiAccessed"` SiChanged time.Time `json:"SiChanged"` PhysicalFileSize uint64 `json:"PhysicalFileSize,number"` }
Contains a downselected list of fields that are actually valuable to an analyst. This is the data that is written after parsing an MFT.
func GetUsefulMftFields ¶
func GetUsefulMftFields(mftRecord MasterFileTableRecord, directoryTree DirectoryTree) (useFulMftFields UsefulMftFields)
This method will pull out and return just the MFT record fields that are useful to an analyst.