File System related plugins

cc

A mixin for those plugins requiring a physical address space.

Args:

physical_address_space: The physical address space to use. If not specified, we use the following options:

1) session.physical_address_space,

2) Guess using the load_as() plugin,

3) Use session.kernel_address_space.base.

Plugin Arguments

partition_number

The partition to switch to. (type: IntParser)

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

fls

A mixin for those plugins requiring a physical address space.

Args:

physical_address_space: The physical address space to use. If not specified, we use the following options:

1) session.physical_address_space,

2) Guess using the load_as() plugin,

3) Use session.kernel_address_space.base.

Plugin Arguments

dir_path

Directory path whose contents are printed. (type: String)

  • Default: /

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

idump

Dump a part of an MFT file.

Plugin Arguments

id

Id of attribute to dump. (type: IntParser)

mft

MFT entry to dump. (type: IntParser)

  • Default: 5

type

Attribute type to dump. (type: IntParser)

  • Default: 128

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

iexport

Extracts files from NTFS.

For each specified MFT entry, dump the file to the specified dump directory. The filename is taken as the longest filename of this MFT entry.

Plugin Arguments

dump_dir

Path suitable for dumping files. (type: String)

id

Id of attribute to dump. (type: IntParser)

mft

MFT entry to dump. (type: IntParser)

  • Default: 5

type

Attribute type to dump. (type: IntParser)

  • Default: 128

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

ils

List files in an NTFS image.

Plugin Arguments

mfts

MFT entries to list. (type: ArrayIntParser)

  • Default: 5

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

mmls

A mixin for those plugins requiring a physical address space.

Args:

physical_address_space: The physical address space to use. If not specified, we use the following options:

1) session.physical_address_space,

2) Guess using the load_as() plugin,

3) Use session.kernel_address_space.base.

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1