rekall.plugins.filesystems.lznt1

Module lznt1

Decompression support for the LZNT1 compression algorithm.

Reference: http://msdn.microsoft.com/en-us/library/jj665697.aspx (2.5 LZNT1 Algorithm Details)

https://github.com/libyal/reviveit/ https://github.com/sleuthkit/sleuthkit/blob/develop/tsk/fs/ntfs.c

Functions

get_displacement(offset)
Calculate the displacement.

source code

decompress_data(cdata, logger=None)
Decompresses the data.

source code

Variables

DISPLACEMENT_TABLE = array('B', [0, 0, 0, 0, 0, 0, 0, 0, 0, 0,...

COMPRESSED_MASK = 32768

SIGNATURE_MASK = 12288

SIZE_MASK = 4095

TAG_MASKS = [1, 2, 4, 8, 16, 32, 64, 128]

__package__ = 'rekall.plugins.filesystems'

i = 7

x = 8191

Variables Details

DISPLACEMENT_TABLE

Value:

array('B', [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1
, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 3, 3, 
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3
, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4, 
4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4
, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4,
...