
Module ntfs


This file implements support for parsing the NTFS filesystem in Rekall.

Select the ntfs profile together with an NTFS image; you might also need to
specify the --file_offset (or -o) parameter so the parser starts at the
partition's boot sector rather than at the beginning of the image.

$ rekal -v --profile ntfs -f ~/images/ntfs1-gen2.E01

[1] Default session 13:56:54> fls
 MFT   Seq           Created                  File Mod                   MFT Mod                   Access              Size    Filename
----- ----- ------------------------- ------------------------- ------------------------- ------------------------- ---------- --------
    4     4 2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000       36000 $AttrDef
    8     8 2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000           0 $BadClus
    6     6 2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000      126112 $Bitmap
    7     7 2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000        8192 $Boot
   11    11 2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000           0 $Extend
    2     2 2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000     4685824 $LogFile
    0     1 2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000  2008-12-31 22:44:02+0000       65536 $MFT
...

Classes
  Error
  ParseError
  NTFSParseError
  NTFSDetector
  INDEX_NODE_HEADER
  FixupAddressSpace: An address space to implement record fixup.
  RunListAddressSpace: An address space which is initialized from a runlist.
  MFT_ENTRY: An MFT entry.
  NTFS_BOOT_SECTOR: A class to parse and access the NTFS boot sector.
  NTFS_ATTRIBUTE: The NTFS attribute.
  STANDARD_INDEX_HEADER: The index header must manage its own fixups.
  NTFSProfile: A profile for the NTFS.
  NTFS: A class to manage the NTFS filesystem parser.
  NTFSPlugins: Base class for ntfs plugins.
  FileBaseCommandMixin: Mixin for commands which take filenames; delegates to inode commands.
  MFTPluginsMixin: A mixin for plugins which work on MFT entries.
  FStat: Print information by filename.
  IStat: Print information related to an MFT entry.
  FLS
  ILS: List files in an NTFS image.
  IDump: Dump a part of an MFT file.
  IExport: Extracts files from NTFS.
  TestIExport
  TestIStat
  TestFStat
  TestIDump
Variables
  FILE_FLAGS = {'ARCHIVE': 32, 'COMPRESSED': 2048, 'DEVICE': 64,...
  ntfs_vtypes = {'NTFS_BOOT_SECTOR': [512, {"oemname": [3, ["Str...
  __package__ = 'rekall.plugins.filesystems'
Variables Details

FILE_FLAGS

Value:
{'ARCHIVE': 32,
 'COMPRESSED': 2048,
 'DEVICE': 64,
 'ENCRYPTED': 16384,
 'HIDDEN': 2,
 'NORMAL': 128,
 'NOT_INDEXED': 8192,
 'OFFLINE': 4096,
...

ntfs_vtypes

Value:
{'ATTRIBUTE_LIST_ENTRY': [<function <lambda> at 0x7fafd09449b0>,
                          {'attribute': <function <lambda> at 0x7fafd0\
944aa0>,
                           'attribute_id': [24, ['byte']],
                           'length': [4, ['unsigned short int']],
                           'mftReference': [16,
                                            ['BitField',
                                             {'end_bit': 48, 'start_bi\
...