Package rekall :: Package plugins :: Package filesystems :: Module ntfs :: Class MFT_ENTRY

Class MFT_ENTRY


An MFT Entry.

Note that MFT entries behave as either files or directories depending on the attributes they have. This object wraps this behavior with convenience methods. Hence callers do not need to manipulate attributes directly.

Nested Classes
  __metaclass__
    Give each object a unique ID. (Inherited from rekall.obj.BaseObject)

Instance Methods
  __init__(self, **kwargs)
    This must be instantiated with a dict of members.
  get_attribute(self, type=None, id=None)
  is_directory(self)
    Does this MFT entry behave as a directory?
  list_files(self)
    List the files contained in this directory.
  open_file(self)
    Returns an address space which maps the content of the file's data.
  GetData(self)
    Returns the raw data of this object. (Inherited from rekall.obj.BaseObject)
  SetMember(self, attr, value)
    Write a value to a member. (Inherited from rekall.obj.Struct)
  __comparator__(self, other, method)
    (Inherited from rekall.obj.BaseAddressComparisonMixIn)
  __dir__(self)
    Hide any members with _. (Inherited from rekall.obj.BaseObject)
  __eq__(self, other)
    (Inherited from rekall.obj.BaseAddressComparisonMixIn)
  __format__(self, formatspec)
    default object formatter (Inherited from rekall.obj.BaseObject)
  __ge__(self, other)
    (Inherited from rekall.obj.BaseAddressComparisonMixIn)
  __getattr__(self, attr)
    (Inherited from rekall.obj.Struct)
  __gt__(self, other)
    (Inherited from rekall.obj.BaseAddressComparisonMixIn)
  __hash__(self)
    hash(x) (Inherited from rekall.obj.Struct)
  __int__(self)
    Return our offset as an integer. (Inherited from rekall.obj.Struct)
  __le__(self, other)
    (Inherited from rekall.obj.BaseAddressComparisonMixIn)
  __long__(self)
    (Inherited from rekall.obj.Struct)
  __lt__(self, other)
    (Inherited from rekall.obj.BaseAddressComparisonMixIn)
  __ne__(self, other)
    (Inherited from rekall.obj.BaseAddressComparisonMixIn)
  __nonzero__(self)
    This method is called when we test the truth value of an Object. (Inherited from rekall.obj.BaseObject)
  __repr__(self)
    repr(x) (Inherited from rekall.obj.Struct)
  __str__(self)
    str(x) (Inherited from rekall.obj.BaseObject)
  __unicode__(self)
    (Inherited from rekall.obj.Struct)
  cast(self, type_name=None, vm=None, **kwargs)
    (Inherited from rekall.obj.BaseObject)
  deref(self, vm=None)
    An alias for dereference - less to type. (Inherited from rekall.obj.BaseObject)
  dereference(self, vm=None)
    (Inherited from rekall.obj.BaseObject)
  is_valid(self)
    (Inherited from rekall.obj.BaseObject)
  m(self, attr, allow_callable_attributes=False)
    Fetch the member named by attr. (Inherited from rekall.obj.Struct)
  multi_m(self, *args, **opts)
    Retrieve a set of fields in order. (Inherited from rekall.obj.Struct)
  preamble_size(self)
    The number of bytes before the object which are part of the object. (Inherited from rekall.obj.Struct)
  proxied(self)
    (Inherited from rekall.obj.BaseObject)
  reference(self)
    Produces a pointer to this object. (Inherited from rekall.obj.BaseObject)
  v(self, vm=None)
    When a struct is evaluated we just return our offset. (Inherited from rekall.obj.Struct)
  walk_list(self, list_member, include_current=True, deref_as=None)
    Walk a single linked list in this struct. (Inherited from rekall.obj.Struct)
  write(self, value)
    Function for writing the object back to disk (Inherited from rekall.obj.BaseObject)

Inherited from object: __delattr__, __getattribute__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods
  getproperties(cls)
    Return all members that are intended to represent some data. (Inherited from rekall.obj.BaseObject)

Class Variables
  obj_name = <No name> (Inherited from rekall.obj.BaseObject)
  obj_parent = <No parent> (Inherited from rekall.obj.BaseObject)
  obj_producers = None
    hash(x) (Inherited from rekall.obj.BaseObject)

Properties
  mft_entry
  attributes
  filename
  full_path
    Returns the full path of this MFT to the root.
  data_size
    Search all the $DATA attributes for the allocated size.
  indices
    Returns (usually 1) representation(s) of self usable as dict keys. (Inherited from rekall.obj.Struct)
  obj_end (Inherited from rekall.obj.BaseObject)
  obj_size (Inherited from rekall.obj.Struct)
  parents
    Returns all the parents of this object. (Inherited from rekall.obj.BaseObject)

Inherited from object: __class__

Method Details

__init__(self, **kwargs)
(Constructor)

This must be instantiated with a dict of members. The keys
are the offsets, the values are Curried Object classes that
will be instantiated when accessed.

Args:
   members: A dict of callables to use for retrieving each member. (Key
     is member name, value is a callable). Normally these are populated
     by the profile system.

   struct_size: The size of this struct if known (Can be None).

Overrides: object.__init__
(inherited documentation)

list_files(self)

List the files contained in this directory.

Note that any file can contain other files (i.e. be a directory) if it
has an $I30 stream. That is, directories may also contain data and
behave as files!

Returns:
  An iterator over all INDEX_RECORD_ENTRY.

open_file(self)

Returns an address space which maps the content of the file's data.

If this MFT does not contain any $DATA streams, returns a NoneObject().

The returned address space is formed by joining all $DATA streams' run lists in this MFT into a contiguous mapping.
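
The run-list joining described above, as an added stand-alone Python 3 example (not Rekall's own code, and going one step further than the text by also decoding the on-disk run-list bytes). The names decode_runlist, build_mapping and translate, the 4096-byte cluster size and the sample bytes are assumptions made for illustration.

```python
CLUSTER_SIZE = 4096  # assumption: 4 KiB clusters; read the real value from the boot sector


def decode_runlist(buf):
    """Yield (lcn, clusters) per run; lcn is None for a sparse run."""
    pos, lcn = 0, 0
    while pos < len(buf) and buf[pos] != 0:  # a 0x00 header ends the list
        len_size, off_size = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(buf):
            raise ValueError("malformed run header at byte %d" % (pos - 1))
        count = int.from_bytes(buf[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:  # no offset field: sparse run, nothing on disk
            yield None, count
            continue
        # Offsets are signed deltas from the previous non-sparse run's LCN.
        lcn += int.from_bytes(buf[pos:pos + off_size], "little", signed=True)
        pos += off_size
        if lcn < 0:
            raise ValueError("run points before the start of the volume")
        yield lcn, count


def build_mapping(runlists, cluster_size=CLUSTER_SIZE):
    """Join the runs of every stream into (file_off, disk_off, length) tuples."""
    mapping, file_off = [], 0
    for runlist in runlists:
        for lcn, count in decode_runlist(runlist):
            length = count * cluster_size
            disk_off = None if lcn is None else lcn * cluster_size
            mapping.append((file_off, disk_off, length))
            file_off += length
    return mapping


def translate(mapping, offset):
    """Volume offset backing a file offset, or None if sparse or out of range."""
    for file_off, disk_off, length in mapping:
        if file_off <= offset < file_off + length:
            return None if disk_off is None else disk_off + offset - file_off
    return None


# Constructed sample run list: 0x18 clusters at LCN 0x5634, a 4-cluster
# sparse run, then 8 clusters at LCN 0x5634 - 0x100 (negative delta).
SAMPLE_RUNLIST = bytes.fromhex("211834560104210800ff00")
MAPPING = build_mapping([SAMPLE_RUNLIST])
```

Sparse runs map to None rather than to a disk offset, so a reader built on this mapping should return zeros for those ranges instead of reading whatever happens to sit at volume offset 0.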


Property Details

mft_entry

Get Method:
unreachable.mft_entry(self)

attributes

Get Method:
unreachable.attributes(self)

filename

Get Method:
unreachable.filename(self)

full_path

Returns the full path of this MFT to the root.

Get Method:
unreachable.full_path(self) - Returns the full path of this MFT to the root.

data_size

Search all the $DATA attributes for the allocated size.

Get Method:
unreachable.data_size(self) - Search all the $DATA attributes for the allocated size.