Package rekall :: Package plugins :: Package filesystems :: Module ntfs :: Class NTFS_ATTRIBUTE

Class NTFS_ATTRIBUTE


The NTFS attribute.

Nested Classes
  __metaclass__
Give each object a unique ID. (Inherited from rekall.obj.BaseObject)
Instance Methods

sign_extend(self, x, b)
Sign extend a value based on the number of bytes it should take.

DecodeAttribute(self)

RunList(self)
Decodes the runlist for this attribute.

GetData(self)
Returns the raw data of this object. (Inherited from rekall.obj.BaseObject)

SetMember(self, attr, value)
Write a value to a member. (Inherited from rekall.obj.Struct)

__comparator__(self, other, method) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__dir__(self)
Hide any members with _. (Inherited from rekall.obj.BaseObject)

__eq__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__format__(self, formatspec)
default object formatter (Inherited from rekall.obj.BaseObject)

__ge__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__getattr__(self, attr) (Inherited from rekall.obj.Struct)

__gt__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__hash__(self)
hash(x) (Inherited from rekall.obj.Struct)

__init__(self, members=None, struct_size=0, callable_members=None, **kwargs)
This must be instantiated with a dict of members. (Inherited from rekall.obj.Struct)

__int__(self)
Return our offset as an integer. (Inherited from rekall.obj.Struct)

__le__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__long__(self) (Inherited from rekall.obj.Struct)

__lt__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__ne__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__nonzero__(self)
This method is called when we test the truth value of an Object. (Inherited from rekall.obj.BaseObject)

__repr__(self)
repr(x) (Inherited from rekall.obj.Struct)

__str__(self)
str(x) (Inherited from rekall.obj.BaseObject)

__unicode__(self) (Inherited from rekall.obj.Struct)

cast(self, type_name=None, vm=None, **kwargs) (Inherited from rekall.obj.BaseObject)

deref(self, vm=None)
An alias for dereference - less to type. (Inherited from rekall.obj.BaseObject)

dereference(self, vm=None) (Inherited from rekall.obj.BaseObject)

is_valid(self) (Inherited from rekall.obj.BaseObject)

m(self, attr, allow_callable_attributes=False)
Fetch the member named by attr. (Inherited from rekall.obj.Struct)

multi_m(self, *args, **opts)
Retrieve a set of fields in order. (Inherited from rekall.obj.Struct)

preamble_size(self)
The number of bytes before the object which are part of the object. (Inherited from rekall.obj.Struct)

proxied(self) (Inherited from rekall.obj.BaseObject)

reference(self)
Produces a pointer to this object. (Inherited from rekall.obj.BaseObject)

v(self, vm=None)
When a struct is evaluated we just return our offset. (Inherited from rekall.obj.Struct)

walk_list(self, list_member, include_current=True, deref_as=None)
Walk a single linked list in this struct. (Inherited from rekall.obj.Struct)

write(self, value)
Function for writing the object back to disk. (Inherited from rekall.obj.BaseObject)

Inherited from object: __delattr__, __getattribute__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods
 
getproperties(cls)
Return all members that are intended to represent some data. (Inherited from rekall.obj.BaseObject)
Class Variables
  MASK = {0: 0, 1: 255, 2: 65535, 3: 16777215, 4: 4294967295, 5:...
  SIGN_BIT = {0: 0, 1: 128, 2: 32768, 3: 8388608, 4: 2147483648,...
  obj_name = <No name> (Inherited from rekall.obj.BaseObject)
  obj_parent = <No parent> (Inherited from rekall.obj.BaseObject)
  obj_producers = None
hash(x) (Inherited from rekall.obj.BaseObject)
Properties
  data
Returns an address space representing the data of this attribute.
  indices
Returns (usually 1) representation(s) of self usable as dict keys.
  owner_MFT
The MFT entry containing this entry.
  size
The size of this attribute's data.
  obj_end (Inherited from rekall.obj.BaseObject)
  obj_size (Inherited from rekall.obj.Struct)
  parents
Returns all the parents of this object. (Inherited from rekall.obj.BaseObject)

Inherited from object: __class__

Class Variable Details

MASK

Value:
{0: 0,
 1: 255,
 2: 65535,
 3: 16777215,
 4: 4294967295,
 5: 1099511627775,
 6: 281474976710655,
 7: 72057594037927935,
...

SIGN_BIT

Value:
{0: 0,
 1: 128,
 2: 32768,
 3: 8388608,
 4: 2147483648,
 5: 549755813888,
 6: 140737488355328,
 7: 36028797018963968,
...

Property Details

data

Returns an address space representing the data of this attribute.

Get Method:
unreachable.data(self) - Returns an address space representing the data of this attribute.

indices

Returns (usually 1) representation(s) of self usable as dict keys.

Using full base objects for indexing can be slow, especially with Structs. This method returns a representation of the object that is a suitable key - either the value of a primitive type, or the memory address of the more complex ones.

Get Method:
unreachable.indices(self)

owner_MFT

The MFT entry containing this entry.

Get Method:
unreachable.owner_MFT(self) - The MFT entry containing this entry.

size

The size of this attribute's data.

Get Method:
unreachable.size(self) - The size of this attribute's data.