GoFor_MFT_Parser

package module
v0.2.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 12, 2019 License: MPL-2.0 Imports: 12 Imported by: 0

README

CircleCI codecov GoDoc contributions welcome

GoFor-MFT-Parser

Work in progress...

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ParseMFT 

func ParseMFT(inputFile *os.File, writer ResultWriter, streamer io.Writer, bytesPerCluster int64)

Takes an input file os.File and writes the results to the io.Writer. The format of the data sent to the io.Writer is dependent on what ResultWriter is used. The bytes per cluster input is typically 4096

func ParseMftRecords 

func ParseMftRecords(reader io.Reader, bytesPerCluster int64, directoryTree DirectoryTree, outputChannel *chan UsefulMftFields)

Parses a stream of mft record bytes and sends the results to an output channel. Records from this output channel are popped off by the ResultWriter used in the ParseMFT() method.

Types

type CsvResultWriter 

type CsvResultWriter struct{}

Receiver used with the ResultWriter method that would write the csv results to csv.

func (*CsvResultWriter) ResultWriter 

func (csvResultWriter *CsvResultWriter) ResultWriter(streamer io.Writer, outputChannel *chan UsefulMftFields, waitGroup *sync.WaitGroup)

This method that would write the csv results to csv.

type DataAttribute 

type DataAttribute struct {
	TotalSize                uint8
	FlagResident             bool
	ResidentDataAttribute    ResidentDataAttribute
	NonResidentDataAttribute NonResidentDataAttribute
}

Contains information about a parsed data attribute.

type DataRun 

type DataRun struct {
	AbsoluteOffset int64
	Length         int64
}

Contains a parsed data run which contains the absolute offset of where the data run resides in the volume and the length of the data run.

type DataRuns 

type DataRuns map[int]DataRun

Contains an ordered slice of parsed data runs

type DirectoryTree 

type DirectoryTree map[uint64]string

Contains a directory tree.

func BuildDirectoryTree 

func BuildDirectoryTree(reader io.Reader) (directoryTree DirectoryTree, err error)

Takes an MFT and creates a directory tree where the slice keys are the mft record number of the directory. This record number is importable because files will reference it as its parent mft record number.

type FileNameAttribute 

type FileNameAttribute struct {
	FnCreated  time.Time
	FnModified time.Time
	FnAccessed time.Time
	FnChanged  time.Time

	ParentDirRecordNumber uint64

	LogicalFileSize  uint64
	PhysicalFileSize uint64
	FileNameFlags    FileNameFlags

	FileNamespace string
	FileName      string
	// contains filtered or unexported fields
}

Contains information about a filename attribute.

type FileNameAttributes 

type FileNameAttributes []FileNameAttribute

Slice that contains a list of filename attributes.

type FileNameFlags 

type FileNameFlags struct {
	ReadOnly          bool
	Hidden            bool
	System            bool
	Archive           bool
	Device            bool
	Normal            bool
	Temporary         bool
	Sparse            bool
	Reparse           bool
	Compressed        bool
	Offline           bool
	NotContentIndexed bool
	Encrypted         bool
	Directory         bool
	IndexView         bool
}

Contains possible filename flags a file may have.

type MasterFileTableRecord 

type MasterFileTableRecord struct {
	RecordHeader                  RecordHeader
	StandardInformationAttributes StandardInformationAttribute
	FileNameAttributes            []FileNameAttribute
	DataAttribute                 DataAttribute
}

Contains information on a parsed MFT record

type NonResidentDataAttribute 

type NonResidentDataAttribute struct {
	DataRuns DataRuns
}

Alias for a parsed non-resident data attribute.

type RawAttributes 

type RawAttributes []rawAttribute

Slice of rawAttribute []byte aliases. Used primarily as a method receiver for the parse() method. See here for a handy list of attributes: https://flatcap.org/linux-ntfs/ntfs/attributes/index.html

func (RawAttributes) Parse 

func (rawAttributes RawAttributes) Parse(bytesPerCluster int64) (fileNameAttributes FileNameAttributes, standardInformationAttribute StandardInformationAttribute, dataAttribute DataAttribute, err error)

Parses a slice of raw attributes and returns its filename, standard information, and dat attributes. It takes an argument for bytes per cluster (typically 4096) which is used for computing data run information in a data attributes.

type RawDataAttribute 

type RawDataAttribute []byte

Alias for a raw data attribute. Used as a receiver to the parse() method.

func (RawDataAttribute) Parse 

func (rawDataAttribute RawDataAttribute) Parse(bytesPerCluster int64) (nonResidentDataAttribute NonResidentDataAttribute, residentDataAttribute ResidentDataAttribute, err error)

Parses the raw data attribute receiver and returns a non resident data attribute or a resident data attribute. The bytes per cluster argument is used to calculate data run information.

type RawDataRuns 

type RawDataRuns []byte

Alias for a raw data runs. Used as a receiver to the parse() method. See this for more details on data runs: https://flatcap.org/linux-ntfs/ntfs/concepts/data_runs.html

func (RawDataRuns) Parse 

func (rawDataRuns RawDataRuns) Parse(bytesPerCluster int64) (dataRuns DataRuns, err error)

Parses the raw data run receiver and returns data runs. The bytes per cluster argument is used to calculate data run information.

type RawFileNameAttribute 

type RawFileNameAttribute []byte

[]byte alias for raw filename attribute. Used with the Parse() method.

func (RawFileNameAttribute) Parse 

func (rawFileNameAttribute RawFileNameAttribute) Parse() (filenameAttribute FileNameAttribute, err error)

Parses the raw filename attribute receiver and returns a parsed filename attribute.

type RawFilenameFlags 

type RawFilenameFlags []byte

[]byte alias for raw filename flags. Used with the Parse() method.

func (RawFilenameFlags) Parse 

func (flagBytes RawFilenameFlags) Parse() (fileNameFlags FileNameFlags)

Parses the raw filename flags receiver and returns filename flags.

type RawFilenameNameSpaceFlag 

type RawFilenameNameSpaceFlag byte

byte alias for raw filename namespace flag. Used with the Parse() method.

func (RawFilenameNameSpaceFlag) Parse 

func (fileNamespaceFlag RawFilenameNameSpaceFlag) Parse() (fileNameSpace string)

Parses the raw file namespace flag receiver and returns a file namespace value.

type RawMasterFileTableRecord 

type RawMasterFileTableRecord []byte

[]byte alias for raw mft record. Used with the Parse() method.

func (RawMasterFileTableRecord) GetRawAttributes 

func (rawMftRecord RawMasterFileTableRecord) GetRawAttributes(recordHeader RecordHeader) (rawAttributes RawAttributes, err error)

Returns the attribute bytes from an unparsed mft record which is the method receiver. It takes recordHeader as an argument since the record header contains the offset for the start of the attributes.

func (RawMasterFileTableRecord) GetRawRecordHeader 

func (rawMftRecord RawMasterFileTableRecord) GetRawRecordHeader() (rawRecordHeader RawRecordHeader, err error)

Gets the raw record header from a raw mft record receiver.

func (RawMasterFileTableRecord) IsThisADirectory 

func (rawMftRecord RawMasterFileTableRecord) IsThisADirectory() (result bool, err error)

Quickly checks the bytes of an MFT record to determine if it is a directory or not.

func (RawMasterFileTableRecord) IsThisAnMftRecord 

func (rawMftRecord RawMasterFileTableRecord) IsThisAnMftRecord() (result bool, err error)

Quick check to see if the raw mft record receiver is a valid mft record.

func (RawMasterFileTableRecord) Parse 

func (rawMftRecord RawMasterFileTableRecord) Parse(bytesPerCluster int64) (mftRecord MasterFileTableRecord, err error)

Parses the raw MFT record receiver and returns a parsed mft record.

type RawNonResidentDataAttribute 

type RawNonResidentDataAttribute []byte

Alias for a raw nonresident data attribute. Used as a receiver to the parse() method.

func (RawNonResidentDataAttribute) Parse 

func (rawNonResidentDataAttribute RawNonResidentDataAttribute) Parse(bytesPerCluster int64) (nonResidentDataAttributes NonResidentDataAttribute, err error)

Parses the raw non resident data attribute receiver and returns a non resident data attribute. The bytes per cluster argument is used to calculate data run information.

type RawRecordHeader 

type RawRecordHeader []byte

[]byte alias for raw record header. Used with the Parse() method.

func (RawRecordHeader) GetRawRecordHeaderFlags 

func (rawRecordHeader RawRecordHeader) GetRawRecordHeaderFlags() (rawRecordHeaderFlag RawRecordHeaderFlag, err error)

Parses the raw filename attribute receiver and returns the raw record header flags.

func (RawRecordHeader) Parse 

func (rawRecordHeader RawRecordHeader) Parse() (recordHeader RecordHeader, err error)

Parses the raw record header receiver and returns a record header.

type RawRecordHeaderFlag 

type RawRecordHeaderFlag byte

byte alias for raw record header flag. Used with the Parse() method.

func (RawRecordHeaderFlag) Parse 

func (rawRecordHeaderFlag RawRecordHeaderFlag) Parse() (recordHeaderFlags RecordHeaderFlags)

Parses the raw record header flag receiver and returns record header flags.

type RawResidencyFlag 

type RawResidencyFlag byte

byte alias for raw residency flag. Used with the Parse() method.

func (RawResidencyFlag) Parse 

func (byteToCheck RawResidencyFlag) Parse() (flagResidency bool)

Parses the raw residency flag receiver and returns a flag residency value.

type RawResidentDataAttribute 

type RawResidentDataAttribute []byte

Alias for a raw resident data attribute. Used as a receiver to the parse() method. We don't really do anything this this currently.

func (RawResidentDataAttribute) Parse 

func (rawResidentDataAttribute RawResidentDataAttribute) Parse() (residentDataAttribute ResidentDataAttribute, err error)

Parses the raw resident data attribute receiver and returns the resident data attribute bytes.

type RawStandardInformationAttribute 

type RawStandardInformationAttribute []byte

[]byte alias for raw standard information attribute. Used with the Parse() method.

func (RawStandardInformationAttribute) Parse 

func (rawStandardInformationAttribute RawStandardInformationAttribute) Parse() (standardInformationAttribute StandardInformationAttribute, err error)

Parses the raw standard information attribute receiver and returns a parsed standard information attribute.

type RecordHeader 

type RecordHeader struct {
	AttributesOffset uint16
	RecordNumber     uint32
	Flags            RecordHeaderFlags
}

Contains parsed record header values.

type RecordHeaderFlags 

type RecordHeaderFlags struct {
	FlagDeleted   bool
	FlagDirectory bool
}

Contains parsed record header flag values.

type ResidentDataAttribute 

type ResidentDataAttribute []byte

Alias for a resident data attribute.

type ResultWriter 

type ResultWriter interface {
	ResultWriter(streamer io.Writer, outputChannel *chan UsefulMftFields, waitGroup *sync.WaitGroup)
}

Interface for result writers to allow for output format extensibility.

type StandardInformationAttribute 

type StandardInformationAttribute struct {
	SiCreated    time.Time
	SiModified   time.Time
	SiAccessed   time.Time
	SiChanged    time.Time
	FlagResident bool
}

Contains information from a parsed standard information attribute.

type UnresolvedDirectoryTree 

type UnresolvedDirectoryTree map[uint64]directory

Contains a slice of directories that need to be joined to create a directory tree.

func BuildUnresolvedDirectoryTree 

func BuildUnresolvedDirectoryTree(reader io.Reader) (unresolvedDirectoryTree UnresolvedDirectoryTree, err error)

Takes an MFT and does a first pass to find all the directories listed in it. These will form an unresolved directory tree that need to be stitched together.

func (UnresolvedDirectoryTree) Resolve added in v0.2.0 

func (unresolvedDirectoryTree UnresolvedDirectoryTree) Resolve() (directoryTree DirectoryTree)

Combines a running list of directories from a channel in order to create the systems directory trees.

type UsefulMftFields 

type UsefulMftFields struct {
	RecordNumber     uint32    `json:"RecordNumber,number"`
	FilePath         string    `json:"FilePath,string"`
	FullPath         string    `json:"FullPath,string"`
	FileName         string    `json:"FileName,string"`
	SystemFlag       bool      `json:"SystemFlag,bool"`
	HiddenFlag       bool      `json:"HiddenFlag,bool"`
	ReadOnlyFlag     bool      `json:"ReadOnlyFlag,bool"`
	DirectoryFlag    bool      `json:"DirectoryFlag,bool"`
	DeletedFlag      bool      `json:"DeletedFlag,bool"`
	FnCreated        time.Time `json:"FnCreated"`
	FnModified       time.Time `json:"FnModified"`
	FnAccessed       time.Time `json:"FnAccessed"`
	FnChanged        time.Time `json:"FnChanged"`
	SiCreated        time.Time `json:"SiCreated"`
	SiModified       time.Time `json:"SiModified"`
	SiAccessed       time.Time `json:"SiAccessed"`
	SiChanged        time.Time `json:"SiChanged"`
	PhysicalFileSize uint64    `json:"PhysicalFileSize,number"`
}

Contains a downselected list of fields that are actually valuable to an analyst. This is the data that is written after parsing an MFT.

func GetUsefulMftFields 

func GetUsefulMftFields(mftRecord MasterFileTableRecord, directoryTree DirectoryTree) (useFulMftFields UsefulMftFields)

This method will pull out and return just the MFT record fields that are useful to an analyst.

Source Files

View all Source files

Directories

Path Synopsis
cmd
gofor-mft-parser

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.