parser

package
v0.0.0-...-d7adef3 Latest Latest
Published: Sep 28, 2023 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Overview

Implement some easy APIs.

Index

Constants

// Parser size limits and NTFS attribute type codes.
const (
	// Upper bounds on sizes and lengths.
	// NOTE(review): presumably these cap values read from the volume being
	// parsed, so that a corrupt or deliberately malformed image cannot drive
	// unbounded allocation or scanning. The use sites are not shown here;
	// confirm that each size field is capped before it is used.
	MAX_RUNLIST_SIZE         = 1000000
	MAX_DECOMPRESSED_FILE    = 1000000
	MAX_IDX_SIZE             = 1000000
	MAX_MFT_ENTRY_SIZE       = 32 * 1024
	MAX_USN_RECORD_SCAN_SIZE = 1024
	MAX_ATTR_NAME_LENGTH     = 1024
	MAX_FILENAME_LENGTH      = 32 * 1024

	// NTFS attribute type codes, written in decimal (hex value alongside).
	ATTR_TYPE_DATA                 = 128 // 0x80 $DATA
	ATTR_TYPE_ATTRIBUTE_LIST       = 32  // 0x20 $ATTRIBUTE_LIST
	ATTR_TYPE_STANDARD_INFORMATION = 16  // 0x10 $STANDARD_INFORMATION
	ATTR_TYPE_FILE_NAME            = 48  // 0x30 $FILE_NAME
	ATTR_TYPE_INDEX_ROOT           = 144 // 0x90 $INDEX_ROOT
	ATTR_TYPE_INDEX_ALLOCATION     = 160 // 0xA0 $INDEX_ALLOCATION
)
// Sentinel values used to request a wildcard match on a stream.
const (
	// An invalid filename to flag a wildcard search.
	WILDCARD_STREAM_NAME = ":*:"
	// NOTE(review): presumably the stream-id counterpart of
	// WILDCARD_STREAM_NAME (0xffff meaning "any id") — confirm at the callers.
	WILDCARD_STREAM_ID   = uint16(0xffff)
)
// Named boolean values, so that call sites read as IncludeShortNames or
// DoNotIncludeShortNames instead of a bare true/false.
// NOTE(review): "short names" presumably means DOS 8.3 $FILE_NAME entries;
// the functions that take this flag are not visible here — confirm.
const (
	IncludeShortNames      = true
	DoNotIncludeShortNames = false
)
const (
	// NOTE(review): presumably the default for the max argument of
	// GetHardLinks. What the value 0 selects (a built-in limit or no limit)
	// is not visible here; confirm before relying on it to bound the walk
	// over an untrusted volume.
	DefaultMaxLinks = 0
)

Variables

// Sentinel errors. Compare against them with errors.Is rather than by
// message text.
// NOTE(review): the names suggest a record smaller than its expected layout
// and a read that returned fewer bytes than requested; the return sites are
// not shown here — confirm.
var (
	EntryTooShortError = errors.New("EntryTooShortError")
	ShortReadError     = errors.New("ShortReadError")
)
// Package-level debug switches.
var (
	// Off by default. NOTE(review): presumably gates the output of
	// LZNT1Printf — confirm.
	LZNT1_debug = false

	// Declared without an initializer, so it is nil until something assigns
	// it; any code that dereferences it must nil-check first.
	// NOTE(review): presumably set by SetDebug — confirm.
	NTFS_DEBUG *bool
)
// Bit masks over a 16-bit value.
// NOTE(review): these look like the fields of an LZNT1 chunk header (the
// package also exports LZNT1Decompress), but the code that applies them is not
// shown here — confirm. The header comes from the compressed input, so the
// size extracted with SIZE_MASK should be checked against the bytes remaining
// in the buffer before it is used.
var (
	COMPRESSED_MASK = uint16(1 << 15)    // 0x8000: bit 15
	SIGNATURE_MASK  = uint16(3 << 12)    // 0x3000: bits 12-13
	SIZE_MASK       = uint16(1<<12) - 1  // 0x0fff: low 12 bits
)
var (
	// Sentinel error; test for it with errors.Is(err, FILE_NOT_FOUND_ERROR)
	// rather than by matching the message text.
	// NOTE(review): presumably returned by path lookups such as
	// MFT_ENTRY.Open — confirm.
	FILE_NOT_FOUND_ERROR = errors.New("File not found.")
)
var (
	// Package-level value of type Stats, shared by every user of the package.
	// NOTE(review): the Stats type and how it is updated are not shown here;
	// confirm it is safe to read while parsing runs in other goroutines.
	STATS = Stats{}
)

Functions

func BootstrapMFT

func BootstrapMFT(ntfs *NTFSContext) (io.ReaderAt, error)

Find the root MFT_ENTRY object. Returns a reader over the $MFT file.

func CapInt32

func CapInt32(v int32, max int32) int32

func CapInt64

func CapInt64(v int64, max int64) int64

func CapUint16

func CapUint16(v uint16, max uint16) uint16

func CapUint32

func CapUint32(v uint32, max uint32) uint32

func CapUint64

func CapUint64(v uint64, max uint64) uint64

func CopySlice

func CopySlice(in []string) []string

func Debug

func Debug(arg interface{})

func DebugPrint

func DebugPrint(fmt_str string, v ...interface{})

func DebugRawRuns

func DebugRawRuns(runs []*Run)

func DebugString

func DebugString(arg interface{}, indent string) string

func DlvBreak

func DlvBreak()

func FixUpDiskMFTEntry

func FixUpDiskMFTEntry(mft *MFT_ENTRY) (io.ReaderAt, error)

The MFT entry needs to be fixed up. This function reads the MFT_ENTRY from disk into a buffer and performs the fixups. It then returns a reader over this fixed-up buffer.

func GetFullPath

func GetFullPath(ntfs *NTFSContext, mft_entry *MFT_ENTRY) string

Traverse the mft entry and attempt to find its owner until the root. We return the full path of the MFT entry.

func GetHardLinks(ntfs *NTFSContext, mft_id uint64, max int) [][]string

Walks the MFT entry to collect all file names (hard links) that refer to this MFT entry.

func IsCompressed

func IsCompressed(flags *EntryFlags) bool

Faster shortcuts to avoid extra allocations.

func IsCompressedOrSparse

func IsCompressedOrSparse(flags *EntryFlags) bool

func IsFixed

func IsFixed(item interface{}, offset int64) bool

func IsSparse

func IsSparse(flags *EntryFlags) bool

func LZNT1Decompress

func LZNT1Decompress(in []byte) ([]byte, error)

func LZNT1Printf

func LZNT1Printf(fmt_str string, args ...interface{})

func ParseArray_byte

func ParseArray_byte(profile *NTFSProfile, reader io.ReaderAt, offset int64, count int) []byte

func ParseInt32

func ParseInt32(reader io.ReaderAt, offset int64) int32

func ParseInt64

func ParseInt64(reader io.ReaderAt, offset int64) int64

func ParseInt8

func ParseInt8(reader io.ReaderAt, offset int64) int8

func ParseMFTFile

func ParseMFTFile(
	ctx context.Context,
	reader io.ReaderAt,
	size int64,
	cluster_size int64,
	record_size int64) chan *MFTHighlight

func ParseMFTFileWithOptions

func ParseMFTFileWithOptions(
	ctx context.Context,
	reader io.ReaderAt,
	size int64,
	cluster_size int64,
	record_size int64,
	start_entry int64,
	options Options) chan *MFTHighlight

func ParseMFTId

func ParseMFTId(mft_id string) (mft_idx int64, attr int64, id int64, stream_name string, err error)

func ParseSignature

func ParseSignature(reader io.ReaderAt, offset int64, length int64) string

func ParseString

func ParseString(reader io.ReaderAt, offset int64, length int64) string

func ParseTerminatedString

func ParseTerminatedString(reader io.ReaderAt, offset int64) string

func ParseTerminatedUTF16String

func ParseTerminatedUTF16String(reader io.ReaderAt, offset int64) string

func ParseUSN

func ParseUSN(ctx context.Context, ntfs_ctx *NTFSContext, starting_offset int64) chan *USN_RECORD

Returns a channel on which USN records will be sent. We start parsing at the start of the file and continue until the end.

func ParseUTF16String

func ParseUTF16String(reader io.ReaderAt, offset int64, length int64) string

func ParseUint16

func ParseUint16(reader io.ReaderAt, offset int64) uint16

func ParseUint32

func ParseUint32(reader io.ReaderAt, offset int64) uint32

func ParseUint64

func ParseUint64(reader io.ReaderAt, offset int64) uint64

func ParseUint8

func ParseUint8(reader io.ReaderAt, offset int64) byte

func PrintStack

func PrintStack()

func Printf

func Printf(fmt_str string, args ...interface{})

func RangeSize

func RangeSize(rng RangeReaderAt) int64

func ReverseStringSlice

func ReverseStringSlice(s []string)

Reverses the slice in place.

func SetDebug

func SetDebug()

Turns on debugging programmatically

func UTF16BytesToUTF8

func UTF16BytesToUTF8(b []byte, o binary.ByteOrder) string

func VtoP

func VtoP(reader interface{}, offset int64) int64

func WatchUSN

func WatchUSN(ctx context.Context, ntfs_ctx *NTFSContext, period int) chan *USN_RECORD

Types

type ATTRIBUTE_LIST_ENTRY

// ATTRIBUTE_LIST_ENTRY is a view over one attribute list entry located at
// Offset within Reader.
// NOTE(review): the accessor methods presumably read each field at Offset plus
// the matching Off_ATTRIBUTE_LIST_ENTRY_* value held in Profile — confirm.
// Every value they return comes from the volume being parsed, so callers
// should range-check lengths, offsets and MFT references before acting on
// them.
type ATTRIBUTE_LIST_ENTRY struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *NTFSProfile
}

func (*ATTRIBUTE_LIST_ENTRY) Attribute_id

func (self *ATTRIBUTE_LIST_ENTRY) Attribute_id() uint16

func (*ATTRIBUTE_LIST_ENTRY) Attributes

func (self *ATTRIBUTE_LIST_ENTRY) Attributes(
	ntfs *NTFSContext,
	mft_entry *MFT_ENTRY,
	attr *NTFS_ATTRIBUTE) []*NTFS_ATTRIBUTE

func (*ATTRIBUTE_LIST_ENTRY) DebugString

func (self *ATTRIBUTE_LIST_ENTRY) DebugString() string

func (*ATTRIBUTE_LIST_ENTRY) GetAttribute

func (self *ATTRIBUTE_LIST_ENTRY) GetAttribute(
	ntfs *NTFSContext) (*NTFS_ATTRIBUTE, error)

func (*ATTRIBUTE_LIST_ENTRY) Length

func (self *ATTRIBUTE_LIST_ENTRY) Length() uint16

func (*ATTRIBUTE_LIST_ENTRY) MftReference

func (self *ATTRIBUTE_LIST_ENTRY) MftReference() uint64

func (*ATTRIBUTE_LIST_ENTRY) Name_length

func (self *ATTRIBUTE_LIST_ENTRY) Name_length() byte

func (*ATTRIBUTE_LIST_ENTRY) Offset_to_name

func (self *ATTRIBUTE_LIST_ENTRY) Offset_to_name() byte

func (*ATTRIBUTE_LIST_ENTRY) Size

func (self *ATTRIBUTE_LIST_ENTRY) Size() int

func (*ATTRIBUTE_LIST_ENTRY) Starting_vcn

func (self *ATTRIBUTE_LIST_ENTRY) Starting_vcn() uint64

func (*ATTRIBUTE_LIST_ENTRY) Type

func (self *ATTRIBUTE_LIST_ENTRY) Type() uint32

type Attribute

type Attribute struct {
	Type   string
	TypeId uint64
	Id     uint64
	Inode  string
	Size   int64
	Name   string
}

type Debugger

type Debugger interface {
	DebugString() string
}

type EntryFlags

type EntryFlags uint64

func (EntryFlags) DebugString

func (self EntryFlags) DebugString() string

type Enumeration

type Enumeration struct {
	Value uint64
	Name  string
}

func (Enumeration) DebugString

func (self Enumeration) DebugString() string

type EvictCallback

type EvictCallback func(key int, value interface{})

EvictCallback is used to get a callback when a cache entry is evicted

type FILE_NAME

// FILE_NAME is a view over a $FILE_NAME structure located at Offset within
// Reader.
// NOTE(review): the accessor methods presumably read each field at Offset plus
// the matching Off_FILE_NAME_* value held in Profile — confirm. The name
// length and the name bytes come from the volume being parsed and should be
// treated as untrusted input.
type FILE_NAME struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *NTFSProfile
}

func (*FILE_NAME) Allocated_size

func (self *FILE_NAME) Allocated_size() uint64

func (*FILE_NAME) Created

func (self *FILE_NAME) Created() *WinFileTime

func (*FILE_NAME) DebugString

func (self *FILE_NAME) DebugString() string

func (*FILE_NAME) File_accessed

func (self *FILE_NAME) File_accessed() *WinFileTime

func (*FILE_NAME) File_modified

func (self *FILE_NAME) File_modified() *WinFileTime

func (*FILE_NAME) FilenameSize

func (self *FILE_NAME) FilenameSize() uint64

func (*FILE_NAME) Flags

func (self *FILE_NAME) Flags() *Flags

func (*FILE_NAME) MftReference

func (self *FILE_NAME) MftReference() uint64

func (*FILE_NAME) Mft_modified

func (self *FILE_NAME) Mft_modified() *WinFileTime

func (*FILE_NAME) Name

func (self *FILE_NAME) Name() string

func (*FILE_NAME) NameType

func (self *FILE_NAME) NameType() *Enumeration

func (*FILE_NAME) Reparse_value

func (self *FILE_NAME) Reparse_value() uint32

func (*FILE_NAME) Seq_num

func (self *FILE_NAME) Seq_num() uint16

func (*FILE_NAME) Size

func (self *FILE_NAME) Size() int

type FNSummary

type FNSummary struct {
	Name                 string
	NameType             string
	ParentEntryNumber    uint64
	ParentSequenceNumber uint16
}

type FileInfo

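// FileInfo describes one directory entry or file name. It is the element type
// of the slices returned by ExtractI30List, ExtractI30ListFromStream, ListDir
// and Stat.
//
// omitempty has no effect on the time.Time fields: encoding/json never treats
// a struct value as empty, so zero times are still emitted.
type FileInfo struct {
	MFTId          string    `json:"MFTId,omitempty"`
	SequenceNumber uint16    `json:"SequenceNumber,omitempty"`
	Mtime          time.Time `json:"Mtime,omitempty"`
	Atime          time.Time `json:"Atime,omitempty"`
	Ctime          time.Time `json:"Ctime,omitempty"`
	Btime          time.Time `json:"Btime,omitempty"` // Birth time.
	// NOTE(review): the FN prefix presumably marks the birth and modification
	// times taken from the $FILE_NAME attribute — confirm where they are set.
	// Each field must carry its own JSON key: when two sibling fields share a
	// key, encoding/json drops both without an error, which would remove
	// these timestamps from serialized output.
	FNBtime        time.Time `json:"FNBtime,omitempty"`
	FNMtime        time.Time `json:"FNMtime,omitempty"`
	Name           string    `json:"Name,omitempty"`
	NameType       string    `json:"NameType,omitempty"`
	ExtraNames     []string  `json:"ExtraNames,omitempty"`
	IsDir          bool      `json:"IsDir,omitempty"`
	Size           int64
	AllocatedSize  int64

	// Is it in I30 slack?
	IsSlack     bool  `json:"IsSlack,omitempty"`
	SlackOffset int64 `json:"SlackOffset,omitempty"`
}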

func ExtractI30List

func ExtractI30List(ntfs *NTFSContext, mft_entry *MFT_ENTRY) []*FileInfo

func ExtractI30ListFromStream

func ExtractI30ListFromStream(
	ntfs *NTFSContext,
	reader io.ReaderAt,
	stream_size int64) []*FileInfo

func ListDir

func ListDir(ntfs *NTFSContext, root *MFT_ENTRY) []*FileInfo

func Stat

func Stat(ntfs *NTFSContext, node_mft *MFT_ENTRY) []*FileInfo

type FilenameInfo

type FilenameInfo struct {
	Times                TimeStamps
	Type                 string
	Name                 string
	ParentEntryNumber    uint64
	ParentSequenceNumber uint16
}

type FixedUpReader

type FixedUpReader struct {
	*bytes.Reader
	// contains filtered or unexported fields
}

func (FixedUpReader) IsFixed

func (self FixedUpReader) IsFixed(offset int64) bool

func (FixedUpReader) VtoP

func (self FixedUpReader) VtoP(offset int64) int64

type Flags

type Flags struct {
	Value uint64
	Names map[string]bool
}

func (Flags) DebugString

func (self Flags) DebugString() string

func (Flags) IsSet

func (self Flags) IsSet(flag string) bool

func (Flags) Values

func (self Flags) Values() []string

type Flusher

type Flusher interface {
	Flush()
}

Invalidate the disk cache

type GUID

type GUID struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *NTFSProfile
}

func (GUID) AsString

func (self GUID) AsString() string

func (*GUID) Data1

func (self *GUID) Data1() uint32

func (*GUID) Data2

func (self *GUID) Data2() uint16

func (*GUID) Data3

func (self *GUID) Data3() uint16

func (*GUID) Data4

func (self *GUID) Data4() []byte

func (*GUID) DebugString

func (self *GUID) DebugString() string

func (*GUID) Size

func (self *GUID) Size() int

type GenericRun

type GenericRun struct {
	Offset int64
	End    int64
	Reader io.ReaderAt
}

type INDEX_NODE_HEADER

type INDEX_NODE_HEADER struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *NTFSProfile
}

func (*INDEX_NODE_HEADER) DebugString

func (self *INDEX_NODE_HEADER) DebugString() string

func (*INDEX_NODE_HEADER) GetRecords

func (self *INDEX_NODE_HEADER) GetRecords(ntfs *NTFSContext) []*INDEX_RECORD_ENTRY

func (*INDEX_NODE_HEADER) Offset_to_end_index_entry

func (self *INDEX_NODE_HEADER) Offset_to_end_index_entry() uint32

func (*INDEX_NODE_HEADER) Offset_to_index_entry

func (self *INDEX_NODE_HEADER) Offset_to_index_entry() uint32

func (*INDEX_NODE_HEADER) ScanSlack

func (self *INDEX_NODE_HEADER) ScanSlack(ntfs *NTFSContext) []*INDEX_RECORD_ENTRY

func (*INDEX_NODE_HEADER) Size

func (self *INDEX_NODE_HEADER) Size() int

func (*INDEX_NODE_HEADER) SizeOfEntriesAlloc

func (self *INDEX_NODE_HEADER) SizeOfEntriesAlloc() int32

type INDEX_RECORD_ENTRY

// INDEX_RECORD_ENTRY is a view over one index record entry located at Offset
// within Reader.
// NOTE(review): the accessor methods presumably read each field at Offset plus
// the matching Off_INDEX_RECORD_ENTRY_* value held in Profile — confirm.
// Entries recovered by ScanSlack come from unallocated index space and may be
// partial or stale, so check IsValid before trusting the other accessors.
type INDEX_RECORD_ENTRY struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *NTFSProfile
}

func (*INDEX_RECORD_ENTRY) DebugString

func (self *INDEX_RECORD_ENTRY) DebugString() string

func (*INDEX_RECORD_ENTRY) File

func (self *INDEX_RECORD_ENTRY) File() *FILE_NAME

func (*INDEX_RECORD_ENTRY) FilenameOffset

func (self *INDEX_RECORD_ENTRY) FilenameOffset() uint16

func (*INDEX_RECORD_ENTRY) Flags

func (self *INDEX_RECORD_ENTRY) Flags() uint32

func (*INDEX_RECORD_ENTRY) IsValid

func (self *INDEX_RECORD_ENTRY) IsValid() bool

func (*INDEX_RECORD_ENTRY) MftReference

func (self *INDEX_RECORD_ENTRY) MftReference() uint64

func (*INDEX_RECORD_ENTRY) Seq_num

func (self *INDEX_RECORD_ENTRY) Seq_num() uint16

func (*INDEX_RECORD_ENTRY) Size

func (self *INDEX_RECORD_ENTRY) Size() int

func (*INDEX_RECORD_ENTRY) SizeOfIndexEntry

func (self *INDEX_RECORD_ENTRY) SizeOfIndexEntry() uint16

type INDEX_ROOT

type INDEX_ROOT struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *NTFSProfile
}

func (*INDEX_ROOT) Collation_rule

func (self *INDEX_ROOT) Collation_rule() uint32

func (*INDEX_ROOT) DebugString

func (self *INDEX_ROOT) DebugString() string

func (*INDEX_ROOT) Idx_size_c

func (self *INDEX_ROOT) Idx_size_c() uint32

func (*INDEX_ROOT) Idxalloc_size_b

func (self *INDEX_ROOT) Idxalloc_size_b() uint32

func (*INDEX_ROOT) Node

func (self *INDEX_ROOT) Node() *INDEX_NODE_HEADER

func (*INDEX_ROOT) Size

func (self *INDEX_ROOT) Size() int

func (*INDEX_ROOT) Type

func (self *INDEX_ROOT) Type() uint32

type InodeFormatter

type InodeFormatter struct {
	// contains filtered or unexported fields
}

func (*InodeFormatter) Inode

func (self *InodeFormatter) Inode(mft_id uint32,
	attr_type_id uint64, attr_id uint16, name string) string

Format an inode unambiguously.

type IsFixedReader

type IsFixedReader interface {
	IsFixed(offset int64) bool
}

type LRU

type LRU struct {
	// contains filtered or unexported fields
}

LRU implements a thread safe fixed size LRU cache

func NewLRU

func NewLRU(size int, onEvict EvictCallback, name string) (*LRU, error)

NewLRU constructs an LRU of the given size

func (*LRU) Add

func (self *LRU) Add(key int, value interface{}) (evicted bool)

Add adds a value to the cache. Returns true if an eviction occurred.

func (*LRU) Contains

func (self *LRU) Contains(key int) (ok bool)

Contains checks if a key is in the cache, without updating the recent-ness or deleting it for being stale.

func (*LRU) DebugString

func (self *LRU) DebugString() string

func (*LRU) Get

func (self *LRU) Get(key int) (value interface{}, ok bool)

Get looks up a key's value from the cache.

func (*LRU) GetOldest

func (self *LRU) GetOldest() (key int, value interface{}, ok bool)

GetOldest returns the oldest entry

func (*LRU) Keys

func (self *LRU) Keys() []int

Keys returns a slice of the keys in the cache, from oldest to newest.

func (*LRU) Len

func (self *LRU) Len() int

Len returns the number of items in the cache.

func (*LRU) Peek

func (self *LRU) Peek(key int) (value interface{}, ok bool)

Peek returns the key value (or undefined if not found) without updating the "recently used"-ness of the key.

func (*LRU) Purge

func (self *LRU) Purge()

Purge is used to completely clear the cache.

func (*LRU) Remove

func (self *LRU) Remove(key int) (present bool)

Remove removes the provided key from the cache, returning if the key was contained.

func (*LRU) RemoveOldest

func (self *LRU) RemoveOldest() (key int, value interface{}, ok bool)

RemoveOldest removes the oldest item from the cache.

func (*LRU) Touch

func (self *LRU) Touch(key int)

type LimitedReader

// LimitedReader wraps a RangeReaderAt together with a byte count N.
// NOTE(review): presumably ReadAt does not return data beyond offset N, which
// would keep reads inside an attribute's declared size — confirm against the
// ReadAt implementation, which is not shown here.
type LimitedReader struct {
	RangeReaderAt
	N int64
}

func (LimitedReader) ReadAt

func (self LimitedReader) ReadAt(buff []byte, off int64) (int, error)

type MFTEntryCache

type MFTEntryCache struct {
	// contains filtered or unexported fields
}

func NewMFTEntryCache

func NewMFTEntryCache(ntfs *NTFSContext) *MFTEntryCache

func (*MFTEntryCache) GetSummary

func (self *MFTEntryCache) GetSummary(id uint64) (*MFTEntrySummary, error)

type MFTEntrySummary

type MFTEntrySummary struct {
	Sequence  uint16
	Filenames []FNSummary
}

type MFTHighlight

// MFTHighlight is the per-entry record sent on the channel returned by
// ParseMFTFile and ParseMFTFileWithOptions.
//
// The 0x10 and 0x30 suffixes on the timestamp fields match the attribute type
// codes ATTR_TYPE_STANDARD_INFORMATION (16) and ATTR_TYPE_FILE_NAME (48), so
// each timestamp is reported once per attribute.
type MFTHighlight struct {
	EntryNumber          int64
	Inode                string
	SequenceNumber       uint16
	InUse                bool
	ParentEntryNumber    uint64
	ParentSequenceNumber uint16
	FileNames            []string

	FileSize             int64
	ReferenceCount       int64
	IsDir                bool
	HasADS               bool
	// NOTE(review): SI_Lt_FN, USecZeros and Copied look like timestamp
	// anomaly flags of the kind used to spot timestamp manipulation (for
	// example a $STANDARD_INFORMATION time earlier than the $FILE_NAME time,
	// or a zeroed sub-second part). How each is computed is not visible
	// here — confirm before using them as detection signals.
	SI_Lt_FN             bool
	USecZeros            bool
	Copied               bool
	SIFlags              string
	Created0x10          time.Time
	Created0x30          time.Time
	LastModified0x10     time.Time
	LastModified0x30     time.Time
	LastRecordChange0x10 time.Time
	LastRecordChange0x30 time.Time
	LastAccess0x10       time.Time
	LastAccess0x30       time.Time

	LogFileSeqNum uint64
	// contains filtered or unexported fields
}

func (*MFTHighlight) Components

func (self *MFTHighlight) Components() []string

For simplicity and backwards compatibility returns the first hard link of the mft entry. In NTFS MFT entries can have multiple paths so you should consult the Links() to get more info.

func (*MFTHighlight) Copy

func (self *MFTHighlight) Copy() *MFTHighlight

Copy the struct safely replacing the mutex

func (*MFTHighlight) FileName

func (self *MFTHighlight) FileName() string

func (*MFTHighlight) FileNameTypes

func (self *MFTHighlight) FileNameTypes() string

func (*MFTHighlight) FullPath

func (self *MFTHighlight) FullPath() string
func (self *MFTHighlight) Links() []string

type MFT_ENTRY

// MFT_ENTRY is a view over one MFT record located at Offset within Reader.
// NOTE(review): the accessor methods presumably read each field at Offset plus
// the matching Off_MFT_ENTRY_* value held in Profile — confirm. Header fields
// such as Attribute_offset, Fixup_offset, Fixup_count and Mft_entry_size come
// straight from the volume and should be range-checked against the record
// size before they are used to index into it.
type MFT_ENTRY struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *NTFSProfile
}

MFT_ENTRY with a bit of caching.

func GetFixedUpMFTEntry

func GetFixedUpMFTEntry(
	ntfs *NTFSContext,
	reader io.ReaderAt, offset int64) (*MFT_ENTRY, error)

func (*MFT_ENTRY) Attribute_offset

func (self *MFT_ENTRY) Attribute_offset() uint16

func (*MFT_ENTRY) Base_record_reference

func (self *MFT_ENTRY) Base_record_reference() uint64

func (*MFT_ENTRY) DebugString

func (self *MFT_ENTRY) DebugString() string

func (*MFT_ENTRY) Dir

func (self *MFT_ENTRY) Dir(ntfs *NTFSContext) []*INDEX_RECORD_ENTRY

func (*MFT_ENTRY) DirNodes

func (self *MFT_ENTRY) DirNodes(ntfs *NTFSContext) []*INDEX_NODE_HEADER

func (*MFT_ENTRY) Display

func (self *MFT_ENTRY) Display(ntfs *NTFSContext) string

func (*MFT_ENTRY) EnumerateAttributes

func (self *MFT_ENTRY) EnumerateAttributes(ntfs *NTFSContext) []*NTFS_ATTRIBUTE

func (*MFT_ENTRY) FileName

func (self *MFT_ENTRY) FileName(ntfs *NTFSContext) []*FILE_NAME

Extract the $FILE_NAME attribute from the MFT.

func (*MFT_ENTRY) Fixup_count

func (self *MFT_ENTRY) Fixup_count() uint16

func (*MFT_ENTRY) Fixup_offset

func (self *MFT_ENTRY) Fixup_offset() uint16

func (*MFT_ENTRY) Flags

func (self *MFT_ENTRY) Flags() *Flags

func (*MFT_ENTRY) GetAttribute

func (self *MFT_ENTRY) GetAttribute(
	ntfs *NTFSContext, attr_type,
	id int64, stream string) (*NTFS_ATTRIBUTE, error)

Retrieve the content of the attribute stream specified by type and id. If id is 0 return the first attribute of this type.

func (*MFT_ENTRY) GetDirectAttribute

func (self *MFT_ENTRY) GetDirectAttribute(
	ntfs *NTFSContext, attr_type uint64, attr_id uint16) (*NTFS_ATTRIBUTE, error)

Search the MFT entry for a contained attribute - does not expand ATTRIBUTE_LISTs. This version is suitable to be called from within an ATTRIBUTE_LIST expansion.

func (*MFT_ENTRY) IsDir

func (self *MFT_ENTRY) IsDir(ntfs *NTFSContext) bool
func (self *MFT_ENTRY) Link_count() uint16

func (*MFT_ENTRY) Logfile_sequence_number

func (self *MFT_ENTRY) Logfile_sequence_number() uint64

func (*MFT_ENTRY) Magic

func (self *MFT_ENTRY) Magic() *Signature

func (*MFT_ENTRY) Mft_entry_allocated

func (self *MFT_ENTRY) Mft_entry_allocated() uint16

func (*MFT_ENTRY) Mft_entry_size

func (self *MFT_ENTRY) Mft_entry_size() uint16

func (*MFT_ENTRY) Next_attribute_id

func (self *MFT_ENTRY) Next_attribute_id() uint16

func (*MFT_ENTRY) Open

func (self *MFT_ENTRY) Open(ntfs *NTFSContext, filename string) (*MFT_ENTRY, error)

Open the MFT entry specified by a path name. Walks all directory indexes in the path to find the right MFT entry.

func (*MFT_ENTRY) Record_number

func (self *MFT_ENTRY) Record_number() uint32

func (*MFT_ENTRY) Sequence_value

func (self *MFT_ENTRY) Sequence_value() uint16

func (*MFT_ENTRY) Size

func (self *MFT_ENTRY) Size() int

func (*MFT_ENTRY) StandardInformation

func (self *MFT_ENTRY) StandardInformation(ntfs *NTFSContext) (
	*STANDARD_INFORMATION, error)

Extract the $STANDARD_INFORMATION attribute from the MFT.

type MapReader

type MapReader struct {
	// Very simple for now but faster for small number of runs.
	Runs []*GenericRun
}

Stitch together several different readers mapped at different offsets. In NTFS, a file's data consists of multiple $DATA streams, each having the same id. These different streams are mapped at different runlist_vcn_start to runlist_vcn_end (VCN = Virtual Cluster Number: the cluster number within the file's data). This reader combines these different readers into a single continuous form.

func (*MapReader) ReadAt

func (self *MapReader) ReadAt(buf []byte, offset int64) (int, error)

type MappedReader

// MappedReader maps a range of file offsets onto a range of the underlying
// Reader; ReadAt translates file-space offsets into target-space offsets.
// NOTE(review): FileOffset, TargetOffset and Length are presumably derived
// from a runlist read off the volume; confirm that they are validated so a
// malformed runlist cannot direct reads outside the intended range.
type MappedReader struct {
	FileOffset       int64 // Address in the file this range begins
	TargetOffset     int64 // Address in the target reader the range is mapped to.
	Length           int64 // Length of mapping.
	ClusterSize      int64
	CompressedLength int64 // For compressed readers, we need to decompress on read.
	// NOTE(review): presumably a sparse range has no backing data in Reader
	// and reads as zeros — confirm.
	IsSparse         bool
	Reader           io.ReaderAt
}

A reader mapping from file space to target space. A ReadAt in file space will be mapped to a ReadAt in target space.

func (*MappedReader) DebugString

func (self *MappedReader) DebugString() string

func (*MappedReader) Decompress

func (self *MappedReader) Decompress(reader io.ReaderAt, cluster_size int64) ([]byte, error)

func (*MappedReader) IsFixed

func (self *MappedReader) IsFixed(offset int64) bool

func (*MappedReader) Ranges

func (self *MappedReader) Ranges() []Range

Trim the delegate ranges to our own mapping length.

func (*MappedReader) ReadAt

func (self *MappedReader) ReadAt(buff []byte, off int64) (int, error)

func (*MappedReader) VtoP

func (self *MappedReader) VtoP(offset int64) int64

type NTFSContext

// NTFSContext carries the readers and volume parameters that the parsing
// functions in this package take as their first argument. GetNTFSContext
// builds one from an image reader and an offset.
type NTFSContext struct {
	// The reader over the disk
	DiskReader io.ReaderAt

	// The reader over the MFT
	MFTReader io.ReaderAt

	Boot *NTFS_BOOT_SECTOR
	//RootMFT *MFT_ENTRY
	Profile *NTFSProfile

	// NOTE(review): ClusterSize and RecordSize are presumably taken from the
	// boot sector, i.e. from the image itself — confirm they are sanity
	// checked (non-zero, bounded) before being used in size arithmetic.
	ClusterSize int64

	RecordSize int64
	// contains filtered or unexported fields
}

func GetNTFSContext

func GetNTFSContext(image io.ReaderAt, offset int64) (*NTFSContext, error)

func (*NTFSContext) Close

func (self *NTFSContext) Close()

func (*NTFSContext) Copy

func (self *NTFSContext) Copy() *NTFSContext

func (*NTFSContext) GetMFT

func (self *NTFSContext) GetMFT(id int64) (*MFT_ENTRY, error)

func (*NTFSContext) GetMFTSummary

func (self *NTFSContext) GetMFTSummary(id uint64) (*MFTEntrySummary, error)

func (*NTFSContext) GetRecordSize

func (self *NTFSContext) GetRecordSize() int64

func (*NTFSContext) Purge

func (self *NTFSContext) Purge()

func (*NTFSContext) SetOptions

func (self *NTFSContext) SetOptions(options Options)

type NTFSFileInformation

// NTFSFileInformation describes a single MFT entry; ModelMFTEntry returns it.
type NTFSFileInformation struct {
	FullPath       string
	MFTID          int64
	SequenceNumber uint16
	Size           int64
	Allocated      bool
	IsDir          bool
	// NOTE(review): presumably the $STANDARD_INFORMATION timestamps; the
	// $FILE_NAME timestamps are carried per name in Filenames — confirm.
	SI_Times       *TimeStamps

	// If multiple filenames are given, we list them here.
	Filenames []*FilenameInfo

	Attributes []*Attribute

	Hardlinks []string
}

Describe a single MFT entry.

func ModelMFTEntry

func ModelMFTEntry(ntfs *NTFSContext, mft_entry *MFT_ENTRY) (*NTFSFileInformation, error)

type NTFSProfile

type NTFSProfile struct {
	Off_ATTRIBUTE_LIST_ENTRY_Type                       int64
	Off_ATTRIBUTE_LIST_ENTRY_Length                     int64
	Off_ATTRIBUTE_LIST_ENTRY_Name_length                int64
	Off_ATTRIBUTE_LIST_ENTRY_Offset_to_name             int64
	Off_ATTRIBUTE_LIST_ENTRY_Starting_vcn               int64
	Off_ATTRIBUTE_LIST_ENTRY_MftReference               int64
	Off_ATTRIBUTE_LIST_ENTRY_Attribute_id               int64
	Off_FILE_NAME_MftReference                          int64
	Off_FILE_NAME_Seq_num                               int64
	Off_FILE_NAME_Created                               int64
	Off_FILE_NAME_File_modified                         int64
	Off_FILE_NAME_Mft_modified                          int64
	Off_FILE_NAME_File_accessed                         int64
	Off_FILE_NAME_Allocated_size                        int64
	Off_FILE_NAME_FilenameSize                          int64
	Off_FILE_NAME_Flags                                 int64
	Off_FILE_NAME_Reparse_value                         int64
	Off_FILE_NAME__length_of_name                       int64
	Off_FILE_NAME_NameType                              int64
	Off_FILE_NAME_name                                  int64
	Off_GUID_Data1                                      int64
	Off_GUID_Data2                                      int64
	Off_GUID_Data3                                      int64
	Off_GUID_Data4                                      int64
	Off_INDEX_NODE_HEADER_Offset_to_index_entry         int64
	Off_INDEX_NODE_HEADER_Offset_to_end_index_entry     int64
	Off_INDEX_NODE_HEADER_SizeOfEntriesAlloc            int64
	Off_INDEX_RECORD_ENTRY_MftReference                 int64
	Off_INDEX_RECORD_ENTRY_Seq_num                      int64
	Off_INDEX_RECORD_ENTRY_SizeOfIndexEntry             int64
	Off_INDEX_RECORD_ENTRY_FilenameOffset               int64
	Off_INDEX_RECORD_ENTRY_Flags                        int64
	Off_INDEX_RECORD_ENTRY_File                         int64
	Off_INDEX_ROOT_Type                                 int64
	Off_INDEX_ROOT_Collation_rule                       int64
	Off_INDEX_ROOT_Idxalloc_size_b                      int64
	Off_INDEX_ROOT_Idx_size_c                           int64
	Off_INDEX_ROOT_Node                                 int64
	Off_MFT_ENTRY_Magic                                 int64
	Off_MFT_ENTRY_Fixup_offset                          int64
	Off_MFT_ENTRY_Fixup_count                           int64
	Off_MFT_ENTRY_Logfile_sequence_number               int64
	Off_MFT_ENTRY_Sequence_value                        int64
	Off_MFT_ENTRY_Link_count                            int64
	Off_MFT_ENTRY_Attribute_offset                      int64
	Off_MFT_ENTRY_Flags                                 int64
	Off_MFT_ENTRY_Mft_entry_size                        int64
	Off_MFT_ENTRY_Mft_entry_allocated                   int64
	Off_MFT_ENTRY_Base_record_reference                 int64
	Off_MFT_ENTRY_Next_attribute_id                     int64
	Off_MFT_ENTRY_Record_number                         int64
	Off_NTFS_ATTRIBUTE_Type                             int64
	Off_NTFS_ATTRIBUTE_Length                           int64
	Off_NTFS_ATTRIBUTE_Resident                         int64
	Off_NTFS_ATTRIBUTE_name_length                      int64
	Off_NTFS_ATTRIBUTE_name_offset                      int64
	Off_NTFS_ATTRIBUTE_Flags                            int64
	Off_NTFS_ATTRIBUTE_Attribute_id                     int64
	Off_NTFS_ATTRIBUTE_Content_size                     int64
	Off_NTFS_ATTRIBUTE_Content_offset                   int64
	Off_NTFS_ATTRIBUTE_Runlist_vcn_start                int64
	Off_NTFS_ATTRIBUTE_Runlist_vcn_end                  int64
	Off_NTFS_ATTRIBUTE_Runlist_offset                   int64
	Off_NTFS_ATTRIBUTE_Compression_unit_size            int64
	Off_NTFS_ATTRIBUTE_Allocated_size                   int64
	Off_NTFS_ATTRIBUTE_Actual_size                      int64
	Off_NTFS_ATTRIBUTE_Initialized_size                 int64
	Off_NTFS_BOOT_SECTOR_Oemname                        int64
	Off_NTFS_BOOT_SECTOR_Sector_size                    int64
	Off_NTFS_BOOT_SECTOR__cluster_size                  int64
	Off_NTFS_BOOT_SECTOR__volume_size                   int64
	Off_NTFS_BOOT_SECTOR__mft_cluster                   int64
	Off_NTFS_BOOT_SECTOR__mirror_mft_cluster            int64
	Off_NTFS_BOOT_SECTOR__mft_record_size               int64
	Off_NTFS_BOOT_SECTOR_Index_record_size              int64
	Off_NTFS_BOOT_SECTOR_Serial                         int64
	Off_NTFS_BOOT_SECTOR_Magic                          int64
	Off_NTFS_RESIDENT_ATTRIBUTE_Type                    int64
	Off_NTFS_RESIDENT_ATTRIBUTE_Length                  int64
	Off_NTFS_RESIDENT_ATTRIBUTE_Resident                int64
	Off_NTFS_RESIDENT_ATTRIBUTE_Name_length             int64
	Off_NTFS_RESIDENT_ATTRIBUTE_Name_offset             int64
	Off_NTFS_RESIDENT_ATTRIBUTE_Attribute_id            int64
	Off_NTFS_RESIDENT_ATTRIBUTE_content_size            int64
	Off_NTFS_RESIDENT_ATTRIBUTE_content_offset          int64
	Off_STANDARD_INDEX_HEADER_MagicNumber               int64
	Off_STANDARD_INDEX_HEADER_Fixup_offset              int64
	Off_STANDARD_INDEX_HEADER_Fixup_count               int64
	Off_STANDARD_INDEX_HEADER_LogFileSeqNum             int64
	Off_STANDARD_INDEX_HEADER_VcnOfINDX                 int64
	Off_STANDARD_INDEX_HEADER_Node                      int64
	Off_STANDARD_INFORMATION_Create_time                int64
	Off_STANDARD_INFORMATION_File_altered_time          int64
	Off_STANDARD_INFORMATION_Mft_altered_time           int64
	Off_STANDARD_INFORMATION_File_accessed_time         int64
	Off_STANDARD_INFORMATION_Flags                      int64
	Off_STANDARD_INFORMATION_Max_versions               int64
	Off_STANDARD_INFORMATION_Version                    int64
	Off_STANDARD_INFORMATION_Class_id                   int64
	Off_STANDARD_INFORMATION_Owner_id                   int64
	Off_STANDARD_INFORMATION_Sid                        int64
	Off_STANDARD_INFORMATION_Quota                      int64
	Off_STANDARD_INFORMATION_Usn                        int64
	Off_USN_RECORD_V2_RecordLength                      int64
	Off_USN_RECORD_V2_MajorVersion                      int64
	Off_USN_RECORD_V2_MinorVersion                      int64
	Off_USN_RECORD_V2_FileReferenceNumberSequence       int64
	Off_USN_RECORD_V2_FileReferenceNumberID             int64
	Off_USN_RECORD_V2_ParentFileReferenceNumberSequence int64
	Off_USN_RECORD_V2_ParentFileReferenceNumberID       int64
	Off_USN_RECORD_V2_Usn                               int64
	Off_USN_RECORD_V2_TimeStamp                         int64
	Off_USN_RECORD_V2_Reason                            int64
	Off_USN_RECORD_V2_SourceInfo                        int64
	Off_USN_RECORD_V2_SecurityId                        int64
	Off_USN_RECORD_V2_FileAttributes                    int64
	Off_USN_RECORD_V2_FileNameLength                    int64
	Off_USN_RECORD_V2_FileNameOffset                    int64
	Off_VSS_CATALOG_ENTRY_1_EntryType                   int64
	Off_VSS_CATALOG_ENTRY_2_EntryType                   int64
	Off_VSS_CATALOG_ENTRY_2_VolumeSize                  int64
	Off_VSS_CATALOG_ENTRY_2_StoreGUID                   int64
	Off_VSS_CATALOG_ENTRY_2_CreationTime                int64
	Off_VSS_CATALOG_ENTRY_3_EntryType                   int64
	Off_VSS_CATALOG_ENTRY_3_StoreBlockListOffset        int64
	Off_VSS_CATALOG_ENTRY_3_StoreGUID                   int64
	Off_VSS_CATALOG_ENTRY_3_StoreHeaderOffset           int64
	Off_VSS_CATALOG_ENTRY_3_StoreBlockRangeListOffset   int64
	Off_VSS_CATALOG_ENTRY_3_StoreBitmapOffset           int64
	Off_VSS_CATALOG_ENTRY_3_NTFSFileReference           int64
	Off_VSS_CATALOG_ENTRY_3_AllocatedSize               int64
	Off_VSS_CATALOG_ENTRY_3_StorePreviousBitmapOffset   int64
	Off_VSS_CATALOG_HEADER_Identifier                   int64
	Off_VSS_CATALOG_HEADER_Version                      int64
	Off_VSS_CATALOG_HEADER_RecordType                   int64
	Off_VSS_CATALOG_HEADER_RelativeOffset               int64
	Off_VSS_CATALOG_HEADER_CurrentOffset                int64
	Off_VSS_CATALOG_HEADER_NextOffset                   int64
	Off_VSS_STORE_BLOCK_HEADER_Identifier               int64
	Off_VSS_STORE_BLOCK_HEADER_Version                  int64
	Off_VSS_STORE_BLOCK_HEADER_RecordType               int64
	Off_VSS_STORE_BLOCK_HEADER_RelativeOffset           int64
	Off_VSS_STORE_BLOCK_HEADER_CurrentOffset            int64
	Off_VSS_STORE_BLOCK_HEADER_NextOffset               int64
	Off_VSS_STORE_BLOCK_HEADER_SizeOfStore              int64
	Off_VSS_STORE_INFORMATION_ShadowCopyGUID            int64
	Off_VSS_STORE_INFORMATION_ShadowCopySetGUID         int64
	Off_VSS_STORE_INFORMATION_SnapshotContext           int64
	Off_VSS_STORE_INFORMATION_AttributeFlags            int64
	Off_VSS_VOLUME_HEADER_Identifier                    int64
	Off_VSS_VOLUME_HEADER_Version                       int64
	Off_VSS_VOLUME_HEADER_RecordType                    int64
	Off_VSS_VOLUME_HEADER_CurrentOffset                 int64
	Off_VSS_VOLUME_HEADER_CatalogOffset                 int64
	Off_VSS_VOLUME_HEADER_MaxSize                       int64
	Off_VSS_VOLUME_HEADER_VolumeGUID                    int64
	Off_VSS_VOLUME_HEADER_ShadowVolumeGUID              int64
}

func NewNTFSProfile

func NewNTFSProfile() *NTFSProfile

func (*NTFSProfile) ATTRIBUTE_LIST_ENTRY

func (self *NTFSProfile) ATTRIBUTE_LIST_ENTRY(reader io.ReaderAt, offset int64) *ATTRIBUTE_LIST_ENTRY

func (*NTFSProfile) FILE_NAME

func (self *NTFSProfile) FILE_NAME(reader io.ReaderAt, offset int64) *FILE_NAME

func (*NTFSProfile) GUID

func (self *NTFSProfile) GUID(reader io.ReaderAt, offset int64) *GUID

func (*NTFSProfile) INDEX_NODE_HEADER

func (self *NTFSProfile) INDEX_NODE_HEADER(reader io.ReaderAt, offset int64) *INDEX_NODE_HEADER

func (*NTFSProfile) INDEX_RECORD_ENTRY

func (self *NTFSProfile) INDEX_RECORD_ENTRY(reader io.ReaderAt, offset int64) *INDEX_RECORD_ENTRY

func (*NTFSProfile) INDEX_ROOT

func (self *NTFSProfile) INDEX_ROOT(reader io.ReaderAt, offset int64) *INDEX_ROOT

func (*NTFSProfile) MFT_ENTRY

func (self *NTFSProfile) MFT_ENTRY(reader io.ReaderAt, offset int64) *MFT_ENTRY

func (*NTFSProfile) NTFS_ATTRIBUTE

func (self *NTFSProfile) NTFS_ATTRIBUTE(reader io.ReaderAt, offset int64) *NTFS_ATTRIBUTE

func (*NTFSProfile) NTFS_BOOT_SECTOR

func (self *NTFSProfile) NTFS_BOOT_SECTOR(reader io.ReaderAt, offset int64) *NTFS_BOOT_SECTOR

func (*NTFSProfile) NTFS_RESIDENT_ATTRIBUTE

func (self *NTFSProfile) NTFS_RESIDENT_ATTRIBUTE(reader io.ReaderAt, offset int64) *NTFS_RESIDENT_ATTRIBUTE

func (*NTFSProfile) STANDARD_INDEX_HEADER

func (self *NTFSProfile) STANDARD_INDEX_HEADER(reader io.ReaderAt, offset int64) *STANDARD_INDEX_HEADER

func (*NTFSProfile) STANDARD_INFORMATION

func (self *NTFSProfile) STANDARD_INFORMATION(reader io.ReaderAt, offset int64) *STANDARD_INFORMATION

func (*NTFSProfile) USN_RECORD_V2

func (self *NTFSProfile) USN_RECORD_V2(reader io.ReaderAt, offset int64) *USN_RECORD_V2

func (*NTFSProfile) VSS_CATALOG_ENTRY_1

func (self *NTFSProfile) VSS_CATALOG_ENTRY_1(reader io.ReaderAt, offset int64) *VSS_CATALOG_ENTRY_1

func (*NTFSProfile) VSS_CATALOG_ENTRY_2

func (self *NTFSProfile) VSS_CATALOG_ENTRY_2(reader io.ReaderAt, offset int64) *VSS_CATALOG_ENTRY_2

func (*NTFSProfile) VSS_CATALOG_ENTRY_3

func (self *NTFSProfile) VSS_CATALOG_ENTRY_3(reader io.ReaderAt, offset int64) *VSS_CATALOG_ENTRY_3

func (*NTFSProfile) VSS_CATALOG_HEADER

func (self *NTFSProfile) VSS_CATALOG_HEADER(reader io.ReaderAt, offset int64) *VSS_CATALOG_HEADER

func (*NTFSProfile) VSS_STORE_BLOCK_HEADER

func (self *NTFSProfile) VSS_STORE_BLOCK_HEADER(reader io.ReaderAt, offset int64) *VSS_STORE_BLOCK_HEADER

func (*NTFSProfile) VSS_STORE_INFORMATION

func (self *NTFSProfile) VSS_STORE_INFORMATION(reader io.ReaderAt, offset int64) *VSS_STORE_INFORMATION

func (*NTFSProfile) VSS_VOLUME_HEADER

func (self *NTFSProfile) VSS_VOLUME_HEADER(reader io.ReaderAt, offset int64) *VSS_VOLUME_HEADER

func (*NTFSProfile) WinFileTime

func (self *NTFSProfile) WinFileTime(reader io.ReaderAt, offset int64) *WinFileTime

type NTFS_ATTRIBUTE

type NTFS_ATTRIBUTE struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *NTFSProfile
	// contains filtered or unexported fields
}

func GetAllVCNs

func GetAllVCNs(ntfs *NTFSContext,
	mft_entry *MFT_ENTRY, attr_type uint64, required_attr_id uint16,
	required_data_attr_name string) []*NTFS_ATTRIBUTE

Get all VCNs that have either (the same type and ID, for the default $DATA stream) or (the $DATA type with a specific name).

func NewNTFS_ATTRIBUTE

func NewNTFS_ATTRIBUTE(Reader io.ReaderAt,
	Offset int64, Profile *NTFSProfile) *NTFS_ATTRIBUTE

func (*NTFS_ATTRIBUTE) Actual_size

func (self *NTFS_ATTRIBUTE) Actual_size() uint64

func (*NTFS_ATTRIBUTE) Allocated_size

func (self *NTFS_ATTRIBUTE) Allocated_size() uint64

func (*NTFS_ATTRIBUTE) Attribute_id

func (self *NTFS_ATTRIBUTE) Attribute_id() uint16

func (*NTFS_ATTRIBUTE) Compression_unit_size

func (self *NTFS_ATTRIBUTE) Compression_unit_size() uint16

func (*NTFS_ATTRIBUTE) Content_offset

func (self *NTFS_ATTRIBUTE) Content_offset() uint16

func (*NTFS_ATTRIBUTE) Content_size

func (self *NTFS_ATTRIBUTE) Content_size() uint32

func (*NTFS_ATTRIBUTE) Data

func (self *NTFS_ATTRIBUTE) Data(ntfs *NTFSContext) io.ReaderAt

Returns the data stream in this attribute. NOTE: A normal file may consist of multiple separate data streams (VCNs). To read a file you will need to call OpenStream() below.

func (*NTFS_ATTRIBUTE) DataSize

func (self *NTFS_ATTRIBUTE) DataSize() int64

func (*NTFS_ATTRIBUTE) DebugString

func (self *NTFS_ATTRIBUTE) DebugString() string

func (*NTFS_ATTRIBUTE) Flags

func (self *NTFS_ATTRIBUTE) Flags() *EntryFlags

func (*NTFS_ATTRIBUTE) Initialized_size

func (self *NTFS_ATTRIBUTE) Initialized_size() uint64

func (*NTFS_ATTRIBUTE) IsResident

func (self *NTFS_ATTRIBUTE) IsResident() bool

func (*NTFS_ATTRIBUTE) Length

func (self *NTFS_ATTRIBUTE) Length() uint32

func (*NTFS_ATTRIBUTE) Name

func (self *NTFS_ATTRIBUTE) Name() string

func (*NTFS_ATTRIBUTE) PrintStats

func (self *NTFS_ATTRIBUTE) PrintStats(ntfs *NTFSContext) string

func (*NTFS_ATTRIBUTE) Resident

func (self *NTFS_ATTRIBUTE) Resident() *Enumeration

func (*NTFS_ATTRIBUTE) RunList

func (self *NTFS_ATTRIBUTE) RunList() []*Run

func (*NTFS_ATTRIBUTE) Runlist_offset

func (self *NTFS_ATTRIBUTE) Runlist_offset() uint16

func (*NTFS_ATTRIBUTE) Runlist_vcn_end

func (self *NTFS_ATTRIBUTE) Runlist_vcn_end() uint64

func (*NTFS_ATTRIBUTE) Runlist_vcn_start

func (self *NTFS_ATTRIBUTE) Runlist_vcn_start() uint64

func (*NTFS_ATTRIBUTE) Size

func (self *NTFS_ATTRIBUTE) Size() int

func (*NTFS_ATTRIBUTE) Type

func (self *NTFS_ATTRIBUTE) Type() *Enumeration

type NTFS_BOOT_SECTOR

type NTFS_BOOT_SECTOR struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *NTFSProfile
}

func (*NTFS_BOOT_SECTOR) BlockCount

func (self *NTFS_BOOT_SECTOR) BlockCount() int64

func (*NTFS_BOOT_SECTOR) ClusterSize

func (self *NTFS_BOOT_SECTOR) ClusterSize() int64

func (*NTFS_BOOT_SECTOR) DebugString

func (self *NTFS_BOOT_SECTOR) DebugString() string

func (*NTFS_BOOT_SECTOR) Index_record_size

func (self *NTFS_BOOT_SECTOR) Index_record_size() byte

func (*NTFS_BOOT_SECTOR) IsValid

func (self *NTFS_BOOT_SECTOR) IsValid() error

func (*NTFS_BOOT_SECTOR) Magic

func (self *NTFS_BOOT_SECTOR) Magic() uint16

func (*NTFS_BOOT_SECTOR) Oemname

func (self *NTFS_BOOT_SECTOR) Oemname() string

func (*NTFS_BOOT_SECTOR) RecordSize

func (self *NTFS_BOOT_SECTOR) RecordSize() int64

func (*NTFS_BOOT_SECTOR) Sector_size

func (self *NTFS_BOOT_SECTOR) Sector_size() uint16

func (*NTFS_BOOT_SECTOR) Serial

func (self *NTFS_BOOT_SECTOR) Serial() string

func (*NTFS_BOOT_SECTOR) Size

func (self *NTFS_BOOT_SECTOR) Size() int

type NTFS_RESIDENT_ATTRIBUTE

type NTFS_RESIDENT_ATTRIBUTE struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *NTFSProfile
}

func (*NTFS_RESIDENT_ATTRIBUTE) Attribute_id

func (self *NTFS_RESIDENT_ATTRIBUTE) Attribute_id() uint16

func (*NTFS_RESIDENT_ATTRIBUTE) DebugString

func (self *NTFS_RESIDENT_ATTRIBUTE) DebugString() string

func (*NTFS_RESIDENT_ATTRIBUTE) Length

func (self *NTFS_RESIDENT_ATTRIBUTE) Length() uint32

func (*NTFS_RESIDENT_ATTRIBUTE) Name_length

func (self *NTFS_RESIDENT_ATTRIBUTE) Name_length() byte

func (*NTFS_RESIDENT_ATTRIBUTE) Name_offset

func (self *NTFS_RESIDENT_ATTRIBUTE) Name_offset() uint16

func (*NTFS_RESIDENT_ATTRIBUTE) Resident

func (self *NTFS_RESIDENT_ATTRIBUTE) Resident() *Enumeration

func (*NTFS_RESIDENT_ATTRIBUTE) Size

func (self *NTFS_RESIDENT_ATTRIBUTE) Size() int

func (*NTFS_RESIDENT_ATTRIBUTE) Type

func (self *NTFS_RESIDENT_ATTRIBUTE) Type() *Enumeration

type NullReader

type NullReader struct{}

func (*NullReader) ReadAt

func (self *NullReader) ReadAt(buf []byte, offset int64) (int, error)

type OffsetReader

type OffsetReader struct {
	Offset int64
	Reader io.ReaderAt
}

func (*OffsetReader) ReadAt

func (self *OffsetReader) ReadAt(buf []byte, offset int64) (int, error)

type Options

// Options holds the settings for link (path) analysis: whether short
// names are included, how many links are retrieved, how deep directories
// are followed and which components are prepended to each result.
//
// NOTE(review): MaxLinks and MaxDirectoryDepth look like the bounds that
// keep path resolution finite on a corrupt or hostile image. How a zero
// value is treated (unlimited vs. a built-in default) is not shown on this
// page - confirm before relying on the zero value of this struct.
type Options struct {
	// Include short names in Link analysis
	IncludeShortNames bool

	// Max number of links to retrieve
	MaxLinks int

	// Maximum directory depth to analyze for paths.
	MaxDirectoryDepth int

	// These path components will be added in front of each link
	// generated.
	PrefixComponents []string
}

func GetDefaultOptions

func GetDefaultOptions() Options

type PagedReader

type PagedReader struct {
	Hits int64
	Miss int64
	// contains filtered or unexported fields
}

func NewPagedReader

func NewPagedReader(reader io.ReaderAt, pagesize int64, cache_size int) (*PagedReader, error)

func (*PagedReader) Flush

func (self *PagedReader) Flush()

func (*PagedReader) IsFixed

func (self *PagedReader) IsFixed(offset int64) bool

func (*PagedReader) ReadAt

func (self *PagedReader) ReadAt(buf []byte, offset int64) (int, error)

func (*PagedReader) VtoP

func (self *PagedReader) VtoP(offset int64) int64

type Range

type Range struct {
	// In bytes
	Offset, Length int64
	IsSparse       bool
}

type RangeReader

type RangeReader struct {
	// contains filtered or unexported fields
}

An io.ReaderAt which works off a sequence of runs. Each run is a mapping from filespace to another reader at a specific offset in the file address space.

func NewCompressedRangeReader

func NewCompressedRangeReader(
	runs []*Run,
	cluster_size int64,
	disk_reader io.ReaderAt,
	compression_unit_size int64) *RangeReader

func NewUncompressedRangeReader

func NewUncompressedRangeReader(
	runs []*Run,
	cluster_size int64,
	disk_reader io.ReaderAt,
	is_sparse bool) *RangeReader

func (*RangeReader) DebugString

func (self *RangeReader) DebugString() string

func (*RangeReader) IsFixed

func (self *RangeReader) IsFixed(offset int64) bool

func (*RangeReader) Ranges

func (self *RangeReader) Ranges() []Range

Combine the ranges from all the Mapped readers.

func (*RangeReader) ReadAt

func (self *RangeReader) ReadAt(buf []byte, file_offset int64) (
	int, error)

func (*RangeReader) VtoP

func (self *RangeReader) VtoP(offset int64) int64

type RangeReaderAt

type RangeReaderAt interface {
	io.ReaderAt

	Ranges() []Range
}

func GetDataForPath

func GetDataForPath(ntfs *NTFSContext, path string) (RangeReaderAt, error)

func OpenStream

func OpenStream(ntfs *NTFSContext,
	mft_entry *MFT_ENTRY, attr_type uint64, attr_id uint16, attr_name string) (RangeReaderAt, error)

Open the full stream. Note - In NTFS a stream can be composed of multiple VCN attributes: All VCN substreams have the same attribute type and id but different start and end VCNs. This function finds all related attributes and wraps them in a RangeReader to appear as a single stream. This function is what you need when you want to read the full file.

type Recorder

type Recorder struct {
	// contains filtered or unexported fields
}

func NewRecorder

func NewRecorder(path string, reader io.ReaderAt) *Recorder

func (*Recorder) ReadAt

func (self *Recorder) ReadAt(buf []byte, offset int64) (int, error)

type Run

type Run struct {
	Offset            int64
	RelativeUrnOffset int64
	Length            int64
}

type RunInfo

type RunInfo struct {
	Type             string
	Level            int
	FromOffset       int64
	ToOffset         int64
	Length           int64
	CompressedLength int64
	IsSparse         bool
	ClusterSize      int64
	Reader           string
}

func DebugRuns

func DebugRuns(stream RangeReaderAt, level int) []*RunInfo

func (RunInfo) String

func (self RunInfo) String() string

type STANDARD_INDEX_HEADER

type STANDARD_INDEX_HEADER struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *NTFSProfile
}

func DecodeSTANDARD_INDEX_HEADER

func DecodeSTANDARD_INDEX_HEADER(
	ntfs *NTFSContext, reader io.ReaderAt, offset int64, length int64) (
	*STANDARD_INDEX_HEADER, error)

The STANDARD_INDEX_HEADER has a second layer of fixups.

func (*STANDARD_INDEX_HEADER) DebugString

func (self *STANDARD_INDEX_HEADER) DebugString() string

func (*STANDARD_INDEX_HEADER) Fixup_count

func (self *STANDARD_INDEX_HEADER) Fixup_count() uint16

func (*STANDARD_INDEX_HEADER) Fixup_offset

func (self *STANDARD_INDEX_HEADER) Fixup_offset() uint16

func (*STANDARD_INDEX_HEADER) LogFileSeqNum

func (self *STANDARD_INDEX_HEADER) LogFileSeqNum() uint64

func (*STANDARD_INDEX_HEADER) MagicNumber

func (self *STANDARD_INDEX_HEADER) MagicNumber() *Signature

func (*STANDARD_INDEX_HEADER) Node

func (*STANDARD_INDEX_HEADER) Size

func (self *STANDARD_INDEX_HEADER) Size() int

func (*STANDARD_INDEX_HEADER) VcnOfINDX

func (self *STANDARD_INDEX_HEADER) VcnOfINDX() uint64

type STANDARD_INFORMATION

type STANDARD_INFORMATION struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *NTFSProfile
}

func (*STANDARD_INFORMATION) Class_id

func (self *STANDARD_INFORMATION) Class_id() uint32

func (*STANDARD_INFORMATION) Create_time

func (self *STANDARD_INFORMATION) Create_time() *WinFileTime

func (*STANDARD_INFORMATION) DebugString

func (self *STANDARD_INFORMATION) DebugString() string

func (*STANDARD_INFORMATION) File_accessed_time

func (self *STANDARD_INFORMATION) File_accessed_time() *WinFileTime

func (*STANDARD_INFORMATION) File_altered_time

func (self *STANDARD_INFORMATION) File_altered_time() *WinFileTime

func (*STANDARD_INFORMATION) Flags

func (self *STANDARD_INFORMATION) Flags() *Flags

func (*STANDARD_INFORMATION) Max_versions

func (self *STANDARD_INFORMATION) Max_versions() uint32

func (*STANDARD_INFORMATION) Mft_altered_time

func (self *STANDARD_INFORMATION) Mft_altered_time() *WinFileTime

func (*STANDARD_INFORMATION) Owner_id

func (self *STANDARD_INFORMATION) Owner_id() uint32

func (*STANDARD_INFORMATION) Quota

func (self *STANDARD_INFORMATION) Quota() uint64

func (*STANDARD_INFORMATION) Sid

func (self *STANDARD_INFORMATION) Sid() uint32

func (*STANDARD_INFORMATION) Size

func (self *STANDARD_INFORMATION) Size() int

func (*STANDARD_INFORMATION) Usn

func (self *STANDARD_INFORMATION) Usn() uint32

func (*STANDARD_INFORMATION) Version

func (self *STANDARD_INFORMATION) Version() uint32

type Signature

type Signature struct {
	// contains filtered or unexported fields
}

func (Signature) IsValid

func (self Signature) IsValid() bool

type Stats

type Stats struct {
	MFT_ENTRY            int
	NTFS_ATTRIBUTE       int
	ATTRIBUTE_LIST_ENTRY int
	STANDARD_INFORMATION int
	FILE_NAME            int
	FixUpDiskMFTEntry    int
	NTFSContext          int
	MFT_ENTRY_attributes int
	MFT_ENTRY_filenames  int
	// contains filtered or unexported fields
}

func (*Stats) DebugString

func (self *Stats) DebugString() string

func (*Stats) Inc_ATTRIBUTE_LIST_ENTRY

func (self *Stats) Inc_ATTRIBUTE_LIST_ENTRY()

func (*Stats) Inc_FILE_NAME

func (self *Stats) Inc_FILE_NAME()

func (*Stats) Inc_FixUpDiskMFTEntry

func (self *Stats) Inc_FixUpDiskMFTEntry()

func (*Stats) Inc_MFT_ENTRY

func (self *Stats) Inc_MFT_ENTRY()

func (*Stats) Inc_MFT_ENTRY_attributes

func (self *Stats) Inc_MFT_ENTRY_attributes()

func (*Stats) Inc_MFT_ENTRY_filenames

func (self *Stats) Inc_MFT_ENTRY_filenames()

func (*Stats) Inc_NTFSContext

func (self *Stats) Inc_NTFSContext()

func (*Stats) Inc_NTFS_ATTRIBUTE

func (self *Stats) Inc_NTFS_ATTRIBUTE()

func (*Stats) Inc_STANDARD_INFORMATION

func (self *Stats) Inc_STANDARD_INFORMATION()

type TimeStamps

type TimeStamps struct {
	CreateTime       time.Time
	FileModifiedTime time.Time
	MFTModifiedTime  time.Time
	AccessedTime     time.Time
}

type USN_RECORD

type USN_RECORD struct {
	*USN_RECORD_V2
	// contains filtered or unexported fields
}

func NewUSN_RECORD

func NewUSN_RECORD(ntfs *NTFSContext, reader io.ReaderAt, offset int64) *USN_RECORD

func (*USN_RECORD) DebugString

func (self *USN_RECORD) DebugString() string

func (*USN_RECORD) FileAttributes

func (self *USN_RECORD) FileAttributes() []string

func (*USN_RECORD) Filename

func (self *USN_RECORD) Filename() string

func (*USN_RECORD) FullPath

func (self *USN_RECORD) FullPath() string

Resolve the file to a full path

func (self *USN_RECORD) Links() []string

func (*USN_RECORD) Next

func (self *USN_RECORD) Next(max_offset int64) *USN_RECORD

func (*USN_RECORD) Reason

func (self *USN_RECORD) Reason() []string

func (*USN_RECORD) SourceInfo

func (self *USN_RECORD) SourceInfo() []string

func (*USN_RECORD) Validate

func (self *USN_RECORD) Validate() bool

type USN_RECORD_V2

type USN_RECORD_V2 struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *NTFSProfile
}

func (*USN_RECORD_V2) DebugString

func (self *USN_RECORD_V2) DebugString() string

func (*USN_RECORD_V2) FileAttributes

func (self *USN_RECORD_V2) FileAttributes() *Flags

func (*USN_RECORD_V2) FileNameLength

func (self *USN_RECORD_V2) FileNameLength() uint16

func (*USN_RECORD_V2) FileNameOffset

func (self *USN_RECORD_V2) FileNameOffset() uint16

func (*USN_RECORD_V2) FileReferenceNumberID

func (self *USN_RECORD_V2) FileReferenceNumberID() uint64

func (*USN_RECORD_V2) FileReferenceNumberSequence

func (self *USN_RECORD_V2) FileReferenceNumberSequence() uint64

func (*USN_RECORD_V2) MajorVersion

func (self *USN_RECORD_V2) MajorVersion() uint16

func (*USN_RECORD_V2) MinorVersion

func (self *USN_RECORD_V2) MinorVersion() uint16

func (*USN_RECORD_V2) ParentFileReferenceNumberID

func (self *USN_RECORD_V2) ParentFileReferenceNumberID() uint64

func (*USN_RECORD_V2) ParentFileReferenceNumberSequence

func (self *USN_RECORD_V2) ParentFileReferenceNumberSequence() uint64

func (*USN_RECORD_V2) Reason

func (self *USN_RECORD_V2) Reason() *Flags

func (*USN_RECORD_V2) RecordLength

func (self *USN_RECORD_V2) RecordLength() uint32

func (*USN_RECORD_V2) SecurityId

func (self *USN_RECORD_V2) SecurityId() uint32

func (*USN_RECORD_V2) Size

func (self *USN_RECORD_V2) Size() int

func (*USN_RECORD_V2) SourceInfo

func (self *USN_RECORD_V2) SourceInfo() *Flags

func (*USN_RECORD_V2) TimeStamp

func (self *USN_RECORD_V2) TimeStamp() *WinFileTime

func (*USN_RECORD_V2) Usn

func (self *USN_RECORD_V2) Usn() uint64

type VSS_CATALOG_ENTRY_1

type VSS_CATALOG_ENTRY_1 struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *NTFSProfile
}

func (*VSS_CATALOG_ENTRY_1) DebugString

func (self *VSS_CATALOG_ENTRY_1) DebugString() string

func (*VSS_CATALOG_ENTRY_1) EntryType

func (self *VSS_CATALOG_ENTRY_1) EntryType() int64

func (*VSS_CATALOG_ENTRY_1) Size

func (self *VSS_CATALOG_ENTRY_1) Size() int

type VSS_CATALOG_ENTRY_2

type VSS_CATALOG_ENTRY_2 struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *NTFSProfile
}

func (*VSS_CATALOG_ENTRY_2) CreationTime

func (self *VSS_CATALOG_ENTRY_2) CreationTime() *WinFileTime

func (*VSS_CATALOG_ENTRY_2) DebugString

func (self *VSS_CATALOG_ENTRY_2) DebugString() string

func (*VSS_CATALOG_ENTRY_2) EntryType

func (self *VSS_CATALOG_ENTRY_2) EntryType() int64

func (*VSS_CATALOG_ENTRY_2) Size

func (self *VSS_CATALOG_ENTRY_2) Size() int

func (*VSS_CATALOG_ENTRY_2) StoreGUID

func (self *VSS_CATALOG_ENTRY_2) StoreGUID() *GUID

func (*VSS_CATALOG_ENTRY_2) VolumeSize

func (self *VSS_CATALOG_ENTRY_2) VolumeSize() int64

type VSS_CATALOG_ENTRY_3

type VSS_CATALOG_ENTRY_3 struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *NTFSProfile
}

func (*VSS_CATALOG_ENTRY_3) AllocatedSize

func (self *VSS_CATALOG_ENTRY_3) AllocatedSize() int64

func (*VSS_CATALOG_ENTRY_3) DebugString

func (self *VSS_CATALOG_ENTRY_3) DebugString() string

func (*VSS_CATALOG_ENTRY_3) EntryType

func (self *VSS_CATALOG_ENTRY_3) EntryType() int64

func (*VSS_CATALOG_ENTRY_3) NTFSFileReference

func (self *VSS_CATALOG_ENTRY_3) NTFSFileReference() int64

func (*VSS_CATALOG_ENTRY_3) Size

func (self *VSS_CATALOG_ENTRY_3) Size() int

func (*VSS_CATALOG_ENTRY_3) StoreBitmapOffset

func (self *VSS_CATALOG_ENTRY_3) StoreBitmapOffset() int64

func (*VSS_CATALOG_ENTRY_3) StoreBlockListOffset

func (self *VSS_CATALOG_ENTRY_3) StoreBlockListOffset() int64

func (*VSS_CATALOG_ENTRY_3) StoreBlockRangeListOffset

func (self *VSS_CATALOG_ENTRY_3) StoreBlockRangeListOffset() int64

func (*VSS_CATALOG_ENTRY_3) StoreGUID

func (self *VSS_CATALOG_ENTRY_3) StoreGUID() *GUID

func (*VSS_CATALOG_ENTRY_3) StoreHeaderOffset

func (self *VSS_CATALOG_ENTRY_3) StoreHeaderOffset() int64

func (*VSS_CATALOG_ENTRY_3) StorePreviousBitmapOffset

func (self *VSS_CATALOG_ENTRY_3) StorePreviousBitmapOffset() int64

type VSS_CATALOG_HEADER

type VSS_CATALOG_HEADER struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *NTFSProfile
}

func (*VSS_CATALOG_HEADER) CurrentOffset

func (self *VSS_CATALOG_HEADER) CurrentOffset() int64

func (*VSS_CATALOG_HEADER) DebugString

func (self *VSS_CATALOG_HEADER) DebugString() string

func (*VSS_CATALOG_HEADER) Identifier

func (self *VSS_CATALOG_HEADER) Identifier() *GUID

func (*VSS_CATALOG_HEADER) NextOffset

func (self *VSS_CATALOG_HEADER) NextOffset() int64

func (*VSS_CATALOG_HEADER) RecordType

func (self *VSS_CATALOG_HEADER) RecordType() uint32

func (*VSS_CATALOG_HEADER) RelativeOffset

func (self *VSS_CATALOG_HEADER) RelativeOffset() int64

func (*VSS_CATALOG_HEADER) Size

func (self *VSS_CATALOG_HEADER) Size() int

func (*VSS_CATALOG_HEADER) Version

func (self *VSS_CATALOG_HEADER) Version() uint32

type VSS_STORE_BLOCK_HEADER

type VSS_STORE_BLOCK_HEADER struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *NTFSProfile
}

func (*VSS_STORE_BLOCK_HEADER) CurrentOffset

func (self *VSS_STORE_BLOCK_HEADER) CurrentOffset() int64

func (*VSS_STORE_BLOCK_HEADER) DebugString

func (self *VSS_STORE_BLOCK_HEADER) DebugString() string

func (*VSS_STORE_BLOCK_HEADER) Identifier

func (self *VSS_STORE_BLOCK_HEADER) Identifier() *GUID

func (*VSS_STORE_BLOCK_HEADER) NextOffset

func (self *VSS_STORE_BLOCK_HEADER) NextOffset() int64

func (*VSS_STORE_BLOCK_HEADER) RecordType

func (self *VSS_STORE_BLOCK_HEADER) RecordType() *Enumeration

func (*VSS_STORE_BLOCK_HEADER) RelativeOffset

func (self *VSS_STORE_BLOCK_HEADER) RelativeOffset() int64

func (*VSS_STORE_BLOCK_HEADER) Size

func (self *VSS_STORE_BLOCK_HEADER) Size() int

func (*VSS_STORE_BLOCK_HEADER) SizeOfStore

func (self *VSS_STORE_BLOCK_HEADER) SizeOfStore() int64

func (*VSS_STORE_BLOCK_HEADER) Version

func (self *VSS_STORE_BLOCK_HEADER) Version() uint32

type VSS_STORE_INFORMATION

type VSS_STORE_INFORMATION struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *NTFSProfile
}

func (*VSS_STORE_INFORMATION) AttributeFlags

func (self *VSS_STORE_INFORMATION) AttributeFlags() *Flags

func (*VSS_STORE_INFORMATION) DebugString

func (self *VSS_STORE_INFORMATION) DebugString() string

func (*VSS_STORE_INFORMATION) ShadowCopyGUID

func (self *VSS_STORE_INFORMATION) ShadowCopyGUID() *GUID

func (*VSS_STORE_INFORMATION) ShadowCopySetGUID

func (self *VSS_STORE_INFORMATION) ShadowCopySetGUID() *GUID

func (*VSS_STORE_INFORMATION) Size

func (self *VSS_STORE_INFORMATION) Size() int

func (*VSS_STORE_INFORMATION) SnapshotContext

func (self *VSS_STORE_INFORMATION) SnapshotContext() uint32

type VSS_VOLUME_HEADER

type VSS_VOLUME_HEADER struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *NTFSProfile
}

func (*VSS_VOLUME_HEADER) CatalogOffset

func (self *VSS_VOLUME_HEADER) CatalogOffset() int64

func (*VSS_VOLUME_HEADER) CurrentOffset

func (self *VSS_VOLUME_HEADER) CurrentOffset() int64

func (*VSS_VOLUME_HEADER) DebugString

func (self *VSS_VOLUME_HEADER) DebugString() string

func (*VSS_VOLUME_HEADER) Identifier

func (self *VSS_VOLUME_HEADER) Identifier() *GUID

func (*VSS_VOLUME_HEADER) MaxSize

func (self *VSS_VOLUME_HEADER) MaxSize() uint64

func (*VSS_VOLUME_HEADER) RecordType

func (self *VSS_VOLUME_HEADER) RecordType() uint32

func (*VSS_VOLUME_HEADER) ShadowVolumeGUID

func (self *VSS_VOLUME_HEADER) ShadowVolumeGUID() *GUID

func (*VSS_VOLUME_HEADER) Size

func (self *VSS_VOLUME_HEADER) Size() int

func (*VSS_VOLUME_HEADER) Version

func (self *VSS_VOLUME_HEADER) Version() uint32

func (*VSS_VOLUME_HEADER) VolumeGUID

func (self *VSS_VOLUME_HEADER) VolumeGUID() *GUID

type Visitor

type Visitor struct {
	Paths [][]string
	Max   int

	IncludeShortNames bool
	Prefix            []string
}

func (*Visitor) Add

func (self *Visitor) Add(idx int, depth int) int

func (*Visitor) AddComponent

func (self *Visitor) AddComponent(idx int, component string)

func (*Visitor) Components

func (self *Visitor) Components() [][]string

type VtoPer

type VtoPer interface {
	VtoP(offset int64) int64
}

A reader may be able to tell us about the physical layer it is reading from.

type WinFileTime

type WinFileTime struct {
	time.Time
}

A WinFileTime object is a timestamp in Windows FILETIME format.

func (*WinFileTime) DebugString

func (self *WinFileTime) DebugString() string

func (*WinFileTime) GoString

func (self *WinFileTime) GoString() string
