Documentation ¶
Overview ¶
Implement some easy APIs.
Index ¶
- Constants
- Variables
- func AddParsers(profile *vtypes.Profile)
- func Debug(arg interface{})
- func DebugPrint(fmt_str string, v ...interface{})
- func GetDataForPath(path string, root *MFT_ENTRY) (io.ReaderAt, error)
- func GetFullPath(mft_entry *MFT_ENTRY) (string, error)
- func GetProfile() (*vtypes.Profile, error)
- func LZNT1Decompress(in []byte) ([]byte, error)
- func LZNT1Printf(fmt_str string, args ...interface{})
- func ParseMFTId(mft_id string) (mft_idx int64, attr int64, id int64, err error)
- func Printf(fmt_str string, args ...interface{})
- func UTF16ToString(bytes []byte) string
- type ATTRIBUTE_LIST_ENTRY
- type DATA
- type EvictCallback
- type FILE_NAME
- type FileInfo
- type FilenameInfo
- type GenericRun
- type INDEX_NODE_HEADER
- type INDEX_RECORD_ENTRY
- type LRU
- func (c *LRU) Add(key int, value interface{}) (evicted bool)
- func (c *LRU) Contains(key int) (ok bool)
- func (c *LRU) Get(key int) (value interface{}, ok bool)
- func (c *LRU) GetOldest() (key int, value interface{}, ok bool)
- func (c *LRU) Keys() []int
- func (c *LRU) Len() int
- func (c *LRU) Peek(key int) (value interface{}, ok bool)
- func (c *LRU) Purge()
- func (c *LRU) Remove(key int) (present bool)
- func (c *LRU) RemoveOldest() (key int, value interface{}, ok bool)
- type MFT_ENTRY
- func (self *MFT_ENTRY) Attributes() []*NTFS_ATTRIBUTE
- func (self *MFT_ENTRY) Data(attr_type, id int64) io.ReaderAt
- func (self *MFT_ENTRY) DebugString() string
- func (self *MFT_ENTRY) Dir() []*INDEX_RECORD_ENTRY
- func (self *MFT_ENTRY) DirNodes() []*INDEX_NODE_HEADER
- func (self *MFT_ENTRY) FileName() []*FILE_NAME
- func (self *MFT_ENTRY) IsDir() bool
- func (self *MFT_ENTRY) MFTEntry(id int64) (*MFT_ENTRY, error)
- func (self *MFT_ENTRY) Offset() int64
- func (self *MFT_ENTRY) Open(filename string) (*MFT_ENTRY, error)
- func (self *MFT_ENTRY) Reader() io.ReaderAt
- func (self *MFT_ENTRY) StandardInformation() (*STANDARD_INFORMATION, error)
- type MapReader
- type NTFSFileInformation
- type NTFS_ATTRIBUTE
- func (self *NTFS_ATTRIBUTE) Data() io.ReaderAt
- func (self *NTFS_ATTRIBUTE) DebugString() string
- func (self *NTFS_ATTRIBUTE) Decode() (vtypes.Object, error)
- func (self *NTFS_ATTRIBUTE) IsResident() bool
- func (self *NTFS_ATTRIBUTE) Name() string
- func (self *NTFS_ATTRIBUTE) RunList() []Run
- func (self *NTFS_ATTRIBUTE) Size() int64
- type NTFS_BOOT_SECTOR
- type PagedReader
- type ReaderRun
- type Run
- type RunReader
- type STANDARD_INDEX_HEADER
- type STANDARD_INFORMATION
- type TimeStamps
- type WinFileTimeParser
- func (self *WinFileTimeParser) AsDate(offset int64, reader io.ReaderAt) time.Time
- func (self *WinFileTimeParser) AsInteger(offset int64, reader io.ReaderAt) int64
- func (self *WinFileTimeParser) AsString(offset int64, reader io.ReaderAt) string
- func (self WinFileTimeParser) Copy() vtypes.Parser
- func (self *WinFileTimeParser) DebugString(offset int64, reader io.ReaderAt) string
Constants ¶
const NTFS_PROFILE = `` /* 8535-byte string literal not displayed */
Variables ¶
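// Debug switches for the package. The declaration is restored to one
// variable per line; collapsed onto a single line it is not valid Go.
var (
	// LZNT1_debug starts out false. Presumably it gates the output of
	// LZNT1Printf — confirm against the decompressor source.
	LZNT1_debug = false

	// NTFS_DEBUG is a nil *bool until something assigns it, so any code
	// reading it has to nil-check before dereferencing.
	NTFS_DEBUG *bool
)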
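// Bit masks over a 16-bit value. The declaration is restored to one variable
// per line; collapsed onto a single line it is not valid Go.
// NOTE(review): these look like the fields of an LZNT1 chunk header (the
// package exports LZNT1Decompress) — confirm against the decompressor before
// relying on that reading.
var (
	// COMPRESSED_MASK selects bit 15 (0x8000).
	COMPRESSED_MASK = uint16(1 << 15)

	// SIGNATURE_MASK selects bits 12 and 13 (0x3000).
	SIGNATURE_MASK = uint16(3 << 12)

	// SIZE_MASK selects the low 12 bits (0x0fff).
	// NOTE(review): if the masked value is used as a length read from
	// on-disk data, it should be checked against the bytes actually
	// available before any slicing — confirm the caller does this.
	SIZE_MASK = uint16(1<<12) - 1
)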
Functions ¶
func AddParsers ¶
func DebugPrint ¶
func DebugPrint(fmt_str string, v ...interface{})
func GetFullPath ¶
Traverse upward from the MFT entry, attempting to find each owner in turn until the root is reached. Returns the full path of the MFT entry.
func GetProfile ¶
func LZNT1Decompress ¶
func LZNT1Printf ¶
func LZNT1Printf(fmt_str string, args ...interface{})
func UTF16ToString ¶
Types ¶
type ATTRIBUTE_LIST_ENTRY ¶
func (*ATTRIBUTE_LIST_ENTRY) Attributes ¶
func (self *ATTRIBUTE_LIST_ENTRY) Attributes() []*NTFS_ATTRIBUTE
func (*ATTRIBUTE_LIST_ENTRY) GetAttribute ¶
func (self *ATTRIBUTE_LIST_ENTRY) GetAttribute() (*NTFS_ATTRIBUTE, error)
type DATA ¶
// DATA wraps an NTFS attribute by embedding *NTFS_ATTRIBUTE, so the
// attribute's methods are promoted onto DATA. The embedded pointer is nil in
// a zero-value DATA. NOTE(review): presumably this models the $DATA
// attribute — confirm against the attribute decoder.
type DATA struct {
	*NTFS_ATTRIBUTE
}
type EvictCallback ¶
type EvictCallback func(key int, value interface{})
EvictCallback is used to get a callback when a cache entry is evicted
type FILE_NAME ¶
func (*FILE_NAME) DebugString ¶
type FileInfo ¶
type FilenameInfo ¶
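// FilenameInfo is the element type of NTFSFileInformation.Filenames.
// The declaration is restored to one field per line; collapsed onto a single
// line it is not valid Go.
type FilenameInfo struct {
	// Times holds the timestamps associated with this name.
	// NOTE(review): presumably taken from a $FILE_NAME attribute — confirm.
	Times TimeStamps
	// Type is a string label for the name; its possible values are not
	// shown on this page.
	Type string
	// Name is the file name.
	Name string
}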
type INDEX_NODE_HEADER ¶
type INDEX_RECORD_ENTRY ¶
type LRU ¶
type LRU struct {
// contains filtered or unexported fields
}
LRU implements a thread safe fixed size LRU cache
func NewLRU ¶
func NewLRU(size int, onEvict EvictCallback) (*LRU, error)
NewLRU constructs an LRU of the given size
func (*LRU) Contains ¶
Contains checks if a key is in the cache, without updating the recent-ness or deleting it for being stale.
func (*LRU) Peek ¶
Peek returns the key value (or undefined if not found) without updating the "recently used"-ness of the key.
func (*LRU) Remove ¶
Remove removes the provided key from the cache, returning whether the key was contained.
func (*LRU) RemoveOldest ¶
RemoveOldest removes the oldest item from the cache.
type MFT_ENTRY ¶
Represents a single MFT entry. This can only be created using NTFS_BOOT_SECTOR.MFT().
func (*MFT_ENTRY) Attributes ¶
func (self *MFT_ENTRY) Attributes() []*NTFS_ATTRIBUTE
func (*MFT_ENTRY) DebugString ¶
func (*MFT_ENTRY) Dir ¶
func (self *MFT_ENTRY) Dir() []*INDEX_RECORD_ENTRY
func (*MFT_ENTRY) DirNodes ¶
func (self *MFT_ENTRY) DirNodes() []*INDEX_NODE_HEADER
func (*MFT_ENTRY) MFTEntry ¶
Convenience method used to extract another MFT entry from the same table used by the current entry.
func (*MFT_ENTRY) Open ¶
Open the MFT entry specified by a path name. Walks all directory indexes in the path to find the right MFT entry.
func (*MFT_ENTRY) StandardInformation ¶
func (self *MFT_ENTRY) StandardInformation() ( *STANDARD_INFORMATION, error)
Extract the $STANDARD_INFORMATION attribute from the MFT.
type MapReader ¶
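// MapReader stitches several readers, each mapped at its own offset, into a
// single reader. The declaration is restored to multiple lines: collapsed
// onto one line, the inline comment swallows the Runs field and the closing
// brace.
type MapReader struct {
	// Very simple for now.
	//
	// Runs lists the mapped pieces. NOTE(review): whether the runs must be
	// sorted or non-overlapping is not shown on this page — confirm before
	// building a MapReader by hand.
	Runs []*GenericRun
}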
Stitch together several different readers mapped at different offsets. In NTFS, a file's data consists of multiple $DATA streams, each having the same id. These different streams are mapped at different runlist_vcn_start to runlist_vcn_end (VCN = Virtual Cluster Number: the cluster number within the file's data). This reader combines these different readers into a single continuous form.
type NTFSFileInformation ¶
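// NTFSFileInformation is the summary type returned by ModelMFTEntry for an
// MFT entry. The declaration is restored to one field per line; collapsed
// onto a single line it is not valid Go.
type NTFSFileInformation struct {
	// FullPath is the entry's path as a string.
	FullPath string
	// MFTID is the entry's identifier in the MFT.
	MFTID int64
	// Size is a size in int64; NOTE(review): presumably the byte size of the
	// file's data — confirm which attribute it is read from.
	Size int64
	// Allocated reports the entry's allocation state.
	Allocated bool
	// IsDir reports whether the entry is a directory.
	IsDir bool
	// SI_Times may be nil. NOTE(review): the name suggests the timestamps of
	// the $STANDARD_INFORMATION attribute — confirm. If so, comparing them
	// with Filenames[i].Times is a common check for altered timestamps.
	SI_Times *TimeStamps
	// Filenames holds one FilenameInfo per name recorded for the entry.
	Filenames []*FilenameInfo
}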
func ModelMFTEntry ¶
func ModelMFTEntry(mft_entry *MFT_ENTRY) (*NTFSFileInformation, error)
type NTFS_ATTRIBUTE ¶
func (*NTFS_ATTRIBUTE) Data ¶
func (self *NTFS_ATTRIBUTE) Data() io.ReaderAt
func (*NTFS_ATTRIBUTE) DebugString ¶
func (self *NTFS_ATTRIBUTE) DebugString() string
func (*NTFS_ATTRIBUTE) IsResident ¶
func (self *NTFS_ATTRIBUTE) IsResident() bool
func (*NTFS_ATTRIBUTE) Name ¶
func (self *NTFS_ATTRIBUTE) Name() string
func (*NTFS_ATTRIBUTE) RunList ¶
func (self *NTFS_ATTRIBUTE) RunList() []Run
func (*NTFS_ATTRIBUTE) Size ¶
func (self *NTFS_ATTRIBUTE) Size() int64
type NTFS_BOOT_SECTOR ¶
func NewBootRecord ¶
func NewBootRecord(profile *vtypes.Profile, reader io.ReaderAt, offset int64) ( *NTFS_BOOT_SECTOR, error)
NTFS Parsing starts with the boot record.
func (*NTFS_BOOT_SECTOR) BlockCount ¶
func (self *NTFS_BOOT_SECTOR) BlockCount() int64
func (*NTFS_BOOT_SECTOR) ClusterSize ¶
func (self *NTFS_BOOT_SECTOR) ClusterSize() int64
func (*NTFS_BOOT_SECTOR) MFT ¶
func (self *NTFS_BOOT_SECTOR) MFT() (*MFT_ENTRY, error)
func (*NTFS_BOOT_SECTOR) RecordSize ¶
func (self *NTFS_BOOT_SECTOR) RecordSize() int64
type PagedReader ¶
type PagedReader struct {
// contains filtered or unexported fields
}
func NewPagedReader ¶
type ReaderRun ¶
func MakeReaderRuns ¶
Convert the NTFS relative runlist into an absolute run list.
type RunReader ¶
type RunReader struct {
// contains filtered or unexported fields
}
An io.ReaderAt which works off runs.
func NewCompressedRunReader ¶
func NewCompressedRunReader(runs []Run, attr *NTFS_ATTRIBUTE, compression_unit_size int64) *RunReader
func NewRunReader ¶
func NewRunReader(runs []Run, attr *NTFS_ATTRIBUTE) *RunReader
type STANDARD_INDEX_HEADER ¶
func NewSTANDARD_INDEX_HEADER ¶
func NewSTANDARD_INDEX_HEADER(attr *NTFS_ATTRIBUTE, offset int64, length int64) ( *STANDARD_INDEX_HEADER, error)
The STANDARD_INDEX_HEADER has a second layer of fixups.
type STANDARD_INFORMATION ¶
type TimeStamps ¶
type WinFileTimeParser ¶
func (*WinFileTimeParser) AsInteger ¶
func (self *WinFileTimeParser) AsInteger(offset int64, reader io.ReaderAt) int64
func (*WinFileTimeParser) AsString ¶
func (self *WinFileTimeParser) AsString(offset int64, reader io.ReaderAt) string
func (WinFileTimeParser) Copy ¶
func (self WinFileTimeParser) Copy() vtypes.Parser
func (*WinFileTimeParser) DebugString ¶
func (self *WinFileTimeParser) DebugString(offset int64, reader io.ReaderAt) string