GoFor_MFT_Parser

package module
v0.0.0-...-8c9a74e Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 12, 2019 License: MPL-2.0 Imports: 14 Imported by: 0

README

GoFor-MFT-Parser

Work in progress...

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ConvertLittleEndianByteSliceToInt64 

func ConvertLittleEndianByteSliceToInt64(inBytes []byte) (outInt64 int64)

Convert a byte slice to a little endian int64.

func ConvertLittleEndianByteSliceToUInt64 

func ConvertLittleEndianByteSliceToUInt64(inBytes []byte) (outUint64 uint64)

Convert a byte slice to a little endian uint64.

func CreateDirectoryList 

func CreateDirectoryList(inboundBuffer *chan []byte, directoryListChannel *chan map[uint64]Directory, waitGroup *sync.WaitGroup)

Creates a list of directories from a channel of MFR record bytes.

func ParseMFT 

func ParseMFT(mftFilePath, outFileName string) (err error)

Parse an already extracted MFT and write the results to a file.

func ParseTimestamp 

func ParseTimestamp(timestampBytes []byte) (timestamp string)

Parse a byte slice containing a unix timestamp and convert it to a timestamp string.

Types

type AttributeInfo 

type AttributeInfo struct {
	AttributeType  byte
	AttributeBytes []byte
}

type DataAttributes 

type DataAttributes struct {
	TotalSize                 uint8
	FlagResident              bool
	ResidentDataAttributes    ResidentDataAttributes
	NonResidentDataAttributes NonResidentDataAttributes
}

type DataRun 

type DataRun struct {
	AbsoluteOffset int64
	Length         int64
}

type Directory 

type Directory struct {
	DirectoryName      string
	ParentRecordNumber uint64
}

type DirectoryList 

type DirectoryList map[uint64]Directory

type FileNameAttributes 

type FileNameAttributes struct {
	FnCreated               string
	FnModified              string
	FnAccessed              string
	FnChanged               string
	FlagResident            bool
	FlagNamed               bool
	NamedSize               byte
	AttributeSize           uint32
	ParentDirRecordNumber   uint64
	ParentDirSequenceNumber uint16
	LogicalFileSize         uint64
	PhysicalFileSize        uint64
	FileNameFlags           FileNameFlags
	FileNameLength          byte
	FileNamespace           string
	FileName                string
}

type FileNameFlags 

type FileNameFlags struct {
	ReadOnly          bool
	Hidden            bool
	System            bool
	Archive           bool
	Device            bool
	Normal            bool
	Temporary         bool
	Sparse            bool
	Reparse           bool
	Compressed        bool
	Offline           bool
	NotContentIndexed bool
	Encrypted         bool
	Directory         bool
	IndexView         bool
}

type MappedDirectories 

type MappedDirectories map[uint64]string

type MasterFileTableRecord 

type MasterFileTableRecord struct {
	BytesPerCluster               int64
	RecordHeader                  RecordHeader
	StandardInformationAttributes StandardInformationAttributes
	FileNameAttributes            []FileNameAttributes
	DataAttributes                DataAttributes
	MftRecordBytes                []byte
	AttributeInfo                 []AttributeInfo
}

func (*MasterFileTableRecord) CheckForRecordHeader 

func (mftRecord *MasterFileTableRecord) CheckForRecordHeader() (recordHeaderPresent bool)

Verifies that the bytes receives is actually an MFT record. All MFT records start with "FILE0".

func (*MasterFileTableRecord) GetAttributeList 

func (mftRecord *MasterFileTableRecord) GetAttributeList() (err error)

Get MFT record attributes list.

func (*MasterFileTableRecord) GetDataAttribute 

func (mftRecord *MasterFileTableRecord) GetDataAttribute() (err error)

func (*MasterFileTableRecord) GetFileNameAttributes 

func (mftRecord *MasterFileTableRecord) GetFileNameAttributes() (err error)

func (*MasterFileTableRecord) GetRecordHeader 

func (mftRecord *MasterFileTableRecord) GetRecordHeader()

func (*MasterFileTableRecord) GetStandardInformationAttribute 

func (mftRecord *MasterFileTableRecord) GetStandardInformationAttribute() (err error)

func (*MasterFileTableRecord) ParseMFTRecord 

func (mftRecord *MasterFileTableRecord) ParseMFTRecord() (err error)

Parse the bytes of an MFT record

func (*MasterFileTableRecord) QuickDirectoryCheck 

func (mftRecord *MasterFileTableRecord) QuickDirectoryCheck()

Quickly checks the bytes of an MFT record to determine if it is a Directory or not.

func (*MasterFileTableRecord) TrimMFTRecordSlackSpace 

func (mftRecord *MasterFileTableRecord) TrimMFTRecordSlackSpace()

Trims off slack space after end sequence 0xffffffff

type MftFile 

type MftFile struct {
	FileHandle        *os.File
	MappedDirectories map[uint64]string
	OutputChannel     chan MasterFileTableRecord
}

func (*MftFile) BuildDirectoryTree 

func (file *MftFile) BuildDirectoryTree() (err error)

Builds a list of directories for the purpose of of mapping MFT records to their parent directories.

func (*MftFile) CombineDirectoryInformation 

func (file *MftFile) CombineDirectoryInformation(directoryListChannel *chan map[uint64]Directory, waitForDirectoryCombination *sync.WaitGroup)

Combines a running list of directories from a channel in order to create the systems Directory trees.

func (MftFile) MftToCSV 

func (file MftFile) MftToCSV(outFileName string, waitgroup *sync.WaitGroup) (err error)

type NonResidentDataAttributes 

type NonResidentDataAttributes struct {
	StartingVCN   int
	EndingVCN     int
	OffsetDataRun int8
	AllocatedSize uint64
	RealSize      uint64
	DataRuns      map[int]DataRun
}

type RawDataRun 

type RawDataRun struct {
	NumberOrder      int
	ClusterOffset    int64
	NumberOfClusters int64
}

type RawDataRunList 

type RawDataRunList map[int]RawDataRun

type RecordHeader 

type RecordHeader struct {
	AttributesOffset uint16
	RecordNumber     uint32
	FlagDeleted      bool
	FlagDirectory    bool
}

type ResidentDataAttributes 

type ResidentDataAttributes struct {
	ResidentData []byte
}

type StandardInformationAttributes 

type StandardInformationAttributes struct {
	SiCreated    string
	SiModified   string
	SiAccessed   string
	SiChanged    string
	FlagResident bool
}

Source Files

View all Source files

Directories

Path Synopsis
cmd
gofor-mft-parser

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.