mft

package module
v0.6.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 2, 2020 License: MIT Imports: 13 Imported by: 0

README

CircleCI codecov Go Report Card GoDoc contributions welcome

GoFor-MFT-Parser

Work in progress...

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ParseMFT 

func ParseMFT(volumeLetter string, inputFile *os.File, writer ResultWriter, streamer io.Writer, bytesPerCluster int64)

ParseMFT takes an input file os.File and writes the results to the io.Writer. The format of the data sent to the io.Writer is dependent on what ResultWriter is used. The bytes per cluster input is typically 4096

func ParseMftRecords 

func ParseMftRecords(reader io.Reader, bytesPerCluster int64, directoryTree DirectoryTree, outputChannel *chan UsefulMftFields)

ParseMftRecords parses a stream of mft record bytes and sends the results to an output channel. Records from this output channel are popped off by the ResultWriter used in the ParseMFT() method.

Types

type AttributeListAttribute 

type AttributeListAttribute struct {
	Type                     byte
	MFTReferenceRecordNumber uint32
}

AttributeListAttribute contains information about a attribute list attribute

type AttributeListAttributes 

type AttributeListAttributes []AttributeListAttribute

AttributeListAttributes is a slice of AttributeListAttribute

type CsvResultWriter 

type CsvResultWriter struct{}

CsvResultWriter receiver used with the ResultWriter method that would write the csv results to csv.

func (*CsvResultWriter) ResultWriter 

func (csvResultWriter *CsvResultWriter) ResultWriter(streamer io.Writer, outputChannel *chan UsefulMftFields, waitGroup *sync.WaitGroup)

ResultWriter writes the results to csv.

type DataAttribute 

type DataAttribute struct {
	TotalSize                uint8
	FlagResident             bool
	ResidentDataAttribute    ResidentDataAttribute
	NonResidentDataAttribute NonResidentDataAttribute
}

DataAttribute contains information about a parsed data attribute.

type DataRun 

type DataRun struct {
	AbsoluteOffset int64
	Length         int64
}

DataRun contains a parsed data run which contains the absolute offset of where the data run resides in the volume and the length of the data run.

type DataRuns 

type DataRuns map[int]DataRun

DataRuns contains an ordered slice of parsed data runs

type DirectoryTree 

type DirectoryTree map[uint32]string

DirectoryTree contains a directory tree.

func BuildDirectoryTree 

func BuildDirectoryTree(reader io.Reader, volumeLetter string) (directoryTree DirectoryTree, err error)

BuildDirectoryTree takes an MFT and creates a directory tree where the slice keys are the mft record number of the UnResolvedDirectory. This record number is importable because files will reference it as its parent mft record number.

type FileNameAttribute 

type FileNameAttribute struct {
	FnCreated               time.Time
	FnModified              time.Time
	FnAccessed              time.Time
	FnChanged               time.Time
	FlagResident            bool
	NameLength              NameLength
	AttributeSize           uint32
	ParentDirRecordNumber   uint32
	ParentDirSequenceNumber uint16
	LogicalFileSize         uint64
	PhysicalFileSize        uint64
	FileNameFlags           FileNameFlags
	FileNameLength          byte
	FileNamespace           string
	FileName                string
}

FileNameAttribute contains information about a filename attribute.

type FileNameAttributes 

type FileNameAttributes []FileNameAttribute

FileNameAttributes is a slice that contains a list of filename attributes.

type FileNameFlags 

type FileNameFlags struct {
	ReadOnly          bool
	Hidden            bool
	System            bool
	Archive           bool
	Device            bool
	Normal            bool
	Temporary         bool
	Sparse            bool
	Reparse           bool
	Compressed        bool
	Offline           bool
	NotContentIndexed bool
	Encrypted         bool
	Directory         bool
	IndexView         bool
}

FileNameFlags contains possible filename flags a file may have.

type MasterFileTableRecord 

type MasterFileTableRecord struct {
	RecordHeader                  RecordHeader
	StandardInformationAttributes StandardInformationAttribute
	FileNameAttributes            []FileNameAttribute
	DataAttribute                 DataAttribute
	AttributeList                 AttributeListAttributes
}

MasterFileTableRecord contains information on a parsed MFT record

type NameLength 

type NameLength struct {
	FlagNamed bool
	NamedSize byte
}

type NonResidentDataAttribute 

type NonResidentDataAttribute struct {
	DataRuns DataRuns
}

NonResidentDataAttribute is an alias for a parsed non-resident data attribute.

type RawAttributeListAttribute 

type RawAttributeListAttribute []byte

RawAttributeListAttribute is a []byte alias for raw attribute list attributes. Used with the Parse() method

func (RawAttributeListAttribute) Parse 

func (rawAttributeListAttribute RawAttributeListAttribute) Parse() (attributeListAttributes AttributeListAttributes, err error)

Parse a raw attribute list attribute

type RawAttributes 

type RawAttributes []rawAttribute

RawAttributes contains a slice of rawAttribute []byte aliases. Used primarily as a method receiver for the parse() method. See here for a handy list of attributes: https://flatcap.org/linux-ntfs/ntfs/attributes/index.html

func (RawAttributes) Parse 

func (rawAttributes RawAttributes) Parse(bytesPerCluster int64) (fileNameAttributes FileNameAttributes, standardInformationAttribute StandardInformationAttribute, dataAttribute DataAttribute, attributeListAttributes AttributeListAttributes, err error)

Parse parses a slice of raw attributes and returns its filename, standard information, and dat attributes. It takes an argument for bytes per cluster (typically 4096) which is used for computing data run information in a data attributes.

type RawDataAttribute 

type RawDataAttribute []byte

RawDataAttribute is an alias for a raw data attribute. Used as a receiver to the parse() method.

func (RawDataAttribute) Parse 

func (rawDataAttribute RawDataAttribute) Parse(bytesPerCluster int64) (nonResidentDataAttribute NonResidentDataAttribute, residentDataAttribute ResidentDataAttribute, err error)

Parse parses the raw data attribute receiver and returns a non resident data attribute or a resident data attribute. The bytes per cluster argument is used to calculate data run information.

type RawDataRuns 

type RawDataRuns []byte

RawDataRuns is an alias for a raw data runs. Used as a receiver to the parse() method. See this for more details on data runs: https://flatcap.org/linux-ntfs/ntfs/concepts/data_runs.html

func (RawDataRuns) Parse 

func (rawDataRuns RawDataRuns) Parse(bytesPerCluster int64) (dataRuns DataRuns, err error)

Parse parses the raw data run receiver and returns data runs. The bytes per cluster argument is used to calculate data run information.

type RawFileNameAttribute 

type RawFileNameAttribute []byte

RawFileNameAttribute is a []byte alias for raw filename attribute. Used with the Parse() method.

func (RawFileNameAttribute) Parse 

func (rawFileNameAttribute RawFileNameAttribute) Parse() (filenameAttribute FileNameAttribute, err error)

Parse parses the raw filename attribute receiver and returns a parsed filename attribute.

type RawFilenameFlags 

type RawFilenameFlags []byte

RawFilenameFlags is a []byte alias for raw filename flags. Used with the Parse() method.

func (RawFilenameFlags) Parse 

func (flagBytes RawFilenameFlags) Parse() (fileNameFlags FileNameFlags)

Parse parses the raw filename flags receiver and returns filename flags.

type RawFilenameNameSpaceFlag 

type RawFilenameNameSpaceFlag byte

RawFilenameNameSpaceFlag is a byte alias for raw filename namespace flag. Used with the Parse() method.

func (RawFilenameNameSpaceFlag) Parse 

func (fileNamespaceFlag RawFilenameNameSpaceFlag) Parse() (fileNameSpace string)

Parse parses the raw file namespace flag receiver and returns a file namespace value.

type RawMasterFileTableRecord 

type RawMasterFileTableRecord []byte

RawMasterFileTableRecord is a []byte alias for raw mft record. Used with the Parse() method.

func (RawMasterFileTableRecord) GetRawAttributes 

func (rawMftRecord RawMasterFileTableRecord) GetRawAttributes(recordHeader RecordHeader) (rawAttributes RawAttributes, err error)

GetRawAttributes returns the attribute bytes from an unparsed mft record which is the method receiver. It takes recordHeader as an argument since the record header contains the offset for the start of the attributes.

func (RawMasterFileTableRecord) GetRawRecordHeader 

func (rawMftRecord RawMasterFileTableRecord) GetRawRecordHeader() (rawRecordHeader RawRecordHeader, err error)

GetRawRecordHeader gets the raw record header from a raw mft record receiver.

func (RawMasterFileTableRecord) IsThisADirectory 

func (rawMftRecord RawMasterFileTableRecord) IsThisADirectory() (result bool, err error)

IsThisADirectory will quickly check the bytes of an MFT record to determine if it is a directory or not.

func (RawMasterFileTableRecord) IsThisAnMftRecord 

func (rawMftRecord RawMasterFileTableRecord) IsThisAnMftRecord() (result bool, err error)

IsThisAnMftRecord quickly checks to see if the raw mft record receiver is a valid mft record.

func (RawMasterFileTableRecord) Parse 

func (rawMftRecord RawMasterFileTableRecord) Parse(bytesPerCluster int64) (mftRecord MasterFileTableRecord, err error)

Parse parses the raw MFT record receiver and returns a parsed mft record.

type RawNonResidentDataAttribute 

type RawNonResidentDataAttribute []byte

RawNonResidentDataAttribute is an alias for a raw nonresident data attribute. Used as a receiver to the parse() method.

func (RawNonResidentDataAttribute) Parse 

func (rawNonResidentDataAttribute RawNonResidentDataAttribute) Parse(bytesPerCluster int64) (nonResidentDataAttributes NonResidentDataAttribute, err error)

Parse parses the raw non resident data attribute receiver and returns a non resident data attribute. The bytes per cluster argument is used to calculate data run information.

type RawRecordHeader 

type RawRecordHeader []byte

RawRecordHeader is a []byte alias for raw record header. Used with the Parse() method.

func (RawRecordHeader) GetRawRecordHeaderFlags 

func (rawRecordHeader RawRecordHeader) GetRawRecordHeaderFlags() (rawRecordHeaderFlag RawRecordHeaderFlag, err error)

GetRawRecordHeaderFlags parses the raw filename attribute receiver and returns the raw record header flags.

func (RawRecordHeader) Parse 

func (rawRecordHeader RawRecordHeader) Parse() (recordHeader RecordHeader, err error)

Parse parses the raw record header receiver and returns a record header.

type RawRecordHeaderFlag 

type RawRecordHeaderFlag byte

RawRecordHeaderFlag is a byte alias for raw record header flag. Used with the Parse() method.

func (RawRecordHeaderFlag) Parse 

func (rawRecordHeaderFlag RawRecordHeaderFlag) Parse() (recordHeaderFlags RecordHeaderFlags)

Parse parses the raw record header flag receiver and returns record header flags.

type RawResidencyFlag 

type RawResidencyFlag byte

RawResidencyFlag is a byte alias for raw residency flag. Used with the Parse() method.

func (RawResidencyFlag) Parse 

func (byteToCheck RawResidencyFlag) Parse() (flagResidency bool)

Parse parses the raw residency flag receiver and returns a flag residency value.

type RawResidentDataAttribute 

type RawResidentDataAttribute []byte

RawResidentDataAttribute is an alias for a raw resident data attribute. Used as a receiver to the parse() method. We don't really do anything this this currently.

func (RawResidentDataAttribute) Parse 

func (rawResidentDataAttribute RawResidentDataAttribute) Parse() (residentDataAttribute ResidentDataAttribute, err error)

Parse parses the raw resident data attribute receiver and returns the resident data attribute bytes.

type RawStandardInformationAttribute 

type RawStandardInformationAttribute []byte

RawStandardInformationAttribute is a []byte alias for raw standard information attribute. Used with the Parse() method.

func (RawStandardInformationAttribute) Parse 

func (rawStandardInformationAttribute RawStandardInformationAttribute) Parse() (standardInformationAttribute StandardInformationAttribute, err error)

Parse parses the raw standard information attribute receiver and returns a parsed standard information attribute.

type RecordHeader 

type RecordHeader struct {
	AttributesOffset uint16
	RecordNumber     uint32
	Flags            RecordHeaderFlags
}

RecordHeader contains parsed record header values.

type RecordHeaderFlags 

type RecordHeaderFlags struct {
	FlagDeleted   bool
	FlagDirectory bool
}

RecordHeaderFlags contains parsed record header flag values.

type ResidentDataAttribute 

type ResidentDataAttribute []byte

ResidentDataAttribute is an alias for a resident data attribute.

type ResultWriter 

type ResultWriter interface {
	ResultWriter(streamer io.Writer, outputChannel *chan UsefulMftFields, waitGroup *sync.WaitGroup)
}

ResultWriter interface for result writers to allow for output format extensibility.

type StandardInformationAttribute 

type StandardInformationAttribute struct {
	SiCreated    time.Time
	SiModified   time.Time
	SiAccessed   time.Time
	SiChanged    time.Time
	FlagResident bool
}

StandardInformationAttribute contains information from a parsed standard information attribute.

type UnResolvedDirectory 

type UnResolvedDirectory struct {
	RecordNumber       uint32
	DirectoryName      string
	ParentRecordNumber uint32
}

UnResolvedDirectory type is used for creating a directory tree.

func ConvertRawMFTRecordToDirectory 

func ConvertRawMFTRecordToDirectory(rawMftRecord RawMasterFileTableRecord) (directory UnResolvedDirectory, err error)

ConvertRawMFTRecordToDirectory will take a raw MFT record that is a directory and return the parsed MFT record for it.

type UnresolvedDirectoryTree 

type UnresolvedDirectoryTree map[uint32]UnResolvedDirectory

UnresolvedDirectoryTree contains a slice of directories that need to be joined to create a UnResolvedDirectory tree.

func BuildUnresolvedDirectoryTree 

func BuildUnresolvedDirectoryTree(reader io.Reader) (unresolvedDirectoryTree UnresolvedDirectoryTree, err error)

BuildUnresolvedDirectoryTree takes an MFT and does a first pass to find all the directories listed in it. These will form an unresolved UnResolvedDirectory tree that need to be stitched together.

func (UnresolvedDirectoryTree) Resolve 

func (unresolvedDirectoryTree UnresolvedDirectoryTree) Resolve(volumeLetter string) (directoryTree DirectoryTree, err error)

Resolve combines a running list of directories from a channel in order to create the systems directory trees.

type UsefulMftFields 

type UsefulMftFields struct {
	RecordNumber     uint32    `json:"RecordNumber,number"`
	FilePath         string    `json:"FilePath,string"`
	FullPath         string    `json:"FullPath,string"`
	FileName         string    `json:"FileName,string"`
	SystemFlag       bool      `json:"SystemFlag,bool"`
	HiddenFlag       bool      `json:"HiddenFlag,bool"`
	ReadOnlyFlag     bool      `json:"ReadOnlyFlag,bool"`
	DirectoryFlag    bool      `json:"DirectoryFlag,bool"`
	DeletedFlag      bool      `json:"DeletedFlag,bool"`
	FnCreated        time.Time `json:"FnCreated"`
	FnModified       time.Time `json:"FnModified"`
	FnAccessed       time.Time `json:"FnAccessed"`
	FnChanged        time.Time `json:"FnChanged"`
	SiCreated        time.Time `json:"SiCreated"`
	SiModified       time.Time `json:"SiModified"`
	SiAccessed       time.Time `json:"SiAccessed"`
	SiChanged        time.Time `json:"SiChanged"`
	PhysicalFileSize uint64    `json:"PhysicalFileSize,number"`
}

UsefulMftFields contains a downselected list of fields that are actually valuable to an analyst. This is the data that is written after parsing an MFT.

func GetUsefulMftFields 

func GetUsefulMftFields(mftRecord MasterFileTableRecord, directoryTree DirectoryTree) (useFulMftFields UsefulMftFields)

GetUsefulMftFields will pull out and return just the MFT record fields that are useful to an analyst.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.