How to use the pytsk3.TSK_FS_ATTR_TYPE_NTFS_DATA function in pytsk3
To help you get started, we’ve selected a few pytsk3 examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
mit-ll / LO-PHI / python-lophi-semanticgap / lophi_semanticgap / disk / filesystem_reconstructor.py View on Github 
def _mft_dataruns(self):
"""
Returns a list of all of the data runs in the MFT
@return list of tuples (run length, block address)
"""
# get inode 0
self.MFT = self.FILE_SYSTEM.open_meta(inode=0)
mft_blocks = []
for attribute in self.MFT:
if attribute.info.type == pytsk3.TSK_FS_ATTR_TYPE_NTFS_DATA:
for run in attribute:
mft_blocks.append((run.len, run.addr))
return sorted(mft_blocks, key=lambda tup: tup[1])if attribute_name is None:
attribute_name = ''
else:
try:
# pytsk3 returns an UTF-8 encoded byte string.
attribute_name = attribute_name.decode('utf8')
except UnicodeError:
# Continue here since we cannot represent the attribute name.
continue
attribute_type = getattr(attribute.info, 'type', None)
if attribute_name == data_stream and attribute_type in (
pytsk3.TSK_FS_ATTR_TYPE_HFS_DEFAULT,
pytsk3.TSK_FS_ATTR_TYPE_HFS_DATA,
pytsk3.TSK_FS_ATTR_TYPE_NTFS_DATA):
tsk_attribute = attribute
break
if tsk_attribute is None:
file_system.Close()
raise IOError('Unable to open data stream: {0:s}.'.format(data_stream))
if (not tsk_attribute and
tsk_file.info.meta.type != pytsk3.TSK_FS_META_TYPE_REG):
file_system.Close()
raise IOError('Not a regular file.')
self._current_offset = 0
self._file_system = file_system
self._tsk_attribute = tsk_attribute
self._tsk_file = tsk_filedef _GetDataStreams(self):
"""Retrieves the data streams.
Returns:
list[TSKDataStream]: data streams.
"""
if self._data_streams is None:
if self._file_system.IsHFS():
known_data_attribute_types = [
pytsk3.TSK_FS_ATTR_TYPE_HFS_DEFAULT,
pytsk3.TSK_FS_ATTR_TYPE_HFS_DATA]
elif self._file_system.IsNTFS():
known_data_attribute_types = [pytsk3.TSK_FS_ATTR_TYPE_NTFS_DATA]
else:
known_data_attribute_types = None
self._data_streams = []
tsk_fs_meta_type = getattr(
self._tsk_file.info.meta, 'type', pytsk3.TSK_FS_META_TYPE_UNDEF)
if not known_data_attribute_types:
if tsk_fs_meta_type == pytsk3.TSK_FS_META_TYPE_REG:
data_stream = TSKDataStream(self._file_system, None)
self._data_streams.append(data_stream)
else:
for tsk_attribute in self._tsk_file:def _mft_dataruns(self):
# get inode 0
mft_f = self.FILE_SYSTEM.open_meta(inode=0)
mft_blocks = []
for attribute in mft_f:
if attribute.info.type == pytsk3.TSK_FS_ATTR_TYPE_NTFS_DATA:
for run in attribute:
mft_blocks.append((run.len, run.addr))
return mft_blocksMETA_TYPE_LOOKUP = {
pytsk3.TSK_FS_META_TYPE_REG: "r",
pytsk3.TSK_FS_META_TYPE_DIR: "d",
pytsk3.TSK_FS_META_TYPE_FIFO: "p",
pytsk3.TSK_FS_META_TYPE_CHR: "c",
pytsk3.TSK_FS_META_TYPE_BLK: "b",
pytsk3.TSK_FS_META_TYPE_LNK: "h",
pytsk3.TSK_FS_META_TYPE_SHAD: "s",
pytsk3.TSK_FS_META_TYPE_SOCK: "s",
pytsk3.TSK_FS_META_TYPE_WHT: "w",
pytsk3.TSK_FS_META_TYPE_VIRT: "v"
}
ATTRIBUTE_TYPES_TO_PRINT = [
pytsk3.TSK_FS_ATTR_TYPE_NTFS_IDXROOT,
pytsk3.TSK_FS_ATTR_TYPE_NTFS_DATA,
pytsk3.TSK_FS_ATTR_TYPE_DEFAULT]
class TSKListDirectoryAction(files.ListDirectoryAction):
"""List Directory via TSK."""
schema = [
dict(name="path",
doc="The name of the directory to list. If a device is also give, "
"the name is relative to this device otherwise we resolve mount "
"points to deduce right the name and device."),
dict(name="device",
doc="The path to the device to use"),
dict(name="offset", type="int",
doc="A device offset to use."),raise IOError("%s is not a directory" % self.pathspec.CollapsePath())
for f in self.fd.as_directory():
try:
name = _DecodeUTF8WithWarning(f.info.name.name)
# Drop these useless entries.
if name in [".", ".."] or name in self.BLACKLIST_FILES:
continue
# First we yield a standard response using the default attributes.
yield self.MakeStatResponse(f, tsk_attribute=None, append_name=name)
# Now send back additional named attributes for the ADS.
for attribute in f:
if attribute.info.type in [
pytsk3.TSK_FS_ATTR_TYPE_NTFS_DATA, pytsk3.TSK_FS_ATTR_TYPE_DEFAULT
]:
if attribute.info.name:
yield self.MakeStatResponse(
f, append_name=name, tsk_attribute=attribute)
except AttributeError:
pass
Popular pytsk3 functions
- pytsk3.FS_Info
- pytsk3.get_version
- pytsk3.Img_Info
- pytsk3.Img_Info.__init__
- pytsk3.TSK_FS_ATTR_TYPE_NTFS_DATA
- pytsk3.TSK_FS_META_FLAG_ALLOC
- pytsk3.TSK_FS_META_TYPE_BLK
- pytsk3.TSK_FS_META_TYPE_CHR
- pytsk3.TSK_FS_META_TYPE_DIR
- pytsk3.TSK_FS_META_TYPE_FIFO
- pytsk3.TSK_FS_META_TYPE_LNK
- pytsk3.TSK_FS_META_TYPE_REG
- pytsk3.TSK_FS_META_TYPE_SOCK
- pytsk3.TSK_FS_NAME_TYPE_BLK
- pytsk3.TSK_FS_NAME_TYPE_DIR
- pytsk3.TSK_FS_NAME_TYPE_REG
- pytsk3.TSK_FS_TYPE_UNSUPP
- pytsk3.TSK_IMG_TYPE_EXTERNAL
- pytsk3.TSK_VS_PART_FLAG_ALLOC
- pytsk3.Volume_Info