MftAnalyzer (version 0.0.1)
mftanalyzer.py

This package implements multiple libraries and tools to parse, analyze
and extract information from the disk of a live system.

 
Classes
       
_ctypes.Structure(_ctypes._CData)
ACEHeader
ACL
AttributeHeader
AttributeHeaderNonResident
AttributeHeaderResident
AttributeList
FileName
MFTEntryHeader
NonResidentAttribute
ResidentAttribute
SecurityDescriptor
StandardInformation
StandardInformationLess2K

 
class ACEHeader(_ctypes.Structure)
    This class defines the MFT ACE header structure.
 
 
Method resolution order:
ACEHeader
_ctypes.Structure
_ctypes._CData
builtins.object

Methods defined here:
__str__(self)
Return str(self).

Data descriptors defined here:
AccessMask
AceFlags
AceSize
AceType
__dict__
dictionary for instance variables (if defined)
__weakref__
list of weak references to the object (if defined)

Methods inherited from _ctypes.Structure:
__init__(self, /, *args, **kwargs)
Initialize self.  See help(type(self)) for accurate signature.

Static methods inherited from _ctypes.Structure:
__new__(*args, **kwargs) from _ctypes.PyCStructType
Create and return a new object.  See help(type) for accurate signature.

Methods inherited from _ctypes._CData:
__ctypes_from_outparam__(...)
__hash__(self, /)
Return hash(self).
__reduce__(...)
Helper for pickle.
__setstate__(...)

 
class ACL(_ctypes.Structure)
    This class defines the MFT Access Control List structure.
 
 
Method resolution order:
ACL
_ctypes.Structure
_ctypes._CData
builtins.object

Methods defined here:
__str__(self)
Return str(self).

Data descriptors defined here:
AceCount
AclRevision
AclSize
Padding1
Padding2
__dict__
dictionary for instance variables (if defined)
__weakref__
list of weak references to the object (if defined)


 
class AttributeHeader(_ctypes.Structure)
    This class defines the MFT attribute headers.
 
 
Method resolution order:
AttributeHeader
_ctypes.Structure
_ctypes._CData
builtins.object

Data descriptors defined here:
__dict__
dictionary for instance variables (if defined)
__weakref__
list of weak references to the object (if defined)
attribute_id
flags
length
name_length
name_offset
non_resident
type_id


 
class AttributeHeaderNonResident(_ctypes.Structure)
    This class defines the full MFT non-resident attribute header
(the value is stored outside the MFT, for values larger than ~700 bytes).
 
 
Method resolution order:
AttributeHeaderNonResident
_ctypes.Structure
_ctypes._CData
builtins.object

Methods defined here:
parse_data_runs(self, cluster_size: int) -> List[Tuple[int, int]]
This method decodes the attribute's data runs into a list of (length, offset) tuples.
read_content(self, file: _io.BufferedReader, ntfs_offset: int) -> bytearray
This method reads the whole attribute content and returns it as a bytearray.
read_data_runs(self, file: _io.BufferedReader, ntfs_offset: int) -> Iterable[bytes]
This generator yields the attribute content one data-run block at a time.

Data descriptors defined here:
__dict__
dictionary for instance variables (if defined)
__weakref__
list of weak references to the object (if defined)
allocated_size
attribute_id
compression_unit_size
data_run_offset
flags
initialized_size
last_vcn
length
name_length
name_offset
non_resident
real_size
reserved
starting_vcn
type_id


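As an added example (not MftAnalyzer's own code), the run-list decoding that parse_data_runs above performs, written as a stand-alone function over a constructed run list. It assumes the standard NTFS run-list encoding (the header byte's low nibble is the size of the length field, the high nibble the size of the offset field, offsets are signed and relative to the previous run, and a 0x00 header terminates the list); unlike the signature above it returns byte positions rather than cluster numbers and reports a sparse run with offset None.

```python
from typing import List, Optional, Tuple


def parse_data_runs(data: bytes, cluster_size: int) -> List[Tuple[int, Optional[int]]]:
    """Decode an NTFS run list into (length_in_bytes, absolute_offset_in_bytes).

    Each run starts with a header byte: low nibble = size of the length field,
    high nibble = size of the offset field (0 = sparse run, nothing allocated).
    Offsets are signed and relative to the previous run's LCN; 0x00 terminates.
    """
    runs: List[Tuple[int, Optional[int]]] = []
    pos = 0
    lcn = 0  # running absolute logical cluster number
    while True:
        if pos >= len(data):
            raise ValueError("run list is not terminated")
        header = data[pos]
        pos += 1
        if header == 0:
            return runs
        length_size, offset_size = header & 0x0F, header >> 4
        if length_size == 0 or length_size > 8 or offset_size > 8:
            raise ValueError(f"invalid run header 0x{header:02x}")
        if pos + length_size + offset_size > len(data):
            raise ValueError("truncated run")
        length = int.from_bytes(data[pos:pos + length_size], "little")
        pos += length_size
        if offset_size == 0:
            runs.append((length * cluster_size, None))  # sparse run
            continue
        lcn += int.from_bytes(data[pos:pos + offset_size], "little", signed=True)
        pos += offset_size
        if lcn < 0:
            raise ValueError("run points before the start of the volume")
        runs.append((length * cluster_size, lcn * cluster_size))


def runs_cover(runs: List[Tuple[int, Optional[int]]], allocated_size: int) -> bool:
    """Sanity check: the runs must account for exactly allocated_size bytes."""
    return sum(length for length, _ in runs) == allocated_size


def is_valid_run_list(data: bytes, cluster_size: int = 4096) -> bool:
    """True when the run list decodes without error (check before reading content)."""
    try:
        parse_data_runs(data, cluster_size)
        return True
    except ValueError:
        return False


# Constructed sample: 24 clusters at LCN 0x5634, then 5 clusters starting
# 16 clusters lower (relative offset -16), then a 16-cluster sparse run, then 0x00.
SAMPLE_RUN_LIST = bytes.fromhex("21183456" "1105f0" "0110" "00")

if __name__ == "__main__":
    for length, offset in parse_data_runs(SAMPLE_RUN_LIST, 4096):
        print(f"{length:>8} bytes at {'sparse' if offset is None else offset}")
```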
 
class AttributeHeaderResident(_ctypes.Structure)
    This class defines the full MFT resident attribute header
(the value is stored inside the MFT entry, for small values up to ~700 bytes).
 
 
Method resolution order:
AttributeHeaderResident
_ctypes.Structure
_ctypes._CData
builtins.object

Data descriptors defined here:
__dict__
dictionary for instance variables (if defined)
__weakref__
list of weak references to the object (if defined)
attr_length
attr_offset
attribute_id
flags
indexed_flag
length
name_length
name_offset
non_resident
padding
type_id


 
class AttributeList(_ctypes.Structure)
    This class defines the $ATTRIBUTE_LIST MFT attribute.
 
 
Method resolution order:
AttributeList
_ctypes.Structure
_ctypes._CData
builtins.object

Methods defined here:
__str__(self)
Return str(self).

Data descriptors defined here:
AttributeId
BaseFileReference
NameLength
OffsetToName
RecordLength
StartingVCN
Type
__dict__
dictionary for instance variables (if defined)
__weakref__
list of weak references to the object (if defined)


 
class FileName(_ctypes.Structure)
    This class defines the $FILE_NAME MFT attribute.
 
 
Method resolution order:
FileName
_ctypes.Structure
_ctypes._CData
builtins.object

Methods defined here:
__str__(self)
Return str(self).

Data descriptors defined here:
AccessTime
AllocatedSize
CreationTime
FileNameLength
FileNameNamespace
Flags
MFTChangeTime
ModificationTime
ParentDirectory
RealSize
Reserved
__dict__
dictionary for instance variables (if defined)
__weakref__
list of weak references to the object (if defined)


 
class MFTEntryHeader(_ctypes.Structure)
    This class defines the MFT entry structure.
 
 
Method resolution order:
MFTEntryHeader
_ctypes.Structure
_ctypes._CData
builtins.object

Data descriptors defined here:
__dict__
dictionary for instance variables (if defined)
__weakref__
list of weak references to the object (if defined)
align
allocated_entry_size
base_file_record
first_attr_offset
fixup_entries
fixup_offset
flags
hard_link_count
log_seq_number
mft_record_number
next_attr_id
sequence_number
signature
used_entry_size


 
class NonResidentAttribute(_ctypes.Structure)
    This class defines the fields specific to an MFT non-resident attribute
(the value is stored outside the MFT, for values larger than ~700 bytes).
 
 
Method resolution order:
NonResidentAttribute
_ctypes.Structure
_ctypes._CData
builtins.object

Data descriptors defined here:
__dict__
dictionary for instance variables (if defined)
__weakref__
list of weak references to the object (if defined)
allocated_size
compression_unit_size
data_run_offset
initialized_size
last_vcn
real_size
reserved
starting_vcn


 
class ResidentAttribute(_ctypes.Structure)
    This class defines the fields specific to an MFT resident attribute
(the value is stored inside the MFT entry, for small values up to ~700 bytes).
 
 
Method resolution order:
ResidentAttribute
_ctypes.Structure
_ctypes._CData
builtins.object

Data descriptors defined here:
__dict__
dictionary for instance variables (if defined)
__weakref__
list of weak references to the object (if defined)
flags
reserved
value_length
value_offset


 
class SecurityDescriptor(_ctypes.Structure)
    This class defines the $SECURITY_DESCRIPTOR MFT attribute.
 
 
Method resolution order:
SecurityDescriptor
_ctypes.Structure
_ctypes._CData
builtins.object

Methods defined here:
__str__(self)
Return str(self).

Data descriptors defined here:
ControlFlags
OffsetDACL
OffsetGroup
OffsetOwner
OffsetSACL
Padding1
Revision
__dict__
dictionary for instance variables (if defined)
__weakref__
list of weak references to the object (if defined)


 
class StandardInformation(_ctypes.Structure)
    This class defines the $STANDARD_INFORMATION MFT attribute.
 
 
Method resolution order:
StandardInformation
_ctypes.Structure
_ctypes._CData
builtins.object

Methods defined here:
__str__(self)
Return str(self).

Data descriptors defined here:
AccessTime
ClassId
CreationTime
FileAttributes
MFTChangeTime
MaxVersions
ModificationTime
OwnerId
QuotaCharged
SecurityId
USN
VersionNumber
__dict__
dictionary for instance variables (if defined)
__weakref__
list of weak references to the object (if defined)


 
class StandardInformationLess2K(_ctypes.Structure)
    This class defines the shorter layout of the $STANDARD_INFORMATION MFT attribute
used before Windows 2000, without the OwnerId, SecurityId, QuotaCharged and USN fields.
 
 
Method resolution order:
StandardInformationLess2K
_ctypes.Structure
_ctypes._CData
builtins.object

Methods defined here:
__str__(self)
Return str(self).

Data descriptors defined here:
AccessTime
ClassId
CreationTime
FileAttributes
MFTChangeTime
MaxVersions
ModificationTime
VersionNumber
__dict__
dictionary for instance variables (if defined)
__weakref__
list of weak references to the object (if defined)


 
Functions
       
exit(status=None, /)
Exit the interpreter by raising SystemExit(status).
 
If the status is omitted or None, it defaults to zero (i.e., success).
If the status is an integer, it will be used as the system exit status.
If it is another kind of object, it will be printed and the system
exit status will be one (i.e., failure).
filetime_to_datetime(filetime: int) -> datetime.datetime
This function converts a Windows FILETIME value to a Python datetime.
get_attribute_data(attribute_header: Union[MftAnalyzer.AttributeHeaderResident, MftAnalyzer.AttributeHeaderNonResident], file: _io.BufferedReader, ntfs_offset: int) -> bytes
This function returns the attribute data of a resident or non-resident attribute.
get_mft_content(file: _io.BufferedReader, mft_entry: MftAnalyzer.MFTEntryHeader, ntfs_offset: int) -> bytearray
This generator yields MFT content blocks.
get_mft_entry_size(value: int, cluster_size: int) -> int
This function returns the MFT entry size.
main() -> int
The main function that starts the script from the command line.
parse_access_mask(mask: int) -> List[str]
This function returns human readable access flags from flags value.
parse_ace_flags(flags: int) -> List[str]
This function returns human readable ACE flags from flags value.
parse_acl(data: bytes) -> MftAnalyzer.ACL
This function parses ACL and ACEs.
parse_attribute_flags(flags: int) -> List[str]
This function returns the string values for MFT attribute flags.
parse_attribute_list(attribute_header: Union[MftAnalyzer.AttributeHeaderResident, MftAnalyzer.AttributeHeaderNonResident], file: _io.BufferedReader, ntfs_offset: int) -> List[MftAnalyzer.AttributeList]
This function parses a $ATTRIBUTE_LIST MFT attribute.
parse_control_flags(flags: int) -> List[str]
This function returns human readable control flags from flags value.
parse_file_name(attribute_header: Union[MftAnalyzer.AttributeHeaderResident, MftAnalyzer.AttributeHeaderNonResident], file: _io.BufferedReader, ntfs_offset: int) -> None
This function parses the $FILE_NAME MFT attribute.
parse_file_name_flags(flags: int) -> List[str]
This function returns the string values for $FILE_NAME attribute flags.
parse_mft() -> Tuple[_io.BufferedReader, MftAnalyzer.MFTEntryHeader, int]
This function parses the MFT from the disk, locating it through the NTFS
partition's VBR (first sector).
parse_mft_flags(flags: int) -> List[str]
This function returns the string values for MFT entry flags.
parse_security_descriptor(attribute_header: Union[MftAnalyzer.AttributeHeaderResident, MftAnalyzer.AttributeHeaderNonResident], file: _io.BufferedReader, ntfs_offset: int) -> MftAnalyzer.SecurityDescriptor
This function parses the $SECURITY_DESCRIPTOR MFT attribute.
parse_sid(data: bytes) -> Tuple[str, int]
This function converts SID data to human readable format.
parse_standard_information(attribute_header: Union[MftAnalyzer.AttributeHeaderResident, MftAnalyzer.AttributeHeaderNonResident], file: _io.BufferedReader, ntfs_offset: int) -> None
This function parses the $STANDARD_INFORMATION MFT attribute.
parse_standard_information_flags(flags: int) -> List[str]
This function returns the string values for $STANDARD_INFORMATION file attribute flags.
sizeof(...)
sizeof(C type) -> integer
sizeof(C instance) -> integer
Return the size in bytes of a C instance
walk_attributes(data: bytes, mft_entry: MftAnalyzer.MFTEntryHeader, entry_offset: int, cluster_size: int, file: _io.BufferedReader, ntfs_offset: int) -> None
This function iterates over the attributes of one MFT entry.
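Added example (not the project's code) of what parse_sid and parse_acl above do: decoding a binary SID and walking an ACL's ACE headers, with the size checks a parser of untrusted on-disk data needs. It assumes the documented Windows layouts (SID: revision, sub-authority count, 6-byte big-endian authority, little-endian 32-bit sub-authorities; ACL: AclRevision, Padding1, AclSize, AceCount, Padding2, followed by ACEs made of AceType, AceFlags, AceSize, AccessMask and the trustee SID); the sample ACL is constructed inside the block and ACE_TYPE_MAP is copied from the Data section.

```python
import struct
from typing import List, Tuple

ACE_TYPE_MAP = {0: "Access Allowed", 1: "Access Denied", 2: "System Audit"}  # from the Data section


def parse_sid(data: bytes) -> Tuple[str, int]:
    """Convert a binary SID to 'S-R-A-S1-...' and return (sid, bytes consumed)."""
    if len(data) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = data[0], data[1]
    size = 8 + 4 * count
    if revision != 1 or count > 15 or len(data) < size:
        raise ValueError("malformed SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", data, 8)
    return "S-%d-%d" % (revision, authority) + "".join(f"-{s}" for s in subs), size


def parse_acl(data: bytes) -> List[Tuple[str, str, int, int]]:
    """Walk an ACL and return (ACE type, trustee SID, AceFlags, AccessMask) per ACE."""
    if len(data) < 8:
        raise ValueError("ACL shorter than its 8-byte header")
    _revision, _pad1, acl_size, ace_count, _pad2 = struct.unpack_from("<BBHHH", data, 0)
    if acl_size > len(data):
        raise ValueError("AclSize exceeds available data")
    aces, pos = [], 8
    for _ in range(ace_count):
        if pos + 8 > acl_size:
            raise ValueError("ACE header runs past AclSize")
        ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", data, pos)
        if ace_size < 8 or pos + ace_size > acl_size:
            raise ValueError("AceSize inconsistent with AclSize")
        sid, _ = parse_sid(data[pos + 8:pos + ace_size])  # SID follows the 8-byte ACE header
        aces.append((ACE_TYPE_MAP.get(ace_type, f"Unknown({ace_type})"), sid, ace_flags, mask))
        pos += ace_size
    return aces


def acl_is_well_formed(data: bytes) -> bool:
    """True when the ACL and every ACE in it decode without a size violation."""
    try:
        parse_acl(data)
        return True
    except ValueError:
        return False


# Constructed sample ACL: a deny-Delete ACE for Everyone, then a full-control allow ACE.
def _sid(authority: int, *subs: int) -> bytes:
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


def _ace(ace_type: int, flags: int, mask: int, sid: bytes) -> bytes:
    return struct.pack("<BBHI", ace_type, flags, 8 + len(sid), mask) + sid


SID_EVERYONE = _sid(1, 0)                        # S-1-1-0
SID_USER = _sid(5, 21, 1000, 2000, 3000, 500)    # S-1-5-21-1000-2000-3000-500 (constructed)
_ACES = _ace(1, 0x03, 0x10000, SID_EVERYONE) + _ace(0, 0, 0x1F01FF, SID_USER)
SAMPLE_ACL = struct.pack("<BBHHH", 2, 0, 8 + len(_ACES), 2, 0) + _ACES
```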

 
Data
        ACCESS_MASK_FLAGS = {1: 'ReadData / ListDirectory', 2: 'WriteData / AddFile', 4: 'AppendData / AddSubdirectory', 8: 'ReadExtendedAttributes', 16: 'WriteExtendedAttributes', 32: 'Execute / Traverse', 64: 'DeleteChild', 128: 'ReadAttributes', 256: 'WriteAttributes', 65536: 'Delete', ...}
ACE_FLAG_MAP = {1: 'Object Inherit', 2: 'Container Inherit', 4: 'No Propagate Inherit', 8: 'Inherit Only', 64: 'Audit Success', 128: 'Audit Failure'}
ACE_TYPE_MAP = {0: 'Access Allowed', 1: 'Access Denied', 2: 'System Audit'}
ATTRIBUTE_TYPES = {16: '$STANDARD_INFORMATION', 32: '$ATTRIBUTE_LIST', 48: '$FILE_NAME', 64: '$OBJECT_ID', 80: '$SECURITY_DESCRIPTOR', 96: '$VOLUME_NAME', 112: '$VOLUME_INFORMATION', 128: '$DATA', 144: '$INDEX_ROOT', 160: '$INDEX_ALLOCATION', ...}
FILE_INFORMATION_ATTRIBUTE_FLAGS = {1: 'ReadOnly', 2: 'Hidden', 4: 'System', 32: 'Archive', 64: 'Device', 128: 'Normal', 256: 'Temporary', 512: 'Sparse File', 1024: 'Reparse Point', 2048: 'Compressed', ...}
FILE_NAME_ATTRIBUTE_FLAGS = {1: 'Read-Only', 2: 'Hidden', 4: 'System', 32: 'Archive', 64: 'Device', 128: 'Normal', 256: 'Temporary', 512: 'Sparse File', 1024: 'Reparse Point', 2048: 'Compressed', ...}
Iterable = typing.Iterable
List = typing.List
SECURITY_DESCRIPTOR_CONTROL_FLAGS = {1: 'Owner Defaulted', 2: 'Group Defaulted', 4: 'DACL Present', 8: 'DACL Defaulted', 16: 'SACL Present', 32: 'SACL Defaulted', 256: 'DACL Auto Inherit Req', 512: 'SACL Auto Inherit Req', 1024: 'DACL Auto Inherited', 2048: 'SACL Auto Inherited', ...}
Tuple = typing.Tuple
Union = typing.Union
__author_email__ = 'mauricelambert434@gmail.com'
__copyright__ = '\nDiskAnalyzer Copyright (C) 2025 Maurice Lambe...ome to redistribute it\nunder certain conditions.\n'
__description__ = '\nThis package implements multiples libraries and t...tract informations from disk on the live system.\n'
__license__ = 'GPL-3.0 License'
__maintainer__ = 'Maurice Lambert'
__maintainer_email__ = 'mauricelambert434@gmail.com'
__url__ = 'https://github.com/mauricelambert/DiskAnalyzer'
copyright = '\nDiskAnalyzer Copyright (C) 2025 Maurice Lambe...ome to redistribute it\nunder certain conditions.\n'
license = 'GPL-3.0 License'

 
Author
        Maurice Lambert