Python: Documentation - DiskAnalyzer.MftAnalyzer

DiskAnalyzer.MftAnalyzer (version 1.0.0)

This package implements multiples libraries and tools to parse, analyze
and extract informations from disk on the live system.

Classes

_ctypes.Structure(_ctypes._CData)

ACEHeader
ACL
AttributeHeader
AttributeHeaderNonResident
AttributeHeaderResident
AttributeList
FileName
MFTEntryHeader
NonResidentAttribute
ResidentAttribute
SecurityDescriptor
StandardInformation
StandardInformationLess2K

class ACEHeader(_ctypes.Structure)

This class defines the MFT ACE header structure.

Method resolution order:: ACEHeader; _ctypes.Structure; _ctypes._CData; builtins.object

Methods defined here:

__str__(self): Return str(self).

Data descriptors defined here:

AccessMask

AceFlags

AceSize

AceType

__dict__: dictionary for instance variables

__weakref__: list of weak references to the object

Methods inherited from _ctypes.Structure:

__buffer__(self, flags, /): Return a buffer object that exposes the underlying memory of the object.

__init__(self, /, *args, **kwargs): Initialize self. See help(type(self)) for accurate signature.

Static methods inherited from _ctypes.Structure:

__new__(*args, **kwargs) class method of _ctypes.Structure: Create and return a new object. See help(type) for accurate signature.

Methods inherited from _ctypes._CData:

__ctypes_from_outparam__(self, /): default __ctypes_from_outparam__ method returns self.

__hash__(self, /): Return hash(self).

__reduce__(self, /): Helper for pickle.

__setstate__(self, dict, data, /)

class ACL(_ctypes.Structure)

This class defines the MFT Access Control List structure.

Method resolution order:: ACL; _ctypes.Structure; _ctypes._CData; builtins.object

Methods defined here:

__str__(self): Return str(self).

Data descriptors defined here:

AceCount

AclRevision

AclSize

Padding1

Padding2

__dict__: dictionary for instance variables

__weakref__: list of weak references to the object

Methods inherited from _ctypes.Structure:

__buffer__(self, flags, /): Return a buffer object that exposes the underlying memory of the object.

__init__(self, /, *args, **kwargs): Initialize self. See help(type(self)) for accurate signature.

Static methods inherited from _ctypes.Structure:

__new__(*args, **kwargs) class method of _ctypes.Structure: Create and return a new object. See help(type) for accurate signature.

Methods inherited from _ctypes._CData:

__ctypes_from_outparam__(self, /): default __ctypes_from_outparam__ method returns self.

__hash__(self, /): Return hash(self).

__reduce__(self, /): Helper for pickle.

__setstate__(self, dict, data, /)

class AttributeHeader(_ctypes.Structure)

This class defines the MFT attribute headers.

Method resolution order:: AttributeHeader; _ctypes.Structure; _ctypes._CData; builtins.object

Data descriptors defined here:

__dict__: dictionary for instance variables

__weakref__: list of weak references to the object

attribute_id

flags

length

name_length

name_offset

non_resident

type_id

Methods inherited from _ctypes.Structure:

__buffer__(self, flags, /): Return a buffer object that exposes the underlying memory of the object.

__init__(self, /, *args, **kwargs): Initialize self. See help(type(self)) for accurate signature.

Static methods inherited from _ctypes.Structure:

__new__(*args, **kwargs) class method of _ctypes.Structure: Create and return a new object. See help(type) for accurate signature.

Methods inherited from _ctypes._CData:

__ctypes_from_outparam__(self, /): default __ctypes_from_outparam__ method returns self.

__hash__(self, /): Return hash(self).

__reduce__(self, /): Helper for pickle.

__setstate__(self, dict, data, /)

class AttributeHeaderNonResident(_ctypes.Structure)

This class defines the full MFT non resident
attribute headers (value outside the MFT,
value > ~700 bytes).

Method resolution order:: AttributeHeaderNonResident; _ctypes.Structure; _ctypes._CData; builtins.object

Methods defined here:

parse_data_runs(self, cluster_size: int) -> List[Tuple[int, int]]: This method parses data runs (data: length, offset).

read_content(self, file: BufferedReader, ntfs_offset: int) -> bytearray: This method returns content as bytearray.

read_data_runs(self, file: BufferedReader, ntfs_offset: int) -> Iterable[bytes]: This generator yields content block by content block.

Data descriptors defined here:

__dict__: dictionary for instance variables

__weakref__: list of weak references to the object

allocated_size

attribute_id

compression_unit_size

data_run_offset

flags

initialized_size

last_vcn

length

name_length

name_offset

non_resident

real_size

reserved

starting_vcn

type_id

Methods inherited from _ctypes.Structure:

__buffer__(self, flags, /): Return a buffer object that exposes the underlying memory of the object.

__init__(self, /, *args, **kwargs): Initialize self. See help(type(self)) for accurate signature.

Static methods inherited from _ctypes.Structure:

__new__(*args, **kwargs) class method of _ctypes.Structure: Create and return a new object. See help(type) for accurate signature.

Methods inherited from _ctypes._CData:

__ctypes_from_outparam__(self, /): default __ctypes_from_outparam__ method returns self.

__hash__(self, /): Return hash(self).

__reduce__(self, /): Helper for pickle.

__setstate__(self, dict, data, /)

class AttributeHeaderResident(_ctypes.Structure)

This class defines the full MFT resident
attribute headers (value inside the MFT,
small value - ~700 bytes).

Method resolution order:: AttributeHeaderResident; _ctypes.Structure; _ctypes._CData; builtins.object

Data descriptors defined here:

__dict__: dictionary for instance variables

__weakref__: list of weak references to the object

attr_length

attr_offset

attribute_id

flags

indexed_flag

length

name_length

name_offset

non_resident

padding

type_id

Methods inherited from _ctypes.Structure:

__buffer__(self, flags, /): Return a buffer object that exposes the underlying memory of the object.

__init__(self, /, *args, **kwargs): Initialize self. See help(type(self)) for accurate signature.

Static methods inherited from _ctypes.Structure:

__new__(*args, **kwargs) class method of _ctypes.Structure: Create and return a new object. See help(type) for accurate signature.

Methods inherited from _ctypes._CData:

__ctypes_from_outparam__(self, /): default __ctypes_from_outparam__ method returns self.

__hash__(self, /): Return hash(self).

__reduce__(self, /): Helper for pickle.

__setstate__(self, dict, data, /)

class AttributeList(_ctypes.Structure)

This class defines the $ATTRIBUTE_LIST MFT attribute.

Method resolution order:: AttributeList; _ctypes.Structure; _ctypes._CData; builtins.object

Methods defined here:

__str__(self): Return str(self).

Data descriptors defined here:

AttributeId

BaseFileReference

NameLength

OffsetToName

RecordLength

StartingVCN

Type

__dict__: dictionary for instance variables

__weakref__: list of weak references to the object

Methods inherited from _ctypes.Structure:

__buffer__(self, flags, /): Return a buffer object that exposes the underlying memory of the object.

__init__(self, /, *args, **kwargs): Initialize self. See help(type(self)) for accurate signature.

Static methods inherited from _ctypes.Structure:

__new__(*args, **kwargs) class method of _ctypes.Structure: Create and return a new object. See help(type) for accurate signature.

Methods inherited from _ctypes._CData:

__ctypes_from_outparam__(self, /): default __ctypes_from_outparam__ method returns self.

__hash__(self, /): Return hash(self).

__reduce__(self, /): Helper for pickle.

__setstate__(self, dict, data, /)

class FileName(_ctypes.Structure)

This class defines the $FILE_NAME MFT attribute.

Method resolution order:: FileName; _ctypes.Structure; _ctypes._CData; builtins.object

Methods defined here:

__str__(self): Return str(self).

Data descriptors defined here:

AccessTime

AllocatedSize

CreationTime

FileNameLength

FileNameNamespace

Flags

MFTChangeTime

ModificationTime

ParentDirectory

RealSize

Reserved

__dict__: dictionary for instance variables

__weakref__: list of weak references to the object

Methods inherited from _ctypes.Structure:

__buffer__(self, flags, /): Return a buffer object that exposes the underlying memory of the object.

__init__(self, /, *args, **kwargs): Initialize self. See help(type(self)) for accurate signature.

Static methods inherited from _ctypes.Structure:

__new__(*args, **kwargs) class method of _ctypes.Structure: Create and return a new object. See help(type) for accurate signature.

Methods inherited from _ctypes._CData:

__ctypes_from_outparam__(self, /): default __ctypes_from_outparam__ method returns self.

__hash__(self, /): Return hash(self).

__reduce__(self, /): Helper for pickle.

__setstate__(self, dict, data, /)

class MFTEntryHeader(_ctypes.Structure)

This class defines the MFT entry structure.

Method resolution order:: MFTEntryHeader; _ctypes.Structure; _ctypes._CData; builtins.object

Data descriptors defined here:

__dict__: dictionary for instance variables

__weakref__: list of weak references to the object

align

allocated_entry_size

base_file_record

first_attr_offset

fixup_entries

fixup_offset

flags

hard_link_count

log_seq_number

mft_record_number

next_attr_id

sequence_number

signature

used_entry_size

Methods inherited from _ctypes.Structure:

__buffer__(self, flags, /): Return a buffer object that exposes the underlying memory of the object.

__init__(self, /, *args, **kwargs): Initialize self. See help(type(self)) for accurate signature.

Static methods inherited from _ctypes.Structure:

__new__(*args, **kwargs) class method of _ctypes.Structure: Create and return a new object. See help(type) for accurate signature.

Methods inherited from _ctypes._CData:

__ctypes_from_outparam__(self, /): default __ctypes_from_outparam__ method returns self.

__hash__(self, /): Return hash(self).

__reduce__(self, /): Helper for pickle.

__setstate__(self, dict, data, /)

class NonResidentAttribute(_ctypes.Structure)

This class defines the MFT non resident attribute
specific fields (value outside the MFT,
value > ~700 bytes).

Method resolution order:: NonResidentAttribute; _ctypes.Structure; _ctypes._CData; builtins.object

Data descriptors defined here:

__dict__: dictionary for instance variables

__weakref__: list of weak references to the object

allocated_size

compression_unit_size

data_run_offset

initialized_size

last_vcn

real_size

reserved

starting_vcn

Methods inherited from _ctypes.Structure:

__buffer__(self, flags, /): Return a buffer object that exposes the underlying memory of the object.

__init__(self, /, *args, **kwargs): Initialize self. See help(type(self)) for accurate signature.

Static methods inherited from _ctypes.Structure:

__new__(*args, **kwargs) class method of _ctypes.Structure: Create and return a new object. See help(type) for accurate signature.

Methods inherited from _ctypes._CData:

__ctypes_from_outparam__(self, /): default __ctypes_from_outparam__ method returns self.

__hash__(self, /): Return hash(self).

__reduce__(self, /): Helper for pickle.

__setstate__(self, dict, data, /)

class ResidentAttribute(_ctypes.Structure)

This class defines the MFT resident attribute
specific fields (value inside the MFT,
small value - ~700 bytes).

Method resolution order:: ResidentAttribute; _ctypes.Structure; _ctypes._CData; builtins.object

Methods defined here:

read_resident_data(self, data: bytes) -> bytes: This method reads data from MFT entry (resident data).

Data descriptors defined here:

__dict__: dictionary for instance variables

__weakref__: list of weak references to the object

flags

reserved

value_length

value_offset

Methods inherited from _ctypes.Structure:

__buffer__(self, flags, /): Return a buffer object that exposes the underlying memory of the object.

__init__(self, /, *args, **kwargs): Initialize self. See help(type(self)) for accurate signature.

Static methods inherited from _ctypes.Structure:

__new__(*args, **kwargs) class method of _ctypes.Structure: Create and return a new object. See help(type) for accurate signature.

Methods inherited from _ctypes._CData:

__ctypes_from_outparam__(self, /): default __ctypes_from_outparam__ method returns self.

__hash__(self, /): Return hash(self).

__reduce__(self, /): Helper for pickle.

__setstate__(self, dict, data, /)

class SecurityDescriptor(_ctypes.Structure)

This class defines the $SECURITY_DESCRIPTOR MFT attribute.

Method resolution order:: SecurityDescriptor; _ctypes.Structure; _ctypes._CData; builtins.object

Methods defined here:

__str__(self): Return str(self).

Data descriptors defined here:

ControlFlags

OffsetDACL

OffsetGroup

OffsetOwner

OffsetSACL

Padding1

Revision

__dict__: dictionary for instance variables

__weakref__: list of weak references to the object

Methods inherited from _ctypes.Structure:

__buffer__(self, flags, /): Return a buffer object that exposes the underlying memory of the object.

__init__(self, /, *args, **kwargs): Initialize self. See help(type(self)) for accurate signature.

Static methods inherited from _ctypes.Structure:

__new__(*args, **kwargs) class method of _ctypes.Structure: Create and return a new object. See help(type) for accurate signature.

Methods inherited from _ctypes._CData:

__ctypes_from_outparam__(self, /): default __ctypes_from_outparam__ method returns self.

__hash__(self, /): Return hash(self).

__reduce__(self, /): Helper for pickle.

__setstate__(self, dict, data, /)

class StandardInformation(_ctypes.Structure)

This class defines the $STANDARD_INFORMATION MFT attribute.

Method resolution order:: StandardInformation; _ctypes.Structure; _ctypes._CData; builtins.object

Methods defined here:

__str__(self): Return str(self).

Data descriptors defined here:

AccessTime

ClassId

CreationTime

FileAttributes

MFTChangeTime

MaxVersions

ModificationTime

OwnerId

QuotaCharged

SecurityId

USN

VersionNumber

__dict__: dictionary for instance variables

__weakref__: list of weak references to the object

Methods inherited from _ctypes.Structure:

__buffer__(self, flags, /): Return a buffer object that exposes the underlying memory of the object.

__init__(self, /, *args, **kwargs): Initialize self. See help(type(self)) for accurate signature.

Static methods inherited from _ctypes.Structure:

__new__(*args, **kwargs) class method of _ctypes.Structure: Create and return a new object. See help(type) for accurate signature.

Methods inherited from _ctypes._CData:

__ctypes_from_outparam__(self, /): default __ctypes_from_outparam__ method returns self.

__hash__(self, /): Return hash(self).

__reduce__(self, /): Helper for pickle.

__setstate__(self, dict, data, /)

class StandardInformationLess2K(_ctypes.Structure)

This class defines the $STANDARD_INFORMATION MFT attribute.

Method resolution order:: StandardInformationLess2K; _ctypes.Structure; _ctypes._CData; builtins.object

Methods defined here:

__str__(self): Return str(self).

Data descriptors defined here:

AccessTime

ClassId

CreationTime

FileAttributes

MFTChangeTime

MaxVersions

ModificationTime

VersionNumber

__dict__: dictionary for instance variables

__weakref__: list of weak references to the object

Methods inherited from _ctypes.Structure:

__buffer__(self, flags, /): Return a buffer object that exposes the underlying memory of the object.

__init__(self, /, *args, **kwargs): Initialize self. See help(type(self)) for accurate signature.

Static methods inherited from _ctypes.Structure:

__new__(*args, **kwargs) class method of _ctypes.Structure: Create and return a new object. See help(type) for accurate signature.

Methods inherited from _ctypes._CData:

__ctypes_from_outparam__(self, /): default __ctypes_from_outparam__ method returns self.

__hash__(self, /): Return hash(self).

__reduce__(self, /): Helper for pickle.

__setstate__(self, dict, data, /)

Functions

__annotate__(format, /)

analyze_mft( file: BufferedReader, mft_entry: MFTEntryHeader, mft_entry_raw_data: bytes, mft_entry_offset: int, mft_entry_size: int, ntfs_offset: int, cluster_size: int ) -> Iterable[Tuple[Tuple[MFTEntryHeader, bytes], int]]: This generator analyzes the full MFT using the disk/partition disk.
This generator yields each MFT entries, data, offset, size, first entry for the data block
(if True: offset and full size written in MFT $DATA else: modified size and offset).

file_extract( file: BufferedReader, mft_entry: MFTEntryHeader, destination_path: str, mft_entry_raw_data: bytes, ntfs_offset: int ) -> None: This function extracts the full MFT file content.

file_extract_from_csv( filepath: str, target: BufferedWriter, entries_csv: TextIOWrapper, full_path_csv: TextIOWrapper, file: BufferedReader ) -> None: This function extracts file content from CSV files.

get_data_positions( mft_entry: MFTEntryHeader, mft_entry_offset: int, ntfs_offset: int ) -> Iterable[Tuple[int, int, bool]]: This generator yields each pair offset and size with boolean for resident data.

get_file_content( file: BufferedReader, mft_entry: MFTEntryHeader, ntfs_offset: int, mft_entry_raw_data: bytes ) -> Iterable[bytes]: This generator yields FILE content blocks or resident data.

parse_mft(*args, **kwargs) -> Tuple[BufferedReader, MFTEntryHeader, bytes, int, int, int, int]: This function parses the MFT from the disk, using NTFS
partition and VBR (first sector).

resolve_parents(name: str, record_sequence: Tuple[int, int], base: str = None) -> str: This function returns the parents directory string representation.

write_file_from_csv( filepath: str, data: bytes, entries_csv: TextIOWrapper, full_path_csv: TextIOWrapper, file: BufferedRandom, offset: int = 0 ) -> None: This function writes files from CSV.

Data
		__all__ = ['ACEHeader', 'ACL', 'AttributeHeader', 'AttributeHeaderNonResident', 'AttributeHeaderResident', 'AttributeList', 'FileName', 'MFTEntryHeader', 'NonResidentAttribute', 'ResidentAttribute', 'SecurityDescriptor', 'StandardInformation', 'StandardInformationLess2K', 'get_file_content', 'parse_mft', 'file_extract', 'file_extract_from_csv', 'write_file_from_csv', 'get_data_positions', 'resolve_parents', ...] __author_email__ = 'mauricelambert434@gmail.com' __conditional_annotations__ = {0, 1, 2} __copyright__ = '\nDiskAnalyzer Copyright (C) 2025, 2026 Maurice...ome to redistribute it\nunder certain conditions.\n' __description__ = '\nThis package implements multiples libraries and...tract informations from disk on the live system.\n' __license__ = 'GPL-3.0 License' __maintainer__ = 'Maurice Lambert' __maintainer_email__ = 'mauricelambert434@gmail.com' __url__ = 'https://github.com/mauricelambert/DiskAnalyzer'

Author
		Maurice Lambert