From 4eb72316bdca2277248ea3802a68d4274432ad09 Mon Sep 17 00:00:00 2001
From: forensicmatt
Date: Fri, 6 Sep 2019 18:13:08 -0600
Subject: Added MftEntry::from_buffer_skip_fixup()

Added MftEntry::from_buffer_skip_fixup() to get a MftEntry from a buffer that does not have fixup values applied.
---
 src/entry.rs | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/src/entry.rs b/src/entry.rs
index a4e3919..a0a4a99 100644
--- a/src/entry.rs
+++ b/src/entry.rs
@@ -187,6 +187,29 @@ impl MftEntry {
 })
 }

+ /// Initializes an MFT Entry from a buffer but skips applying fixups
+ /// It is not recommended to use this function unless you know what you are doing.
+ /// The main purpose of it is for use when you have buffers that already have fixup
+ /// already applied. For example, using Windows API
+ /// (https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ni-winioctl-fsctl_get_ntfs_file_record)
+ pub fn from_buffer_skip_fixup(buffer: Vec, entry_number: u64) -> Result {
+ let mut cursor = Cursor::new(&buffer);
+ // Get Header
+ let entry_header = EntryHeader::from_reader(&mut cursor, entry_number)?;
+ trace!("Number of sectors: {:#?}", entry_header);
+
+ if !entry_header.is_valid() {
+ return Err(err::Error::InvalidEntrySignature {
+ bad_sig: entry_header.signature.to_vec()
+ });
+ }
+
+ Ok(MftEntry {
+ header: entry_header,
+ data: buffer,
+ })
+ }
+
 /// Retrieves most human-readable representation of a file path entry.
 /// Will prefer `Win32` file name attributes, and fallback to `Dos` paths.
 pub fn find_best_name_attribute(&self) -> Option {
--
cgit v1.2.3

From 65785ba2fc5dcf5589dfad40d5693d3bba1e6369 Mon Sep 17 00:00:00 2001
From: forensicsmatt
Date: Sat, 14 Sep 2019 08:23:27 -0600
Subject: Better doc; Use ensure! for error return;

Better doc; Use ensure! for error return;
---
 src/entry.rs | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/src/entry.rs b/src/entry.rs
index a0a4a99..f1b2a63 100644
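Review bot: With fixup processing skipped, the signature test `entry_header.is_valid()` is the only validation performed before `data: buffer` is stored, so a truncated or corrupted record from an untrusted image is accepted as long as its leading bytes parse as a header. If the header carries a used or allocated entry size (its fields are not visible in this hunk), comparing that size with `buffer.len()` here would let later attribute parsing rely on the buffer being long enough. Separately, `trace!("Number of sectors: {:#?}", entry_header);` logs the whole header under a label that does not match it; `trace!("Entry header: {:#?}", entry_header);` would describe what is actually printed.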
--- a/src/entry.rs
+++ b/src/entry.rs
@@ -187,22 +187,21 @@ impl MftEntry {
 })
 }

- /// Initializes an MFT Entry from a buffer but skips applying fixups
- /// It is not recommended to use this function unless you know what you are doing.
- /// The main purpose of it is for use when you have buffers that already have fixup
- /// already applied. For example, using Windows API
- /// (https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ni-winioctl-fsctl_get_ntfs_file_record)
+ /// Initializes an MFT Entry from a buffer but skips checking and fixing the
+ /// fixup array. This will throw InvalidEntrySignature error if the entry header
+ /// is not valid.
 pub fn from_buffer_skip_fixup(buffer: Vec, entry_number: u64) -> Result {
 let mut cursor = Cursor::new(&buffer);
 // Get Header
 let entry_header = EntryHeader::from_reader(&mut cursor, entry_number)?;
 trace!("Number of sectors: {:#?}", entry_header);

- if !entry_header.is_valid() {
- return Err(err::Error::InvalidEntrySignature {
+ ensure!(
+ entry_header.is_valid(),
+ err::InvalidEntrySignature {
 bad_sig: entry_header.signature.to_vec()
- });
- }
+ }
+ );

 Ok(MftEntry {
 header: entry_header,
--
cgit v1.2.3
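Review bot: The rewritten doc comment on `from_buffer_skip_fixup` drops the one caveat a caller needs, namely that the function is only correct for buffers whose fixups were already applied (the removed text gave FSCTL_GET_NTFS_FILE_RECORD output as the example). On a raw on-disk record the last two bytes of each sector still hold the update sequence number, so the entry would parse with silently wrong bytes and the torn-write check is lost. I would keep a line such as `/// Only use this on buffers whose fixups are already applied (e.g. FSCTL_GET_NTFS_FILE_RECORD output); raw on-disk records will parse with wrong sector-end bytes.` Since Rust returns errors rather than throwing them, `/// Returns an InvalidEntrySignature error if the entry header is not valid.` would also read better. The function body continues past the end of this hunk.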