Year of Python (YOP) – Week 10


Hello Reader!

Well we’ve hit week ten, and this will be the third VBR script in this “mini series”.  This time I’ve written a snippet of code that will parse an NTFS VBR.

Again, the code follows the same basic structure as the FAT VBR scripts, but the NTFS layout differs once you get 32 bytes into it…

For example, the total number of sectors recorded in the VBR is an eight-byte value, versus a four-byte value.  Another difference is that the eight bytes at sector offset 48 hold the sector address of the $MFT, which is an important system file on an NTFS file system.
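As an added illustration (not the script from this post), here is one way to parse the NTFS-specific fields described above using Python's struct module. On disk the value at offset 48 is stored as a cluster number, so the example multiplies it by sectors per cluster to get the sector address; the function names, the sanity checks and the sample sector are constructed for this example.

```python
import struct

SECTOR_SIZE = 512  # the VBR is the first sector of the partition

def parse_ntfs_vbr(vbr: bytes) -> dict:
    """Parse the fixed fields of an NTFS VBR, rejecting sectors that are not NTFS."""
    if len(vbr) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    if vbr[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '")
    if vbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA end-of-sector signature")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", vbr, 11)
    if bytes_per_sector == 0 or sectors_per_cluster == 0:
        raise ValueError("zero sector or cluster size")
    # Offsets 40, 48, 56: eight-byte little-endian values (FAT uses four bytes).
    total_sectors, mft_cluster, mirr_cluster = struct.unpack_from("<QQQ", vbr, 40)
    (rec_raw,) = struct.unpack_from("<b", vbr, 64)  # signed byte
    (serial,) = struct.unpack_from("<Q", vbr, 72)
    cluster_size = bytes_per_sector * sectors_per_cluster
    # A negative value n means the MFT record is 2**|n| bytes, not n clusters.
    record_size = 1 << -rec_raw if rec_raw < 0 else rec_raw * cluster_size
    mft_sector = mft_cluster * sectors_per_cluster
    if mft_sector >= total_sectors:
        raise ValueError("$MFT start lies outside the volume")
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "total_sectors": total_sectors,
        "mft_cluster": mft_cluster,
        "mft_sector": mft_sector,  # relative to the start of the partition
        "mftmirr_cluster": mirr_cluster,
        "mft_record_size": record_size,
        "serial": f"{serial:016X}",
    }

def build_sample_vbr() -> bytes:
    """Constructed sample sector (made-up values, not from a real disk)."""
    vbr = bytearray(SECTOR_SIZE)
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<HB", vbr, 11, 512, 8)
    struct.pack_into("<QQQ", vbr, 40, 20_971_519, 786_432, 2)
    struct.pack_into("<b", vbr, 64, -10)
    struct.pack_into("<Q", vbr, 72, 0x1234ABCD5678EF00)
    vbr[510:512] = b"\x55\xaa"
    return bytes(vbr)

if __name__ == "__main__":
    for name, value in parse_ntfs_vbr(build_sample_vbr()).items():
        print(f"{name:20} {value}")
```

To use it on a disk image, read 512 bytes at the partition's starting offset and pass them to `parse_ntfs_vbr`; add the partition's starting sector to `mft_sector` to get the position within the whole image.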

The overall idea for the larger program is to be able to point it at a disk image (or even a disk if you want) and have it parse out the master boot record, follow the partition entries to the start of each partition, and then parse the VBR of each of those partitions.  I might even stretch it further and, if it’s an NTFS file system, locate the $MFT file and parse that out as well.  However, for the $MFT I’ll probably just incorporate analyzeMFT as a module and parse the file using that.

Until next week!


One Response to “Year of Python (YOP) – Week 10”

  1. Rudy

    Excellent work and keep it up! This is motivating me to do something similar on my end.
