parse_ntfs_i30

Plugin

ArgDescriptionType
deviceThe device file to open. This may be a full path for example C:\Windows - we will figure out the device automatically.string
filenameA raw image to open. You can also provide the accessor if using a raw image file.OSPath
accessorThe accessor to use.string
inodeThe MFT entry to parse in inode notation (5-144-1).string
mftThe MFT entry to parse.int64
mft_offsetThe offset to the MFT entry to parse.int64

Description

Scan the $I30 stream from an NTFS MFT entry.

This is similar in use to the parse_ntfs() function but parses the $I30 stream.