1

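I am trying to extract the contents of the Master File Table (MFT). I have copied the MFT from my NTFS volume and saved it as a .bin file. Now I am trying to read this file using the unpack function provided in Python. I am reading the 8 bits allocated for the actual file size stored in the file name attribute of the file record, as follows: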

d['real_fsize'] = struct.unpack("<d",s[48:56])[0]

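The problem I am facing is that the file size I get is 3.5e-323. The MFT stores file sizes in bytes, but the answer I get seems absurd. So is there any way to correct this?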

4

2 Answers

1

The file name attribute is not accurate to display file size correctly. As I understand it, it's updated when the file is viewed in Windows Explorer because the file name attribute is part of the INDX blocks for folders. So it's easier when you navigate to show what you have in the directory tree than to re-parse the file record to find its size. There are also other sizes in the file name attribute structure that refer to the attribute's name and the actual file name size.

The accurate size of the file is given by the DATA attribute (type 0x80) and a file might have multiple data attributes. The unnamed DATA attributes are the main content of the file.

answered 2015-05-14T11:06:34.547
0

You are trying to read an integer (a ULONGLONG) as a double floating-point value, which will produce bogus results.

Instead of the d (for double) struct format, use Q (for QWORD):

d['real_fsize'], = struct.unpack("<Q", s[48:56])

You should see a reasonable value.

answered 2018-07-15T01:32:45.870
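
Both answers combined in one added example (not code from either poster): it walks the attributes of a single FILE record, reads the $FILE_NAME real size as an unsigned 64-bit integer, and reads the size of the unnamed $DATA attribute (type 0x80) for comparison. The record is constructed inline with deliberately different sizes, the function names are hypothetical, and it assumes update sequence fixups have already been applied to the record.

```python
import struct

def misread_as_double(n):
    """What an unsigned 64-bit size n looks like when unpacked with "<d"."""
    return struct.unpack("<d", struct.pack("<Q", n))[0]

def attr_sizes(record):
    """Return ($FILE_NAME real size, unnamed $DATA size) from one FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    off = struct.unpack_from("<H", record, 20)[0]        # offset of first attribute
    fn_size = data_size = None
    while off + 24 <= len(record):
        atype, alen, nonres, name_len = struct.unpack_from("<IIBB", record, off)
        if atype == 0xFFFFFFFF or alen < 24 or off + alen > len(record):
            break                                        # end marker or bad length
        if nonres:
            if alen < 64:
                break                                    # truncated non-resident header
            size, body = struct.unpack_from("<Q", record, off + 48)[0], b""
        else:
            size, c_off = struct.unpack_from("<IH", record, off + 16)
            body = record[off + c_off: off + c_off + size]
        if atype == 0x30 and len(body) >= 56:
            fn_size = struct.unpack_from("<Q", body, 48)[0]  # ULONGLONG, not a double
        elif atype == 0x80 and name_len == 0:
            data_size = size
        off += alen
    return fn_size, data_size

def build_sample(fn_size, data_size):
    """Constructed 1024-byte record: resident $FILE_NAME, non-resident $DATA."""
    body = bytearray(66) + "a.txt".encode("utf-16-le")   # 76-byte $FILE_NAME content
    struct.pack_into("<Q", body, 48, fn_size)
    body[64] = 5                                         # name length in characters
    fn = struct.pack("<IIBBHHHIHH", 0x30, 104, 0, 0, 0, 0, 0, len(body), 24, 0)
    fn += bytes(body) + bytes(4)                         # pad to 8-byte boundary
    data = struct.pack("<IIBBHHHQQHHIQQQ", 0x80, 72, 1, 0, 0, 0, 1, 0, 1, 64, 0, 0,
                       8192, data_size, data_size)
    data += b"\x11\x02\x10\x00" + bytes(4)               # one data run, then padding
    rec = bytearray(56)
    rec[:4] = b"FILE"
    struct.pack_into("<H", rec, 20, 56)                  # first attribute at 0x38
    rec += fn + data + struct.pack("<I", 0xFFFFFFFF)     # end-of-attributes marker
    return bytes(rec.ljust(1024, b"\0"))

SAMPLE = build_sample(fn_size=7, data_size=5000)         # constructed values
```

The 3.5e-323 in the question is exactly what the integer 7 produces when its eight bytes are unpacked as a double, which `misread_as_double(7)` reproduces.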