alternate data streams, print data

[theflakes]

Hello and thanks for this crate.

I'm working on a file forensic tool. I'm able to get all alternate data streams and their names. But I'm struggling figuring out how to get to the data for each. Below is as far as I've gotten. Just not sure how to reference the data part of this structure.

let stream = attribute.value(fs)?;
println!("{:?}", stream);

Output is: Resident(NtfsResidentAttributeValue { data: [34, 116, 104, 105, 115, 32, 105, 115, 32, 101, 118, 105, 108, 34, 32, 13, 10], position: NtfsPosition(Some(3253758424)), stream_position: 0 })

I apologize as I'm not a developer, just a hacker. Any tips would be greatly appreciated.

This is the tool I'm working on: https://github.com/theflakes/fmd

thanks

[ColinFinck]

Hi! The NtfsAttributeValue object you got via attribute.value(fs)? implements the NtfsReadSeek trait to read the actual attribute value or move the read cursor inside the data stream.
The ntfs-shell example uses it here:

ntfs/examples/ntfs-shell/main.rs

Lines 528 to 537 in 9348d72

	let mut buf = [0u8; 4096];
	loop {
	let bytes_read = data_value.read(&mut info.fs, &mut buf)?;
	if bytes_read == 0 {
	break;
	}
	output_file.write(&buf[..bytes_read])?;
	}

In fact, NtfsReadSeek is also implemented for the more specific attribute value structures (such as NtfsResidentAttributeValue).

BONUS: If you need an object that implements the std::io-compatible Read and Seek traits, you can use the attach method of NtfsAttributeValue, which returns such an object.
Due to the way Read and Seek are defined, this requires the returned object to mutably borrow fs. To use fs for something else again, you can either let the returned object go out of scope or use its detach method to retrieve the original NtfsAttributeValue again.

[theflakes]

Thank you, this really helped.