From 04736de821dcab3ddb9e1a4e953b71905ea18be6 Mon Sep 17 00:00:00 2001
From: Mike Cohen
Date: Mon, 19 Aug 2024 00:52:00 +1000
Subject: [PATCH] Allow full path reassembly in USN parser to be disabled (#95)
---
 parser/context.go | 7 +++++++
 parser/options.go | 4 ++++
 parser/usn.go | 4 ++++
 3 files changed, 15 insertions(+)
diff --git a/parser/context.go b/parser/context.go
index a570453..59bd601 100644
--- a/parser/context.go
+++ b/parser/context.go
@@ -83,6 +83,13 @@ func (self *NTFSContext) SetOptions(options Options) {
 self.options = options
 }
 
+func (self *NTFSContext) GetOptions() *Options {
+ self.mu.Lock()
+ defer self.mu.Unlock()
+
+ return &self.options
+}
+
 func (self *NTFSContext) Close() {
 if debug {
 fmt.Printf(STATS.DebugString())
diff --git a/parser/options.go b/parser/options.go
index 3dd68f5..e9339c2 100644
--- a/parser/options.go
+++ b/parser/options.go
@@ -17,6 +17,10 @@ type Options struct {
 // These path components will be added in front of each link
 // generated.
 PrefixComponents []string
+
+ // Disable resolution of USN paths through the MFT. This is useful
+ // when there is no MFT to look at.
+ DisableFullPathResolution bool
 }
 
 func GetDefaultOptions() Options {
diff --git a/parser/usn.go b/parser/usn.go
index 39aca35..f97b37f 100644
--- a/parser/usn.go
+++ b/parser/usn.go
@@ -87,6 +87,10 @@ func (self *USN_RECORD) Links() []string {
 }
 
 func (self *USN_RECORD) _Links(depth int) []string {
+ if self.context.GetOptions().DisableFullPathResolution {
+ return []string{self.Filename()}
+ }
+
 // Since this record could have meant a file deletion event
 // then resolving the actual MFT entry to a full path is less
 // reliable. It is more reliable to resolve the parent path,
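Review bot: In parser/context.go, `GetOptions` holds `self.mu` only while it takes the address of `self.options`, so every caller dereferences the returned pointer after the lock has been released. If `SetOptions` can run concurrently (whether it takes the same lock is outside the hunk), the read of `DisableFullPathResolution` in `_Links` is a data race, and any caller can also modify the context's options through the pointer without locking. Returning a copy keeps the lock meaningful: `func (self *NTFSContext) GetOptions() Options {` with `return self.options`; the field access at the call site in parser/usn.go compiles unchanged. A doc comment such as `// GetOptions returns a copy of the current parser options.` would also state the contract.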
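Review bot: The comment on `DisableFullPathResolution` in parser/options.go says what is switched off but not what callers receive instead. Per the parser/usn.go hunk of this commit, `_Links` then returns only the record's own filename, so same-named files in different directories become indistinguishable in the output; that belongs where the option is declared. Suggested addition: `// When set, USN record links contain only the file name (no parent path).` The struct and `GetDefaultOptions` continue outside the hunk, so that the default leaves this false is assumed from the zero value.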
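Review bot: The early return in `_Links` in parser/usn.go hands back `self.Filename()` before any of the function's remaining logic runs, and that logic lies outside the hunk. If `PrefixComponents` is applied further down in `_Links` rather than in `Links`, this branch skips the prefix that `Options` documents as added in front of each link generated; that is worth confirming and, if so, prepending here. The branch also carries no comment; something like `// No MFT to consult: report the bare filename instead of a resolved path.` would make clear that the partial result is intentional.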