Add versioning to MFT extension classes

Author: dgmcdona

volatility3/framework/plugins/windows/mftscan.py

@@ -49,6 +49,21 @@ def get_requirements(cls):
                 component=timeliner.TimeLinerInterface,
                 version=(1, 0, 0),
             ),
+            requirements.VersionRequirement(
+                name="mft_entry",
+                component=mft.MFTEntry,
+                version=(1, 0, 0),
+            ),
+            requirements.VersionRequirement(
+                name="mft_filename",
+                component=mft.MFTFileName,
+                version=(1, 0, 0),
+            ),
+            requirements.VersionRequirement(
+                name="mft_attribute",
+                component=mft.MFTAttribute,
+                version=(1, 0, 0),
+            ),
             requirements.VersionRequirement(
                 name="yarascanner", component=yarascan.YaraScanner, version=(2, 1, 0)
             ),

volatility3/framework/symbols/windows/extensions/mft.py

@@ -5,14 +5,20 @@
 import logging
 from typing import Dict, Iterator, List, Optional, Tuple
 
+from volatility3 import framework
 from volatility3.framework import constants, exceptions, interfaces, objects
 
 vollog = logging.getLogger(__name__)
 
 
-class MFTEntry(objects.StructType):
+class MFTEntry(objects.StructType, interfaces.configuration.VersionableInterface):
     """This represents the base MFT Record"""
 
+    _version = (1, 0, 0)
+    _required_framework_version = (2, 26, 0)
+
+    framework.require_interface_version(*_required_framework_version)
+
     def __init__(
         self,
         context: interfaces.context.ContextInterface,
@@ -144,19 +150,31 @@ def alternate_data_streams(self) -> Iterator["MFTAttribute"]:
                 yield attr
 
 
-class MFTFileName(objects.StructType):
+class MFTFileName(objects.StructType, interfaces.configuration.VersionableInterface):
     """This represents an MFT $FILE_NAME Attribute"""
 
+    _version = (1, 0, 0)
+
+    _required_framework_version = (2, 26, 0)
+
+    framework.require_interface_version(*_required_framework_version)
+
     def get_full_name(self) -> objects.String:
         output = self.Name.cast(
             "string", encoding="utf16", max_length=self.NameLength * 2, errors="replace"
         )
         return output
 
 
-class MFTAttribute(objects.StructType):
+class MFTAttribute(objects.StructType, interfaces.configuration.VersionableInterface):
     """This represents an MFT ATTRIBUTE"""
 
+    _version = (1, 0, 0)
+
+    _required_framework_version = (2, 26, 0)
+
+    framework.require_interface_version(*_required_framework_version)
+
     def get_resident_filename(self) -> Optional[objects.String]:
         # 4MB chosen as cutoff instead of 4KB to allow for recovery from format /L created file systems
         # Length as 512 as its 256*2, which is the maximum size for an entire file path, so this is even generous