def process_mft_file(self):
        self.sizecheck()

        self.build_filepaths()

        # reset the file reading
        self.num_records = 0
        self.file_mft.seek(0)
        raw_record = self.file_mft.read(1024)

        if self.output != None and not self.json:
            self.file_csv.writerow(mft.mft_to_csv(None, True))
        elif self.output != None and self.json:
            self.header = mft.mft_to_csv(None, True)

        while raw_record != "":
            record = {}
            record = mft.parse_record(raw_record, False)

            record['filename'] = self.mft[self.num_records]['filename']

            self.do_output(record)

            self.num_records = self.num_records + 1

            if record['ads'] > 0:
                for i in range(0, record['ads']):
                    record_ads = record.copy()
                    record_ads['filename'] = record['filename'] + ':' + record['data_name', i]
                    self.do_output(record_ads)

            raw_record = self.file_mft.read(1024)
Beispiel #2
0
    def process_mft_file(self):
        self.sizecheck()

        self.build_filepaths()

        # reset the file reading
        self.num_records = 0
        self.file_mft.seek(0)
        raw_record = self.file_mft.read(1024)

        if self.output is not None and not self.json:
            self.file_csv.writerow(mft.mft_to_csv(None, True))
        elif self.output is not None and self.json:
            self.header = mft.mft_to_csv(None, True)

        while raw_record != "":
            record = mft.parse_record(raw_record, False)
            record['filename'] = self.mft[self.num_records]['filename']
            self.do_output(record)
            self.num_records += 1
            if record['ads'] > 0:
                for i in range(0, record['ads']):
                    record_ads = record.copy()
                    record_ads['filename'] = record['filename'] + ':' + record[
                        'data_name', i]
                    self.do_output(record_ads)
            raw_record = self.file_mft.read(1024)
        if self.json:
            close_json_writer(self.json_writer)
Beispiel #3
0
 def do_output(self, record):
     if self.output != None and not self.json:
         self.file_csv.writerow(mft.mft_to_csv(record, False))
     elif self.output != None and self.json:
         write_to_json(self.header, mft.mft_to_csv(record, False), self.json_writer)
     if self.num_records % (self.mftsize / 5) == 0 and self.num_records > 0:
         self.logger.info('Building MFT: {0:.0f}'.format(100.0 * self.num_records / self.mftsize) + '%')
Beispiel #4
0
    def do_output(self, record):

        if self.options.inmemory:
            self.fullmft[self.num_records] = record

        if self.options.output is not None:
            self.file_csv.writerow(mft.mft_to_csv(record, False, self.options))

        if self.options.json is not None:
            with open(self.options.json, 'a') as outfile:
                json.dump(mft.mft_to_json(record), outfile)
                outfile.write('\n')

        if self.options.csvtimefile is not None:
            self.file_csv_time.write(mft.mft_to_l2t(record))

        if self.options.bodyfile is not None:
            self.file_body.write(
                mft.mft_to_body(record, self.options.bodyfull,
                                self.options.bodystd))

        if self.options.progress:
            if self.num_records % (self.mftsize /
                                   5) == 0 and self.num_records > 0:
                print 'Building MFT: {0:.0f}'.format(
                    100.0 * self.num_records / self.mftsize) + '%'
Beispiel #5
0
    def process_mft_file(self):

        self.sizecheck()

        self.build_filepaths()

        # reset the file reading
        self.num_records = 0
        self.file_mft.seek(0)
        raw_record = self.file_mft.read(1024)

        if self.options.output is not None:
            self.file_csv.writerow(mft.mft_to_csv(None, True, self.options))

        while raw_record != "":
            record = mft.parse_record(raw_record, self.options)
            if self.options.debug:
                print record

            record['filename'] = self.mft[self.num_records]['filename']

            self.do_output(record)

            self.num_records += 1

            if record['ads'] > 0:
                for i in range(0, record['ads']):
                    #                         print "ADS: %s" % (record['data_name', i])
                    record_ads = record.copy()
                    record_ads['filename'] = record['filename'] + ':' + record[
                        'data_name', i]
                    self.do_output(record_ads)

            raw_record = self.file_mft.read(1024)
Beispiel #6
0
    def do_output(self, record):

        if self.options.inmemory:
            self.fullmft[self.num_records] = record

        if self.options.output is not None:
            rows = mft.mft_to_csv(record, False, self.options)
            mft_rows = list()
            for row in rows:
                if type(row) is str:
                    mft_rows.append(row.decode('utf8').encode('cp949'))
                else:
                    mft_rows.append(row)
            self.file_csv.writerow(mft_rows)

        if self.options.json is not None:
            with open(self.options.json, 'a') as outfile:
                json.dump(mft.mft_to_json(record), outfile)
                outfile.write('\n')

        if self.options.csvtimefile is not None:
            self.file_csv_time.write(mft.mft_to_l2t(record))

        if self.options.bodyfile is not None:
            self.file_body.write(
                mft.mft_to_body(record, self.options.bodyfull,
                                self.options.bodystd))

        if self.options.progress:
            if self.num_records % (self.mftsize /
                                   5) == 0 and self.num_records > 0:
                print 'Building MFT: {0:.0f}'.format(
                    100.0 * self.num_records / self.mftsize) + '%'
Beispiel #7
0
     def process_mft_file(self):
          
          self.sizecheck()
          		 
          self.build_filepaths()
          
          #reset the file reading
          self.num_records = 0
          self.file_mft.seek(0)
          raw_record = self.file_mft.read(1024)

          
          if self.options.output != None:
               self.file_csv.writerow(mft.mft_to_csv(None, True, self.options))                    

          while raw_record != "":

               record = {}
               record = mft.parse_record(raw_record, self.options)
               if self.options.debug: print record
               
               record['filename'] = self.mft[self.num_records]['filename']

               self.do_output(record)
               
               self.num_records = self.num_records + 1
               
               if record['ads'] > 0:
                    for i in range(0, record['ads']):
#                         print "ADS: %s" % (record['data_name', i])
                         record_ads = record.copy()
                         record_ads['filename'] = record['filename'] + ':' + record['data_name', i]
                         self.do_output(record_ads)

               raw_record = self.file_mft.read(1024)   
Beispiel #8
0
    def do_output(self, record):
        
        
        if self.options.inmemory:
            self.fullmft[self.num_records] = record

        if self.options.output is not None:
            self.file_csv.writerow(mft.mft_to_csv(record, False, self.options))
        
        if self.options.json is not None:    
            with open(self.options.json, 'a') as outfile:
                json.dump(mft.mft_to_json(record), outfile)
                outfile.write('\n')
            
        
 
    
            
        if self.options.csvtimefile is not None:
            self.file_csv_time.write(mft.mft_to_l2t(record))

        if self.options.bodyfile is not None:
            self.file_body.write(mft.mft_to_body(record, self.options.bodyfull, self.options.bodystd))

        if self.options.progress:
            if self.num_records % (self.mftsize / 5) == 0 and self.num_records > 0:
                print 'Building MFT: {0:.0f}'.format(100.0 * self.num_records / self.mftsize) + '%'
Beispiel #9
0
    def do_output(self, record):
        if self.output != None:
            self.file_csv.writerow(mft.mft_to_csv(record, False))

        if self.num_records % (self.mftsize / 5) == 0 and self.num_records > 0:
            self.logger.info('Building MFT: {0:.0f}'.format(100.0 *
                                                            self.num_records /
                                                            self.mftsize) +
                             '%')
Beispiel #10
0
     def process_mft_file(self):
          
          self.sizecheck()
          		 
          self.build_filepaths()
          
          #reset the file reading
          self.num_records = 0
          self.file_mft.seek(0)
          raw_record = self.file_mft.read(1024)

          
          if self.options.output != None:
               self.file_csv.writerow(mft.mft_to_csv(None, True))                    

          while raw_record != "":

               record = {}
               record = mft.parse_record(raw_record, self.options)
               if self.options.debug: print record
               
               record['filename'] = self.mft[self.num_records]['filename']
               
               if self.options.inmemory:
                    self.fullmft[self.num_records] = record

               if self.options.output != None:
                    self.file_csv.writerow(mft.mft_to_csv(record, False))

               if self.options.csvtimefile != None:
                    self.file_csv_time.write(mft.mft_to_l2t(record))

               if self.options.bodyfile != None:
                    self.file_body.write(mft.mft_to_body(record, self.options.bodyfull, self.options.bodystd))	

               if self.options.progress:
                    if self.num_records % (self.mftsize/5) == 0 and self.num_records > 0:
                         print 'Building MFT: {0:.0f}'.format(100.0*self.num_records/self.mftsize) + '%'

               self.num_records = self.num_records + 1
  
               raw_record = self.file_mft.read(1024)   
Beispiel #11
0
     def do_output(self, record):
          
          if self.options.inmemory:
               self.fullmft[self.num_records] = record

          if self.options.output != None:
               self.file_csv.writerow(mft.mft_to_csv(record, False, self.options))

          if self.options.csvtimefile != None:
               self.file_csv_time.write(mft.mft_to_l2t(record))

          if self.options.bodyfile != None:
               self.file_body.write(mft.mft_to_body(record, self.options.bodyfull, self.options.bodystd))	

          if self.options.progress:
               if self.num_records % (self.mftsize/5) == 0 and self.num_records > 0:
                    print 'Building MFT: {0:.0f}'.format(100.0*self.num_records/self.mftsize) + '%'
Beispiel #12
0
    def do_output(self, record):

        if self.options.inmemory:
            self.fullmft[self.num_records] = record

        if self.options.output is not None:
            all_record = []
            recordx = mft.mft_to_csv(record, False, self.options)
            if 'Corrupt' in recordx:
                pass
            elif recordx[8] == 'NoSIRecord':
                pass
            else:
                app = {}
                app['RecordNumber'] = recordx[0]
                app['Good'] = recordx[1]
                app['Active'] = recordx[2]
                app['Recordtype'] = recordx[3]
                app['SequenceNumber'] = recordx[4]
                #app['ParentFileRec']= recordx[5]
                app['ParentFileRec_Seq_'] = recordx[6]
                app['Filename_1'] = recordx[7]
                app['StdInfoCreationdate'] = recordx[8].replace(' ', 'T')
                try:
                    date = parser.parse(recordx[8]).isoformat()
                except:
                    date = '1700-01-01T00:00:00'
                    date = parser.parse(date)
                    date = date.isoformat()
                app['@timestamp'] = date
                app['StdInfoModificationdate'] = recordx[9].replace(' ', 'T')
                app['StdInfoAccessdate'] = recordx[10].replace(' ', 'T')
                app['StdInfoEntrydate'] = recordx[11].replace(' ', 'T')
                app['FNInfoCreationdate'] = recordx[12]
                app['FNInfoModificationdate'] = recordx[13].replace(' ', 'T')
                app['FNInfoAccessdate'] = recordx[14]
                app['FNInfoEntrydate'] = recordx[15]
                app['BirthVolumeID'] = recordx[16]
                app['BirthObjectID'] = recordx[17]
                app['BirthDomainID'] = recordx[18]
                app['Filename_2'] = recordx[19]
                app['FNInfoCreationdate'] = recordx[20].replace(' ', 'T')
                app['FNInfoModifydate'] = recordx[21].replace(' ', 'T')
                app['FNInfoAccessdate'] = recordx[22].replace(' ', 'T')
                app['FNInfoEntrydate'] = recordx[23].replace(' ', 'T')
                app['Filename_3'] = recordx[24]
                app['FNInfoCreationdate'] = recordx[25].replace(' ', 'T')
                app['FNInfoModifydate'] = recordx[26].replace(' ', 'T')
                app['FNInfoAccessdate'] = recordx[27].replace(' ', 'T')
                app['FNInfoEntrydate'] = recordx[28].replace(' ', 'T')
                app['Filename_4'] = recordx[29]
                app['FNInfoCreationdate'] = recordx[30].replace(' ', 'T')
                app['FNInfoModifydate'] = recordx[31].replace(' ', 'T')
                app['FNInfoAccessdate'] = recordx[32].replace(' ', 'T')
                app['FNInfoEntrydate'] = recordx[33].replace(' ', 'T')
                app['StandardInformation'] = recordx[34]
                app['AttributeList'] = recordx[35]
                app['Filename'] = recordx[36]
                app['ObjectID'] = recordx[37]
                app['VolumeName'] = recordx[38]
                app['VolumeInfo'] = recordx[39]
                app['Data'] = recordx[40]
                app['IndexRoot'] = recordx[41]
                app['IndexAllocation'] = recordx[42]
                app['Bitmap'] = recordx[43]
                app['ReparsePoint'] = recordx[44]
                app['EAInformation'] = recordx[45]
                app['EA'] = recordx[46]
                app['PropertySet'] = recordx[47]
                app['LoggedUtilityStream'] = recordx[48]
                app['Log/Notes'] = recordx[49]
                app['STFFNShift'] = recordx[50]
                app['uSecZero'] = recordx[51]
                app['ADS'] = recordx[52]
                app['PossibleCopy'] = recordx[53]
                app['PossibleVolumeMove'] = recordx[54]
                app = dict((k, str(v)) for k, v in app.iteritems())
                all_record.append(app)
                return app
            # self.file_csv.writerow(mft.mft_to_csv(record, False, self.options))

        if self.options.json is not None:
            #print record
            #print "\n"
            with open(self.options.json, 'a') as outfile:
                json.dump(mft.mft_to_json(record), outfile)
                outfile.write('\n')

        if self.options.csvtimefile is not None:
            self.file_csv_time.write(mft.mft_to_l2t(record))

        if self.options.bodyfile is not None:
            self.file_body.write(
                mft.mft_to_body(record, self.options.bodyfull,
                                self.options.bodystd))

        if self.options.progress:
            if self.num_records % (self.mftsize /
                                   5) == 0 and self.num_records > 0:
                print 'Building MFT: {0:.0f}'.format(
                    100.0 * self.num_records / self.mftsize) + '%'
    def do_output(self, record):
        if self.output != None:
            self.file_csv.writerow(mft.mft_to_csv(record, False))

        if self.num_records % (self.mftsize / 5) == 0 and self.num_records > 0:
            self.logger.info('Building MFT: {0:.0f}'.format(100.0 * self.num_records / self.mftsize) + '%')