# get the inum (MFT entry number) of the $UsnJrnl --> located in $Extend|$INDEX_ROOT attribute usn_jrnl_inum = mft.entries[11].\ attributes[AttributeTypeEnum.INDEX_ROOT][0].\ entries[AttributeTypeEnum.FILE_NAME]['$UsnJrnl'].\ file_reference_mft_entry # carve out the logfile (inum 2) and store in local temporary file mft.extract_data(inum=2, output_file=logfile_file.name, stream=0) # carve out the $UsnJrnl (inum searched for above) and store in local temporary file mft.extract_data(inum=usn_jrnl_inum, output_file=usnjrnl_file.name, stream=0) # pass the temporary logfile-file into the $LogFile class and parse it log_file = LogFile(dump_dir=args.dump_dir, file_name=logfile_file.name) log_file.parse_all() log_file.connect_transactions() # pass the temporary usnjrnl-file into the $UsnJrnl class and parse it usn_jrnl = UsnJrnl(usnjrnl_file.name) usn_jrnl.parse() # close the temporary files as all the needed data is in the local variables usn_jrnl and log_file usnjrnl_file.close() logfile_file.close() # $UsnJrnl records ordered by MFT entry usnjrnl_grouped = usn_jrnl.grouped_by_entry # If no inum has been given as input go through all the available data,
help='Number of pages to parse. If left out, all pages are parsed', dest='num', type=int)
    # ... tail of parse_args(); its definition begins before this span.
    parser.add_argument('-q', help='Select what LSN\'s to output (parsed). Comma separated.', dest='lsns')
    parser.add_argument('-p', help='Put program in performance measurement mode', action="store_true")
    # NOTE(review): parser.parse_args() is called without the argument list
    # handed to parse_args(), so the function always reads sys.argv[1:] itself
    # and its own parameter is ignored; forwarding it (parser.parse_args(argv))
    # would make the function usable with an explicit argument list.
    return parser.parse_args()


if __name__ == '__main__':
    # Command-line entry point: parse one $LogFile dump and write it out in
    # the requested export format.
    args = parse_args(sys.argv[1:])
    # -p switches the parser into performance measurement mode.
    data = LogFile(dump_dir=args.dump_dir, file_name=args.file_name, performance=args.p)
    # args.num is None when the page-count option is omitted, which the help
    # text documents as "all pages are parsed".
    data.parse_all(args.num)
    if args.export_type == 'parsed':
        data.export_parsed(export_file=args.export_file)
    elif args.export_type == 'csv':
        # The csv, transaction and parsedlsns exports all need the parsed
        # records linked into transactions first.
        data.connect_transactions()
        data.export_csv(export_file=args.export_file)
    elif args.export_type == 'transaction':
        data.connect_transactions()
        #data.print_transactions(export_file=args.export_file)
        #data.print_faulty_transactions(export_file=args.export_file)
        data.export_transactions(export_file=args.export_file)
    elif args.export_type == 'parsedlsns':
        data.connect_transactions()
        # NOTE(review): -q has no default, so args.lsns is None when it is
        # omitted and .split() raises AttributeError; a non-numeric item
        # raises ValueError. Validating args.lsns up front (or requiring -q
        # for this export type) would give a usage error instead of a
        # traceback.
        data.export_parsed_lsns(export_file=args.export_file, lsn_numbers=[int(num) for num in args.lsns.split(',')])
# Parse the complete MFT of the image named on the command line, starting
# from the boot sector located earlier (`sector` is defined before this span).
mft = MFT(image_name=args.image, boot_sector=sector)
mft.parse_all()
# Locate the inum (MFT entry number) of the $UsnJrnl. It is not a reserved
# entry, so it is looked up by name in the $INDEX_ROOT attribute of MFT
# entry 11 (the reserved $Extend directory), via its FILE_NAME index.
# NOTE(review): this chain raises IndexError/KeyError when the index has no
# '$UsnJrnl' entry (e.g. change journaling was never enabled on the volume);
# a clear error message would serve the analyst better than a traceback.
usn_jrnl_inum = mft.entries[11].\
    attributes[AttributeTypeEnum.INDEX_ROOT][0].\
    entries[AttributeTypeEnum.FILE_NAME]['$UsnJrnl'].\
    file_reference_mft_entry
# Carve $LogFile (reserved MFT entry 2) into the caller-supplied temporary
# file. stream=0 presumably selects the unnamed $DATA stream -- confirm
# against MFT.extract_data.
mft.extract_data(inum=2, output_file=logfile_file.name, stream=0)
# Carve the $UsnJrnl (inum found above) into its own temporary file.
# NOTE(review): the change-journal records live in the named $J data stream
# ($Max only holds journal metadata); verify that stream=0 resolves to $J for
# this entry and not to $Max, otherwise UsnJrnl.parse() sees the wrong bytes.
mft.extract_data(inum=usn_jrnl_inum, output_file=usnjrnl_file.name, stream=0)
# Parse the carved $LogFile and link its records into transactions.
log_file = LogFile(dump_dir=args.dump_dir, file_name=logfile_file.name)
log_file.parse_all()
log_file.connect_transactions()
# Parse the carved $UsnJrnl.
usn_jrnl = UsnJrnl(usnjrnl_file.name)
usn_jrnl.parse()
# Everything needed now lives in usn_jrnl and log_file, so the temporary
# files can be closed (assumes NamedTemporaryFile-like objects created by
# the caller, which are removed on close by default -- confirm where they
# are created).
usnjrnl_file.close()
logfile_file.close()
# $UsnJrnl records ordered by MFT entry
usnjrnl_grouped = usn_jrnl.grouped_by_entry
# If no inum has been given as input go through all the available data,
type=int)
    # ... tail of parse_args(); its definition begins before this span.
    parser.add_argument(
        '-q', help='Select what LSN\'s to output (parsed). Comma separated.', dest='lsns')
    parser.add_argument('-p', help='Put program in performance measurement mode', action="store_true")
    # NOTE(review): parser.parse_args() is called without the argument list
    # handed to parse_args(), so the function always reads sys.argv[1:] itself
    # and its own parameter is ignored; forwarding it (parser.parse_args(argv))
    # would make the function usable with an explicit argument list.
    return parser.parse_args()


if __name__ == '__main__':
    # Command-line entry point: parse one $LogFile dump and write it out in
    # the requested export format.
    args = parse_args(sys.argv[1:])
    # -p switches the parser into performance measurement mode.
    data = LogFile(dump_dir=args.dump_dir, file_name=args.file_name, performance=args.p)
    # args.num is None when the page-count option is omitted; the option's
    # help text (before this span) documents that as "all pages are parsed".
    data.parse_all(args.num)
    if args.export_type == 'parsed':
        data.export_parsed(export_file=args.export_file)
    elif args.export_type == 'csv':
        # The csv, transaction and parsedlsns exports all need the parsed
        # records linked into transactions first.
        data.connect_transactions()
        data.export_csv(export_file=args.export_file)
    elif args.export_type == 'transaction':
        data.connect_transactions()
        #data.print_transactions(export_file=args.export_file)
        #data.print_faulty_transactions(export_file=args.export_file)
        data.export_transactions(export_file=args.export_file)
    elif args.export_type == 'parsedlsns':
        data.connect_transactions()
        # ... this branch continues past the end of this span.