return mft_entry_hist

########################################################################################################################
# MAIN
# Script entry point: parse the NTFS boot sector and MFT of a disk image, then
# carve the $LogFile and $UsnJrnl journals into local temporary files.
if __name__ == '__main__':
    # Command-line options; the code below reads args.image, args.offset_sectors,
    # args.offset_bytes and args.sector_size.
    args = parse_args(sys.argv[1:])

    # Scratch files that receive the carved $UsnJrnl and $LogFile contents.
    # They are created with default arguments, so each file is removed when its
    # handle is closed; only the .name path is handed to extract_data() below
    # while these handles stay open.
    # NOTE(review): whether an open NamedTemporaryFile can be opened a second
    # time by name is platform-dependent (it cannot on Windows with the default
    # delete behaviour) -- confirm the supported platforms.
    # NOTE(review): the files will hold evidence-derived data (journal records
    # from the examined volume); confirm the temp directory is an acceptable
    # place for it in the examiner's workflow.
    usnjrnl_file = NamedTemporaryFile()
    logfile_file = NamedTemporaryFile()

    # Parse the MFT first: the boot sector is read from the image at the
    # user-supplied offset and is then passed to the MFT parser.
    sector = BootSector(image_name=args.image,
                        offset_sectors=args.offset_sectors,
                        offset_bytes=args.offset_bytes,
                        sector_size=args.sector_size)
    mft = MFT(image_name=args.image, boot_sector=sector)
    mft.parse_all()

    # Get the inum (MFT entry number) of the $UsnJrnl. It is looked up by name
    # in the $INDEX_ROOT attribute of $Extend, which is read here as MFT entry 11.
    # NOTE(review): no handling is visible here for a volume without a $UsnJrnl
    # (journal never enabled, or deleted) or for a damaged $Extend record; if
    # these are plain list/dict lookups the chain raises instead of reporting
    # the missing journal -- confirm and consider an explicit error message.
    usn_jrnl_inum = mft.entries[11].\
        attributes[AttributeTypeEnum.INDEX_ROOT][0].\
        entries[AttributeTypeEnum.FILE_NAME]['$UsnJrnl'].\
        file_reference_mft_entry

    # Carve out the $LogFile (inum 2) and store it in its local temporary file.
    mft.extract_data(inum=2, output_file=logfile_file.name, stream=0)

    # Carve out the $UsnJrnl (inum looked up above) and store it in its local
    # temporary file.
    # NOTE(review): $UsnJrnl normally carries two named data streams ($Max and
    # $J) and the change records live in $J; confirm that stream=0 selects $J
    # in extract_data()'s stream ordering.
    mft.extract_data(inum=usn_jrnl_inum, output_file=usnjrnl_file.name, stream=0)