    return mft_entry_hist


########################################################################################################################
# MAIN
if __name__ == '__main__':
    # Entry point: parse the on-disk MFT of the given image, locate the two NTFS
    # journals ($LogFile and $UsnJrnl), and carve each into a local temporary
    # file for later processing. The rest of this block may continue beyond the
    # lines shown here.
    args = parse_args(sys.argv[1:])
    # Scratch files for the carved journals. They are mkstemp-backed, so on POSIX
    # they are created 0600 and removed when the object is closed/garbage-collected.
    # NOTE(review): only `.name` is handed to extract_data below; on Windows a
    # NamedTemporaryFile cannot be reopened by name while it is still open
    # (see tempfile docs) -- confirm this script is POSIX-only or pass
    # delete=False and clean up explicitly.
    usnjrnl_file = NamedTemporaryFile()
    logfile_file = NamedTemporaryFile()

    # Parse the MFT first
    sector = BootSector(image_name=args.image,
                        offset_sectors=args.offset_sectors,
                        offset_bytes=args.offset_bytes,
                        sector_size=args.sector_size)
    mft = MFT(image_name=args.image, boot_sector=sector)
    mft.parse_all()

    # get the inum (MFT entry number) of the $UsnJrnl --> located in $Extend|$INDEX_ROOT attribute
    # MFT entry 11 is the $Extend metafile; its $INDEX_ROOT index is walked to the
    # $UsnJrnl FILE_NAME entry, whose file reference gives the journal's MFT entry.
    # NOTE(review): the image is untrusted input -- a damaged or deliberately
    # malformed $Extend index makes this chain raise IndexError/KeyError, which is
    # not caught here; a guard with a clear error message would fail more cleanly.
    usn_jrnl_inum = mft.entries[11].\
        attributes[AttributeTypeEnum.INDEX_ROOT][0].\
        entries[AttributeTypeEnum.FILE_NAME]['$UsnJrnl'].\
        file_reference_mft_entry

    # carve out the logfile (inum 2) and store in local temporary file
    mft.extract_data(inum=2, output_file=logfile_file.name, stream=0)
    # carve out the $UsnJrnl (inum searched for above) and store in local temporary file
    # (stream=0 selects the unnamed data stream; presumably the $J stream is
    # handled by the caller's stream numbering -- verify against extract_data)
    mft.extract_data(inum=usn_jrnl_inum,
                     output_file=usnjrnl_file.name,
                     stream=0)