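def json_mft(self):
    """Export the MFT of each local drive and convert every raw dump to JSON.

    ``self.__extract_mft`` yields the path of each raw ``.mft`` file it wrote.
    When ``self.mft_export`` is set, each one is handed to ``_MftSession``
    (fourth argument ``True`` kept as in the original call) with an output
    path that is the same name carrying a ``.json`` extension.
    """
    raw_suffix = '.mft'
    for path_current_mft in self.__extract_mft():
        if not self.mft_export:
            continue
        # Swap only the trailing extension: a blanket str.replace would also
        # rewrite a '.mft' appearing earlier in the path (e.g. inside the
        # output directory), and if the suffix were absent the JSON output
        # path would equal the input path and be written over it.
        if path_current_mft.endswith(raw_suffix):
            json_path = path_current_mft[:-len(raw_suffix)] + '.json'
        else:
            json_path = path_current_mft + '.json'
        session = _MftSession(self.logger, path_current_mft, json_path, True)
        session.open_files()
        session.process_mft_file()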
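def json_mft(self):
    """Export the MFT of every local drive, then turn each raw dump into JSON.

    Iterates the ``.mft`` paths produced by ``self.__extract_mft`` and, when
    ``self.mft_export`` is enabled, runs ``_MftSession`` on each of them; the
    JSON file is placed next to the raw dump with the ``.mft`` suffix replaced
    by ``.json``.  The extraction is always driven, even when the conversion
    is disabled, to match the original behaviour.
    """
    raw_suffix = '.mft'
    for path_current_mft in self.__extract_mft():
        if not self.mft_export:
            continue
        # Replace the suffix only, never every '.mft' substring: the
        # directory part is user-controlled and may contain '.mft' as well,
        # and a path without the suffix must not map onto itself.
        json_path = (path_current_mft[:-len(raw_suffix)]
                     if path_current_mft.endswith(raw_suffix)
                     else path_current_mft) + '.json'
        session = _MftSession(self.logger, path_current_mft, json_path, True)
        session.open_files()
        session.process_mft_file()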
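def csv_mft(self):
    """Export the MFT of each local drive and convert every raw dump to CSV.

    ``self.__extract_mft`` yields the path of each raw ``.mft`` file it wrote.
    When ``self.mft_export`` is set, each one is parsed by ``_MftSession``
    into a sibling file whose ``.mft`` suffix is replaced by
    ``self.rand_ext``.
    """
    raw_suffix = '.mft'
    for path_current_mft in self.__extract_mft():
        if not self.mft_export:
            continue
        # Swap only the trailing extension. A blanket str.replace would also
        # touch a '.mft' inside the directory part, and if the suffix were
        # absent the export path would equal the input path.
        if path_current_mft.endswith(raw_suffix):
            export_path = path_current_mft[:-len(raw_suffix)] + self.rand_ext
        else:
            export_path = path_current_mft + self.rand_ext
        session = _MftSession(self.logger, path_current_mft, export_path)
        session.open_files()
        session.process_mft_file()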
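def csv_mft(self):
    """Export the MFT of every local drive, then parse each raw dump to CSV.

    For every ``.mft`` path produced by ``self.__extract_mft`` and only when
    ``self.mft_export`` is enabled, an ``_MftSession`` writes the parsed
    output next to the raw dump, using ``self.rand_ext`` in place of the
    ``.mft`` suffix.  Extraction is driven regardless of the export flag,
    as in the original.
    """
    raw_suffix = '.mft'
    for path_current_mft in self.__extract_mft():
        if not self.mft_export:
            continue
        # Replace the suffix only: the user-chosen output directory may itself
        # contain '.mft', and a path lacking the suffix must not be mapped
        # onto itself (that would make _MftSession read and write one file).
        stem = (path_current_mft[:-len(raw_suffix)]
                if path_current_mft.endswith(raw_suffix)
                else path_current_mft)
        session = _MftSession(self.logger, path_current_mft,
                              stem + self.rand_ext)
        session.open_files()
        session.process_mft_file()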
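def csv_mft(self):
    r"""Dump the $MFT of every local NTFS drive to disk and optionally parse it.

    For each drive returned by ``get_local_drives`` the raw volume is opened,
    the NTFS boot-sector geometry fields are read (bytes per sector at 0x0b,
    sectors per cluster at 0x0d, $MFT start cluster at 0x30), record 0 of the
    MFT (the $MFT file itself) is fetched, and the data runs of its
    non-resident $DATA attribute (type 0x80) are followed to copy the whole
    table to ``<output_dir>\<computer_name>_mft_<drive letter>.mft``.  With
    ``self.mft_export`` set, that file is then parsed by ``_MftSession`` into
    a sibling file ending in ``self.rand_ext``.

    Opening ``\\.\X:`` normally requires administrative rights; a failure
    there propagates so the caller can see which drive could not be read.
    The raw device handle is closed on every path (the original leaked it),
    and a zero-length attribute header ends the walk instead of spinning
    forever.
    """
    def read_field(fileobj, offset, size, fmt):
        # Seek to *offset* in the boot sector and unpack one field. The
        # original hexlify/unhexlify round-trip was a no-op and is dropped.
        fileobj.seek(offset)
        return struct.unpack(fmt, fileobj.read(size))[0]

    def copy_clusters(device, output, start, count, cluster_size):
        # Copy *count* clusters from byte offset *start* in cluster-aligned
        # pieces of at most ~1 MiB so a large MFT is never held in memory at
        # once; alignment keeps raw-volume reads legal on Windows.
        device.seek(start)
        per_chunk = max(1, (1 << 20) // cluster_size)
        remaining = count
        while remaining > 0:
            step = min(remaining, per_chunk)
            output.write(device.read(step * cluster_size))
            remaining -= step

    for local_drive in get_local_drives():
        self.logger.info('Exporting MFT for drive : ' + local_drive)
        device_path = '\\\\.\\' + local_drive.replace('\\', '')
        output_base = (self.output_dir + '\\' + self.computer_name
                       + '_mft_' + local_drive[0])
        ntfsdrive = open(device_path, 'rb')
        try:
            if os.name == 'nt':
                # Windows only allows sector-sized reads/seeks on a raw
                # volume, so the 512-byte boot sector is parsed from a
                # seekable in-memory copy.
                bootsector = StringIO(ntfsdrive.read(512))
            else:
                bootsector = ntfsdrive
            bytes_per_sector = read_field(bootsector, 0x0b, WORDSIZE, b'<h')
            sectors_per_cluster = read_field(bootsector, 0x0d, BYTESIZE, b'<b')
            mft_cluster = read_field(bootsector, 0x30, LONGLONGSIZE, b'<q')
            cluster_size = bytes_per_sector * sectors_per_cluster

            # Record 0 of the MFT describes the $MFT file itself.
            ntfsdrive.seek(mft_cluster * cluster_size)
            mftraw = ntfsdrive.read(1024)
            # Offset of the first attribute header sits at record offset 20.
            read_ptr = struct.unpack(b'<H', mftraw[20:22])[0]

            with open(output_base + '.mft', 'wb') as output:
                while read_ptr < len(mftraw):
                    atr_record = decodeATRHeader(mftraw[read_ptr:])
                    # NOTE(review): decodeATRHeader is not visible here; 'len'
                    # is assumed absent or 0 at the end-of-attributes marker,
                    # a case the original never advanced past.
                    atr_len = atr_record.get('len', 0)
                    if atr_record['type'] == 0x80:
                        # Run list of the $DATA attribute: (length, offset)
                        # pairs, each offset relative to the previous run's
                        # start, the first one absolute.
                        dataruns = mftraw[read_ptr + atr_record['run_off']:
                                          read_ptr + atr_len]
                        run_start = None
                        for length, cluster in decode_data_runs(dataruns):
                            if run_start is None:
                                run_start = cluster * cluster_size
                            else:
                                run_start += cluster * cluster_size
                            copy_clusters(ntfsdrive, output, run_start,
                                          length, cluster_size)
                        break
                    if atr_len <= 0:
                        # A header that does not advance read_ptr would loop
                        # forever; stop walking the record instead.
                        break
                    read_ptr += atr_len
        finally:
            ntfsdrive.close()

        if self.mft_export:
            session = _MftSession(self.logger, output_base + '.mft',
                                  output_base + self.rand_ext)
            session.open_files()
            session.process_mft_file()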
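def csv_mft(self):
    r"""Copy the $MFT of every local NTFS drive to a raw file and parse it to CSV.

    Per drive from ``get_local_drives``: open the raw volume, read the
    boot-sector geometry (bytes per sector at 0x0b, sectors per cluster at
    0x0d, $MFT start cluster at 0x30), load MFT record 0 (the $MFT file's own
    record) and follow the data runs of its $DATA attribute (type 0x80) into
    ``<output_dir>\<computer_name>_mft_<drive letter>.mft``.  When
    ``self.mft_export`` is set, ``_MftSession`` then converts that file into
    the matching ``.csv``.

    Raw volume access (``\\.\X:``) normally needs administrative rights and
    errors are left to propagate.  Unlike the original, the device handle is
    always closed and an attribute header of length 0 terminates the walk
    rather than looping indefinitely.
    """
    def unpack_at(fileobj, offset, size, fmt):
        # Read one little-endian field of the boot sector. The original
        # wrapped the bytes in unhexlify(hexlify(...)), which changes nothing.
        fileobj.seek(offset)
        return struct.unpack(fmt, fileobj.read(size))[0]

    def stream_clusters(device, output, start, count, cluster_size):
        # Stream *count* clusters from byte offset *start* in cluster-aligned
        # chunks (~1 MiB) instead of one read holding the whole run in
        # memory; reads stay sector-aligned, which raw volumes on Windows need.
        device.seek(start)
        chunk_clusters = max(1, (1 << 20) // cluster_size)
        left = count
        while left > 0:
            take = min(left, chunk_clusters)
            output.write(device.read(take * cluster_size))
            left -= take

    for local_drive in get_local_drives():
        self.logger.info('Exporting MFT for drive : ' + local_drive)
        raw_path = (self.output_dir + '\\' + self.computer_name
                    + '_mft_' + local_drive[0] + '.mft')
        csv_path = (self.output_dir + '\\' + self.computer_name
                    + '_mft_' + local_drive[0] + '.csv')
        ntfsdrive = open('\\\\.\\' + local_drive.replace('\\', ''), 'rb')
        try:
            if os.name == 'nt':
                # A raw volume on Windows can only be read whole sectors at a
                # time; parse the boot sector from an in-memory copy that
                # can be seeked byte-wise.
                bootsector = StringIO(ntfsdrive.read(512))
            else:
                bootsector = ntfsdrive
            bytes_per_sector = unpack_at(bootsector, 0x0b, WORDSIZE, b'<h')
            sectors_per_cluster = unpack_at(bootsector, 0x0d, BYTESIZE, b'<b')
            mft_cluster = unpack_at(bootsector, 0x30, LONGLONGSIZE, b'<q')
            cluster_size = bytes_per_sector * sectors_per_cluster

            # MFT record 0 = $MFT itself; 1024 bytes is the record size assumed
            # by the original code.
            ntfsdrive.seek(mft_cluster * cluster_size)
            mftraw = ntfsdrive.read(1024)
            # Record-header field at offset 20: offset of the first attribute.
            read_ptr = struct.unpack(b'<H', mftraw[20:22])[0]

            with open(raw_path, 'wb') as output:
                while read_ptr < len(mftraw):
                    atr_record = decodeATRHeader(mftraw[read_ptr:])
                    # NOTE(review): decodeATRHeader is defined elsewhere; its
                    # result is assumed to lack 'len' (or carry 0) at the
                    # end-of-attributes marker — confirm against that helper.
                    atr_len = atr_record.get('len', 0)
                    if atr_record['type'] == 0x80:
                        # Non-resident $DATA: each run's offset is relative to
                        # the start of the run before it (first one absolute).
                        dataruns = mftraw[read_ptr + atr_record['run_off']:
                                          read_ptr + atr_len]
                        position = None
                        for length, cluster in decode_data_runs(dataruns):
                            delta = cluster * cluster_size
                            position = delta if position is None else position + delta
                            stream_clusters(ntfsdrive, output, position,
                                            length, cluster_size)
                        break
                    if atr_len <= 0:
                        # Nothing to advance by: bail out rather than spin.
                        break
                    read_ptr += atr_len
        finally:
            ntfsdrive.close()

        if self.mft_export:
            session = _MftSession(self.logger, raw_path, csv_path)
            session.open_files()
            session.process_mft_file()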