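def main():
    """Command-line entry point: parse one Prefetch file named with ``--file``.

    ``--directory`` and ``--executed`` are registered with the argument parser
    but this body does not act on them; when ``--file`` is absent the usage
    line is printed instead of silently exiting. Written with the print
    function and ``except ... as`` so it runs under Python 2 and 3 alike.

    Output goes to stdout. A ``--file`` that ``Prefetch`` cannot parse ends
    the process through ``sys.exit``; a missing, non-``.pf`` or zero-byte
    file is reported and the function returns normally.
    """
    parser = ArgumentParser()
    parser.add_argument("-c", "--csv", help="Present results in CSV format", action="store_true")
    parser.add_argument("-d", "--directory", help="Parse all PF files in a given directory")
    parser.add_argument("-e", "--executed", help="Sort PF files by ALL execution times")
    parser.add_argument("-f", "--file", help="Parse a given Prefetch file")
    args = parser.parse_args()

    if not args.file:
        parser.print_usage()
        return
    if not args.file.endswith(".pf"):
        print("[ - ] {}: Not a Prefetch (.pf) file".format(args.file))
        return
    # getsize() raises OSError on a missing path; check first so the user
    # gets a message rather than a traceback.
    if not os.path.isfile(args.file):
        print("[ - ] {}: No such file".format(args.file))
        return
    if os.path.getsize(args.file) == 0:
        print("[ - ] {}: Zero byte Prefetch file".format(args.file))
        return

    # The .pf content is evidence from another host and may be malformed;
    # any parser failure is reported and terminates the run.
    try:
        pf = Prefetch(args.file)
    except Exception as e:
        print("[ - ] {}".format(e))
        sys.exit("[ - ] {} could not be parsed".format(args.file))

    if args.csv:
        print("Last Executed, Executable Name, Run Count")
        print("{}, {}-{}, {}".format(pf.timestamps[0], pf.executableName, pf.hash, pf.runCount))
    else:
        pf.prettyPrint()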
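def main():
    """Command-line entry point for the Prefetch parser.

    Exactly one of ``--file``, ``--directory`` or ``--executed`` is acted on,
    checked in that order; with none of them the usage line is printed.
    ``--csv`` switches ``--file`` and ``--directory`` output from
    ``Prefetch.prettyPrint()`` to one CSV row per file. Results go to stdout.

    A ``--file`` that cannot be parsed ends the process through ``sys.exit``;
    inside a directory each unparseable file is reported and skipped, so a
    bad file never borrows the previous file's values for its row.
    """
    parser = ArgumentParser()
    parser.add_argument("-c", "--csv", help="Present results in CSV format", action="store_true")
    parser.add_argument("-d", "--directory", help="Parse all PF files in a given directory")
    parser.add_argument("-e", "--executed", help="Sort PF files by ALL execution times")
    parser.add_argument("-f", "--file", help="Parse a given Prefetch file")
    args = parser.parse_args()

    if args.file:
        _parse_single_file(args.file, args.csv)
    elif args.directory:
        _parse_directory(args.directory, args.csv)
    elif args.executed:
        _print_execution_timeline(args.executed)
    else:
        parser.print_usage()


def _parse_single_file(path, as_csv):
    # Parse one .pf file and print it as a CSV header plus row, or pretty-printed.
    if not path.endswith(".pf"):
        print("[ - ] {}: Not a Prefetch (.pf) file".format(path))
        return
    # getsize() raises OSError on a missing path; check first so the user
    # gets a message rather than a traceback.
    if not os.path.isfile(path):
        print("[ - ] {}: No such file".format(path))
        return
    if os.path.getsize(path) == 0:
        print("[ - ] {}: Zero byte Prefetch file".format(path))
        return

    # The .pf content is evidence from another host and may be malformed;
    # a parser failure on the single requested file terminates the run.
    try:
        pf = Prefetch(path)
    except Exception as e:
        print("[ - ] {}".format(e))
        sys.exit("[ - ] {} could not be parsed".format(path))

    if as_csv:
        print("Last Executed, Executable Name, Run Count")
        print("{}, {}-{}, {}".format(pf.timestamps[0], pf.executableName, pf.hash, pf.runCount))
    else:
        pf.prettyPrint()


def _parse_directory(directory, as_csv):
    # Parse every .pf file directly inside directory (no recursion); other entries are skipped.
    if not os.path.isdir(directory):
        print("[ - ] {}: Not a directory".format(directory))
        return
    if as_csv:
        print("Last Executed, MFT Seq Number, MFT Record Number, Executable Name, Run Count")

    # os.path.join removes the need for a trailing slash on the directory;
    # sorting gives a reproducible report order regardless of listdir().
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pf"):
            continue
        path = os.path.join(directory, name)
        if os.path.getsize(path) == 0:
            print("[ - ] {}: Zero-byte Prefetch File".format(name))
            continue
        # Both parsing and printing stay inside the try so that a failure on
        # one file is reported under that file's name and the loop moves on,
        # never emitting a row built from a previously parsed object.
        try:
            pf = Prefetch(path)
            if as_csv:
                print("{},{},{},{},{}".format(
                    pf.timestamps[0], pf.mftSeqNumber, pf.mftRecordNumber,
                    pf.executableName, pf.runCount))
            else:
                pf.prettyPrint()
        except Exception as e:
            print("[ - ] {} could not be parsed: {}".format(name, e))


def _print_execution_timeline(target):
    # Print one "time, file" row per entry yielded by sortTimestamps(target).
    print("Execution Time, File Executed")
    # Each entry is indexed at [0] (raw timestamp) and [1] (file name);
    # presumably a tuple — TODO confirm against sortTimestamps.
    for entry in sortTimestamps(target):
        print("{}, {}".format(convertTimestamp(entry[0]), entry[1]))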