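def build_filepaths(self):
    """First pass over the $MFT: collect name and parent for every record.

    Rewinds self.file_mft, reads 1024-byte records until EOF and stores a
    reduced dict per record number in self.mft ('filename', 'fncnt', and
    for records with at least one $FILE_NAME attribute also 'par_ref' and
    'name').  self.num_records is reset first and ends at the record
    count.  Calls self.gen_filepaths() when the pass is complete.

    Returns:
        None.
    """
    # Reset the file reading so the pass always starts at record 0.
    self.file_mft.seek(0)
    self.num_records = 0
    # 1024 is valid for current versions of Windows but should really be
    # taken from the volume rather than assumed.
    record_size = 1024
    # Progress is reported in 20% steps.  max(1, ...) keeps the modulo from
    # raising ZeroDivisionError on an MFT smaller than five records, and the
    # mftsize > 0 guard protects the percentage below.
    progress_step = 0
    if self.options.progress and self.mftsize > 0:
        progress_step = max(1, self.mftsize // 5)
    raw_record = self.file_mft.read(record_size)
    # Truthiness stops on an empty str or bytes; `!= ""` is never false for
    # a bytes object, so a binary-mode handle would never leave the loop.
    while raw_record:
        record = mft.parse_record(raw_record, self.options)
        if self.options.debug:
            print(record)
        minirec = {
            'filename': record['filename'],
            'fncnt': record['fncnt'],
        }
        if record['fncnt'] == 1:
            minirec['par_ref'] = record['fn', 0]['par_ref']
            minirec['name'] = record['fn', 0]['name']
        elif record['fncnt'] > 1:
            # Parent from the first $FILE_NAME, display name from the last.
            minirec['par_ref'] = record['fn', 0]['par_ref']
            minirec['name'] = record['fn', record['fncnt'] - 1]['name']
        self.mft[self.num_records] = minirec
        if progress_step and self.num_records > 0 and self.num_records % progress_step == 0:
            print('Building Filepaths: {0:.0f}'.format(
                100.0 * self.num_records / self.mftsize) + '%')
        self.num_records += 1
        raw_record = self.file_mft.read(record_size)
    self.gen_filepaths()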
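def process_mft_file(self):
    """Second pass over the $MFT: parse every record and emit output rows.

    Calls sizecheck() and build_filepaths() first so self.mft holds the
    resolved filename for each record number, then re-reads self.file_mft
    from offset 0 in 1024-byte records.  Each parsed record gets its
    resolved 'filename' attached and is passed to do_output(); every
    alternate data stream on the record is emitted as an additional copy
    whose filename is 'name:stream'.  self.num_records ends at the count of
    base records.

    Returns:
        None.
    """
    self.sizecheck()
    self.build_filepaths()
    # Reset the file reading so both passes use the same record numbering.
    self.num_records = 0
    self.file_mft.seek(0)
    record_size = 1024
    raw_record = self.file_mft.read(record_size)
    if self.options.output is not None:
        # Header row: mft_to_csv(None, True, ...) renders the column names.
        self.file_csv.writerow(mft.mft_to_csv(None, True, self.options))
    # `while raw_record:` ends on an empty str or bytes; `!= ""` is never
    # false for bytes, so a binary-mode handle would loop forever.
    while raw_record:
        record = mft.parse_record(raw_record, self.options)
        if self.options.debug:
            print(record)
        record['filename'] = self.mft[self.num_records]['filename']
        self.do_output(record)
        self.num_records += 1
        # One extra row per alternate data stream; range() of 0 is empty.
        for i in range(record['ads']):
            record_ads = record.copy()
            record_ads['filename'] = record['filename'] + ':' + record['data_name', i]
            self.do_output(record_ads)
        raw_record = self.file_mft.read(record_size)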
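def process_mft_file(self):
    """Second pass over the $MFT: parse each record and send it to do_output().

    sizecheck() and build_filepaths() run first so self.mft maps record
    numbers to resolved filenames.  The file is then rewound and read in
    1024-byte records; each parsed record has 'filename' filled in from
    self.mft and is handed to do_output(), followed by one copy per
    alternate data stream named 'filename:stream'.  self.num_records is
    reset and ends at the number of base records.

    Returns:
        None.
    """
    self.sizecheck()
    self.build_filepaths()
    # Reset the file reading; the second pass must match the first's numbering.
    self.num_records = 0
    self.file_mft.seek(0)
    record_size = 1024
    raw_record = self.file_mft.read(record_size)
    if self.options.output is not None:
        # mft_to_csv(None, True, ...) produces the CSV header row.
        self.file_csv.writerow(mft.mft_to_csv(None, True, self.options))
    # Empty str and empty bytes are both falsy, unlike the `!= ""` test,
    # which never becomes false for bytes.
    while raw_record:
        record = mft.parse_record(raw_record, self.options)
        if self.options.debug:
            print(record)
        record['filename'] = self.mft[self.num_records]['filename']
        self.do_output(record)
        self.num_records += 1
        # Emit alternate data streams as separate rows.
        for i in range(record['ads']):
            record_ads = record.copy()
            record_ads['filename'] = record['filename'] + ':' + record['data_name', i]
            self.do_output(record_ads)
        raw_record = self.file_mft.read(record_size)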
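def process_mft_file(self):
    """Second pass over the $MFT with CSV or JSON output.

    Runs sizecheck() and build_filepaths(), rewinds self.file_mft and reads
    1024-byte records until EOF.  When self.output is set, the column
    header from mft_to_csv(None, True) is either written as a CSV row or,
    in JSON mode, kept in self.header.  Each parsed record has its resolved
    'filename' attached and goes to do_output(), followed by one copy per
    alternate data stream named 'filename:stream'.  In JSON mode the writer
    is closed with close_json_writer() at the end.

    Returns:
        None.
    """
    self.sizecheck()
    self.build_filepaths()
    # Reset the file reading so record numbering matches build_filepaths().
    self.num_records = 0
    self.file_mft.seek(0)
    record_size = 1024
    raw_record = self.file_mft.read(record_size)
    if self.output is not None:
        header = mft.mft_to_csv(None, True)
        if self.json:
            # The JSON writer uses the header as its key list.
            self.header = header
        else:
            self.file_csv.writerow(header)
    # A bytes record never compares equal to "", so `!= ""` could not end
    # this loop on a binary-mode handle; truthiness handles str and bytes.
    while raw_record:
        record = mft.parse_record(raw_record, False)
        record['filename'] = self.mft[self.num_records]['filename']
        self.do_output(record)
        self.num_records += 1
        for i in range(record['ads']):
            record_ads = record.copy()
            record_ads['filename'] = record['filename'] + ':' + record['data_name', i]
            self.do_output(record_ads)
        raw_record = self.file_mft.read(record_size)
    if self.json:
        close_json_writer(self.json_writer)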
def build_filepaths(self):
    """First pass over the $MFT: collect name and parent for every record.

    Rewinds self.file_mft, reads 1024-byte records until EOF and stores a
    reduced dict per record number in self.mft ('filename', 'fncnt', and
    for records with at least one $FILE_NAME also 'par_ref' and 'name').
    self.num_records is reset first and ends at the record count.  Calls
    self.gen_filepaths() when done.

    Returns:
        None.
    """
    # 1024 is valid for current Windows; it should really come from the volume.
    record_size = 1024
    # Reset the file reading.
    self.file_mft.seek(0)
    self.num_records = 0
    chunk = self.file_mft.read(record_size)
    while chunk:
        parsed = mft.parse_record(chunk, debug=self.debug)
        fncnt = parsed['fncnt']
        entry = {'filename': parsed['filename'], 'fncnt': fncnt}
        if fncnt >= 1:
            # The parent reference always comes from the first $FILE_NAME.
            entry['par_ref'] = parsed['fn', 0]['par_ref']
        if fncnt == 1:
            entry['name'] = parsed['fn', 0]['name']
        elif fncnt > 1:
            # Only the first and last $FILE_NAME are inspected; a Win32 (1)
            # or Win32&DOS (3) namespace name wins, the last one is the fallback.
            for idx in (0, fncnt - 1):
                if parsed['fn', idx]['nspace'] in (0x1, 0x3):
                    entry['name'] = parsed['fn', idx]['name']
            if entry.get('name') is None:
                entry['name'] = parsed['fn', fncnt - 1]['name']
        self.mft[self.num_records] = entry
        self.num_records += 1
        chunk = self.file_mft.read(record_size)
    self.gen_filepaths()
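def process_mft_file(self):
    """Second pass over the $MFT with CSV or JSON output.

    Runs sizecheck() and build_filepaths(), rewinds self.file_mft and reads
    1024-byte records until EOF.  When self.output is set, the column
    header from mft_to_csv(None, True) is written as a CSV row or, in JSON
    mode, stored in self.header.  Each parsed record has its resolved
    'filename' attached and is passed to do_output(), followed by one copy
    per alternate data stream named 'filename:stream'.  self.num_records
    ends at the number of base records.

    Returns:
        None.
    """
    self.sizecheck()
    self.build_filepaths()
    # Reset the file reading so record numbering matches build_filepaths().
    self.num_records = 0
    self.file_mft.seek(0)
    record_size = 1024
    raw_record = self.file_mft.read(record_size)
    if self.output is not None:
        header = mft.mft_to_csv(None, True)
        if self.json:
            self.header = header
        else:
            self.file_csv.writerow(header)
    # Truthiness ends the loop on an empty str or bytes; `!= ""` never
    # becomes false for a bytes object.
    while raw_record:
        record = mft.parse_record(raw_record, False)
        record['filename'] = self.mft[self.num_records]['filename']
        self.do_output(record)
        self.num_records += 1
        for i in range(record['ads']):
            record_ads = record.copy()
            record_ads['filename'] = record['filename'] + ':' + record['data_name', i]
            self.do_output(record_ads)
        raw_record = self.file_mft.read(record_size)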
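def plaso_process_mft_file(self):
    """Second pass for the plaso path: keep every parsed record in memory.

    Calls build_filepaths() so self.mft maps record numbers to resolved
    filenames, rewinds self.file_mft and parses 1024-byte records until
    EOF, storing each record (with 'filename' attached) in
    self.fullmft[record number].  self.num_records ends at the record
    count.  Alternate data streams are not expanded (existing TODO).

    Returns:
        None.
    """
    # TODO - Add ADS support ....
    self.build_filepaths()
    # Reset the file reading so numbering matches the first pass.
    self.num_records = 0
    self.file_mft.seek(0)
    record_size = 1024
    raw_record = self.file_mft.read(record_size)
    # `!= ""` is never false for a bytes record and would loop forever on a
    # binary-mode handle; truthiness stops on empty str and bytes alike.
    while raw_record:
        record = mft.parse_record(raw_record, False)
        record['filename'] = self.mft[self.num_records]['filename']
        self.fullmft[self.num_records] = record
        self.num_records += 1
        raw_record = self.file_mft.read(record_size)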
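def build_seq(self, record_seq):
    """Index a single $MFT record into self.mft[record_seq].

    Seeks to record_seq * 1024 in self.file_mft, reads one record and
    stores a reduced dict with 'name' and 'par_ref' taken from the
    record's $FILE_NAME attributes.  Records that are not in use, are
    truncated, whose own record number disagrees with record_seq, or that
    carry no $FILE_NAME get a placeholder ('FILE_DELETED' or 'BAD_NAME',
    path "/", par_ref 5) and self.mft_seqs_flag_list[record_seq] is set to
    2 (done).  Usable records are stored without a path and leave the flag
    for the caller to resolve.

    Args:
        record_seq: zero-based record number within the $MFT.

    Returns:
        None.
    """
    record_size = 1024

    def _store_placeholder(name):
        # Entry for a record that cannot be resolved to a path; flagged done.
        self.mft[record_seq] = {'name': name, 'path': "/", 'par_ref': 5}
        self.mft_seqs_flag_list[record_seq] = 2

    file_handle = self.file_mft
    file_handle.seek(record_seq * record_size, 0)
    raw_record = file_handle.read(record_size)
    # The input is evidence from an untrusted volume: a truncated image or a
    # record past EOF yields a short read that struct.unpack would reject
    # with an exception, so treat it as an unusable record instead.
    if len(raw_record) < 24:
        _store_placeholder("BAD_NAME")
        return
    # Record header flags at offset 22: bit 0 set means the record is in use.
    if not (struct.unpack("<H", raw_record[22:24])[0] & 0x0001):
        # Lock is held by the caller (run) already.
        _store_placeholder("FILE_DELETED")
        return
    record = mft.parse_record({}, raw_record, self.options)
    record_num = record['recordnum']
    # The parser's record number must match the position in the file
    # (0 means none was recovered).  A mismatch used to be an assert, which
    # is stripped under -O and lets malformed input crash the worker.
    if record_num != 0 and record_seq != record_num:
        _store_placeholder("BAD_NAME")
        return
    minirec = {}
    if record['fncnt'] == 1:
        minirec['par_ref'] = record['fn', 0]['par_ref']
        minirec['name'] = record['fn', 0]['name']
    elif record['fncnt'] > 1:
        minirec['par_ref'] = record['fn', 0]['par_ref']  # TODO: check hard link files
        # Only the first and last $FILE_NAME are inspected; prefer a Win32 (1)
        # or Win32&DOS (3) namespace name, else fall back to the last one.
        for i in (0, record['fncnt'] - 1):
            if record['fn', i]['nspace'] in (0x1, 0x3):
                minirec['name'] = record['fn', i]['name']
        if minirec.get('name') is None:
            minirec['name'] = record['fn', record['fncnt'] - 1]['name']
    if record['fncnt'] > 0:
        self.mft[record_seq] = minirec
        # Path resolution and the done flag are left to the caller here.
    else:
        # No $FILE_NAME attribute: the path is unknown and cannot be submitted.
        _store_placeholder("BAD_NAME")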
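def build_seq(self, record_seq):
    """Index one $MFT record into self.mft[record_seq].

    Reads the 1024-byte record at record_seq * 1024 from self.file_mft and
    stores a reduced dict ('name', 'par_ref') derived from its $FILE_NAME
    attributes.  A record that is not in use, is truncated, disagrees with
    record_seq about its own record number, or has no $FILE_NAME is stored
    as a placeholder ('FILE_DELETED' or 'BAD_NAME', path "/", par_ref 5)
    with self.mft_seqs_flag_list[record_seq] set to 2.  Usable records are
    stored without a path and the flag is left for the caller.

    Args:
        record_seq: zero-based record number within the $MFT.

    Returns:
        None.
    """
    record_size = 1024

    def _unusable(name):
        # Placeholder for a record that cannot be resolved; marked done.
        self.mft[record_seq] = {'name': name, 'path': "/", 'par_ref': 5}
        self.mft_seqs_flag_list[record_seq] = 2

    self.file_mft.seek(record_seq * record_size, 0)
    raw_record = self.file_mft.read(record_size)
    # Short read (truncated image / record past EOF): the header bytes are
    # missing, so skip parsing rather than let struct.unpack raise.
    if len(raw_record) < 24:
        _unusable("BAD_NAME")
        return
    # Header flags at offset 22, bit 0: record in use.
    if not (struct.unpack("<H", raw_record[22:24])[0] & 0x0001):
        # Locked in function run already.
        _unusable("FILE_DELETED")
        return
    record = mft.parse_record({}, raw_record, self.options)
    record_num = record['recordnum']
    # Formerly an assert; asserts vanish under -O and the MFT is untrusted
    # input, so a mismatching record number is handled as unusable.
    if record_num != 0 and record_seq != record_num:
        _unusable("BAD_NAME")
        return
    fncnt = record['fncnt']
    minirec = {}
    if fncnt == 1:
        minirec['par_ref'] = record['fn', 0]['par_ref']
        minirec['name'] = record['fn', 0]['name']
    elif fncnt > 1:
        minirec['par_ref'] = record['fn', 0]['par_ref']  # TODO: check hard link files
        # Checks only the first and last $FILE_NAME; a Win32 (1) or
        # Win32&DOS (3) namespace name is preferred, the last one is the fallback.
        for i in (0, fncnt - 1):
            if record['fn', i]['nspace'] in (0x1, 0x3):
                minirec['name'] = record['fn', i]['name']
        if minirec.get('name') is None:
            minirec['name'] = record['fn', fncnt - 1]['name']
    if fncnt > 0:
        self.mft[record_seq] = minirec
        # get_folder_path / flag update are intentionally left to the caller.
    else:
        # Path is unknown, cannot submit.
        _unusable("BAD_NAME")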
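def build_filepaths(self):
    """First pass over the $MFT: collect name and parent for every record.

    Rewinds self.file_mft, reads 1024-byte records until EOF and stores a
    reduced dict per record number in self.mft ('filename', 'fncnt', and
    for records with a $FILE_NAME also 'par_ref' and 'name').  With
    options.progress set, a percentage is printed every 20% of
    self.mftsize.  self.num_records is reset and ends at the record count.
    Calls self.gen_filepaths() when done.

    Returns:
        None.
    """
    # Reset the file reading.
    self.file_mft.seek(0)
    self.num_records = 0
    # 1024 is valid for current Windows; it should really come from the volume.
    record_size = 1024
    # max(1, ...) avoids ZeroDivisionError for an MFT of fewer than five
    # records; the mftsize > 0 guard protects the percentage below.
    progress_step = 0
    if self.options.progress and self.mftsize > 0:
        progress_step = max(1, self.mftsize // 5)
    raw_record = self.file_mft.read(record_size)
    # Truthiness works for str and bytes; `!= ""` is never false for bytes.
    while raw_record:
        record = mft.parse_record(raw_record, self.options)
        if self.options.debug:
            print(record)
        minirec = {
            'filename': record['filename'],
            'fncnt': record['fncnt'],
        }
        if record['fncnt'] == 1:
            minirec['par_ref'] = record['fn', 0]['par_ref']
            minirec['name'] = record['fn', 0]['name']
        elif record['fncnt'] > 1:
            minirec['par_ref'] = record['fn', 0]['par_ref']
            # Only the first and last $FILE_NAME are inspected; a Win32 (1) or
            # Win32&DOS (3) namespace name wins, the last one is the fallback.
            for i in (0, record['fncnt'] - 1):
                if record['fn', i]['nspace'] in (0x1, 0x3):
                    minirec['name'] = record['fn', i]['name']
            if minirec.get('name') is None:
                minirec['name'] = record['fn', record['fncnt'] - 1]['name']
        self.mft[self.num_records] = minirec
        if progress_step and self.num_records > 0 and self.num_records % progress_step == 0:
            print('Building Filepaths: {0:.0f}'.format(
                100.0 * self.num_records / self.mftsize) + '%')
        self.num_records += 1
        raw_record = self.file_mft.read(record_size)
    self.gen_filepaths()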
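def process_mft_file(self):
    """Second pass over the $MFT: parse every record and write the outputs.

    Runs sizecheck() and build_filepaths(), rewinds self.file_mft and reads
    1024-byte records until EOF.  For each parsed record the resolved
    'filename' is attached, then depending on self.options: the record is
    kept in self.fullmft (inmemory), written as CSV (output), as an l2t
    line (csvtimefile) and/or as a bodyfile line (bodyfile).  With
    options.progress a percentage is printed every 20% of self.mftsize.
    self.num_records is reset and ends at the record count.

    Returns:
        None.
    """
    self.sizecheck()
    self.build_filepaths()
    # Reset the file reading so numbering matches build_filepaths().
    self.num_records = 0
    self.file_mft.seek(0)
    record_size = 1024
    raw_record = self.file_mft.read(record_size)
    opts = self.options
    if opts.output is not None:
        # Header row: mft_to_csv(None, True) renders the column names.
        self.file_csv.writerow(mft.mft_to_csv(None, True))
    # max(1, ...) keeps the modulo from raising on an MFT of fewer than
    # five records; the mftsize > 0 guard protects the percentage.
    progress_step = 0
    if opts.progress and self.mftsize > 0:
        progress_step = max(1, self.mftsize // 5)
    # Truthiness ends the loop for str and bytes; `!= ""` never does for bytes.
    while raw_record:
        record = mft.parse_record(raw_record, opts)
        if opts.debug:
            print(record)
        record['filename'] = self.mft[self.num_records]['filename']
        if opts.inmemory:
            self.fullmft[self.num_records] = record
        if opts.output is not None:
            self.file_csv.writerow(mft.mft_to_csv(record, False))
        if opts.csvtimefile is not None:
            self.file_csv_time.write(mft.mft_to_l2t(record))
        if opts.bodyfile is not None:
            self.file_body.write(mft.mft_to_body(record, opts.bodyfull, opts.bodystd))
        if progress_step and self.num_records > 0 and self.num_records % progress_step == 0:
            print('Building MFT: {0:.0f}'.format(
                100.0 * self.num_records / self.mftsize) + '%')
        self.num_records += 1
        raw_record = self.file_mft.read(record_size)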
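def plaso_process_mft_file(self):
    """Second pass for the plaso path: keep every parsed record in memory.

    Calls build_filepaths() so self.mft maps record numbers to resolved
    filenames, rewinds self.file_mft and parses 1024-byte records until
    EOF, storing each record with its 'filename' attached in
    self.fullmft[record number].  self.num_records ends at the record
    count.  Alternate data streams are not expanded (existing TODO).

    Returns:
        None.
    """
    # TODO - Add ADS support ....
    self.build_filepaths()
    # Reset the file reading.
    self.num_records = 0
    self.file_mft.seek(0)
    record_size = 1024
    raw_record = self.file_mft.read(record_size)
    # Truthiness stops on empty str or bytes; `!= ""` never stops for bytes.
    while raw_record:
        record = mft.parse_record(raw_record, False)
        record['filename'] = self.mft[self.num_records]['filename']
        self.fullmft[self.num_records] = record
        self.num_records += 1
        raw_record = self.file_mft.read(record_size)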
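def process_mft_file(self):
    """Second pass over the $MFT, yielding one dict per record and per ADS.

    Runs sizecheck() and build_filepaths() so self.mft holds the resolved
    filename per record number, rewinds self.file_mft and parses 1024-byte
    records until EOF.  Each record is yielded with its resolved
    'filename'; for every alternate data stream a copy named
    'filename:stream' is yielded right after it, matching what the
    non-generator variants pass to do_output() (previously the copies were
    built and then dropped).  self.num_records counts base records only.

    Yields:
        dict: a record from mft.parse_record() with 'filename' set.
    """
    self.sizecheck()
    self.build_filepaths()
    # Reset the file reading so numbering matches build_filepaths().
    self.num_records = 0
    self.file_mft.seek(0)
    record_size = 1024
    raw_record = self.file_mft.read(record_size)
    # Presumably a debugging aid: an MFT record is binary, so the detected
    # encoding is informational only.
    print(f"encoding is {chardet.detect(raw_record)}")
    # file_mft yields bytes here and b"" != "" is always True, so the old
    # `!= ""` condition could never end the loop; truthiness does.
    while raw_record:
        record = mft.parse_record(raw_record=raw_record, debug=self.debug)
        record['filename'] = self.mft[self.num_records]['filename']
        # Build the ADS copies before yielding so a consumer mutating the
        # base record cannot change them.
        ads_records = []
        for i in range(record['ads']):
            record_ads = record.copy()
            record_ads['filename'] = record['filename'] + ':' + str(record['data_name', i])
            ads_records.append(record_ads)
        self.num_records += 1
        raw_record = self.file_mft.read(record_size)
        yield record
        for record_ads in ads_records:
            yield record_ads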
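def plaso_process_mft_file(self):
    """Second pass for the plaso path: keep every parsed record in memory.

    Calls build_filepaths() so self.mft maps record numbers to resolved
    filenames, rewinds self.file_mft and parses 1024-byte records until
    EOF with self.options, storing each record with 'filename' attached in
    self.fullmft[record number].  Records are printed when options.debug is
    set.  self.num_records ends at the record count.

    Returns:
        None.
    """
    self.build_filepaths()
    # Reset the file reading.
    self.num_records = 0
    self.file_mft.seek(0)
    record_size = 1024
    raw_record = self.file_mft.read(record_size)
    # Truthiness stops on empty str or bytes; `!= ""` never stops for bytes.
    while raw_record:
        record = mft.parse_record(raw_record, self.options)
        if self.options.debug:
            print(record)
        record['filename'] = self.mft[self.num_records]['filename']
        self.fullmft[self.num_records] = record
        self.num_records += 1
        raw_record = self.file_mft.read(record_size)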
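def build_filepaths(self):
    """First pass over the $MFT: collect name and parent for every record.

    Rewinds self.file_mft, reads 1024-byte records until EOF and stores a
    reduced dict per record number in self.mft ('filename', 'fncnt', and
    for records with a $FILE_NAME also 'par_ref' and 'name').  Progress is
    logged through self.logger every 20% of self.mftsize.  self.num_records
    is reset and ends at the record count.  Calls self.gen_filepaths().

    Returns:
        None.
    """
    # Reset the file reading.
    self.file_mft.seek(0)
    self.num_records = 0
    # 1024 is valid for current Windows; it should really come from the volume.
    record_size = 1024
    # The original `mftsize / 5` is 0 for an MFT of fewer than five records
    # and made the modulo raise ZeroDivisionError; the mftsize > 0 guard
    # also protects the percentage computation.
    progress_step = max(1, self.mftsize // 5) if self.mftsize > 0 else 0
    raw_record = self.file_mft.read(record_size)
    # Truthiness works for str and bytes; `!= ""` is never false for bytes.
    while raw_record:
        record = mft.parse_record(raw_record, False)
        minirec = {
            'filename': record['filename'],
            'fncnt': record['fncnt'],
        }
        if record['fncnt'] == 1:
            minirec['par_ref'] = record['fn', 0]['par_ref']
            minirec['name'] = record['fn', 0]['name']
        elif record['fncnt'] > 1:
            minirec['par_ref'] = record['fn', 0]['par_ref']
            # Only the first and last $FILE_NAME are inspected; a Win32 (1) or
            # Win32&DOS (3) namespace name wins, the last one is the fallback.
            for i in (0, record['fncnt'] - 1):
                if record['fn', i]['nspace'] in (0x1, 0x3):
                    minirec['name'] = record['fn', i]['name']
            if minirec.get('name') is None:
                minirec['name'] = record['fn', record['fncnt'] - 1]['name']
        self.mft[self.num_records] = minirec
        if progress_step and self.num_records > 0 and self.num_records % progress_step == 0:
            self.logger.info('Building Filepaths: {0:.0f}'.format(
                100.0 * self.num_records / self.mftsize) + '%')
        self.num_records += 1
        raw_record = self.file_mft.read(record_size)
    self.gen_filepaths()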
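def plaso_process_mft_file(self):
    """Second pass for the plaso path: keep every parsed record in memory.

    Calls build_filepaths() so self.mft maps record numbers to resolved
    filenames, rewinds self.file_mft and parses 1024-byte records until
    EOF with self.options, storing each record with 'filename' attached in
    self.fullmft[record number].  Records are printed when options.debug is
    set.  self.num_records ends at the record count.  Alternate data
    streams are not expanded (existing TODO).

    Returns:
        None.
    """
    # TODO - Add ADS support ....
    self.build_filepaths()
    # Reset the file reading.
    self.num_records = 0
    self.file_mft.seek(0)
    record_size = 1024
    raw_record = self.file_mft.read(record_size)
    # Truthiness stops on empty str or bytes; `!= ""` never stops for bytes.
    while raw_record:
        record = mft.parse_record(raw_record, self.options)
        if self.options.debug:
            print(record)
        record['filename'] = self.mft[self.num_records]['filename']
        self.fullmft[self.num_records] = record
        self.num_records += 1
        raw_record = self.file_mft.read(record_size)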
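def run(self):
    """Worker-thread body: claim unprocessed $MFT records and index them.

    Starting at self.record_seq, repeatedly takes the next record whose
    entry in self.mft_seqs_flag_list is 0, marks it 1 under self.rw_lock,
    reads the 1024-byte record from self.file_mft and stores a reduced
    dict in self.mft[record_seq].  Records that are not in use, are
    truncated, disagree with record_seq about their own record number, or
    carry no $FILE_NAME get a placeholder ('FILE_DELETED' / 'BAD_NAME',
    path "/", par_ref 5) and are flagged 2 without being queued.  Usable
    records are resolved with get_folder_path() and a row is pushed onto
    self.sql_insert_queue under self.sql_insert_mutex.  self.quit_flag is
    honoured at every lock acquisition.  self.file_mft is closed on every
    exit path.

    Returns:
        None.
    """
    record_size = 1024

    def _store_placeholder(seq, name):
        # Entry for a record that cannot be resolved to a path; flagged done.
        self.rw_lock.lockForWrite()
        self.mft[seq] = {'name': name, 'path': "/", 'par_ref': 5}
        self.mft_seqs_flag_list[seq] = 2
        self.rw_lock.unlock()

    record_seq = self.record_seq
    try:
        while record_seq < self.mftsize:
            # Claim the next unprocessed record under the write lock.
            self.rw_lock.lockForWrite()
            if self.quit_flag:
                self.rw_lock.unlock()
                return
            while self.mft_seqs_flag_list[record_seq] > 0:
                record_seq += 1
                if record_seq >= self.mftsize:
                    self.rw_lock.unlock()
                    return
            self.mft_seqs_flag_list[record_seq] = 1
            self.rw_lock.unlock()

            self.file_mft.seek(record_seq * record_size, 0)
            raw_record = self.file_mft.read(record_size)
            # The MFT is evidence from an untrusted volume: a truncated image
            # yields a short read that struct.unpack would reject with an
            # exception and kill the worker, so record it as unusable.
            if len(raw_record) < 24:
                _store_placeholder(record_seq, "BAD_NAME")
                continue
            # Record header flags at offset 22: bit 0 set means in use.
            if not (struct.unpack("<H", raw_record[22:24])[0] & 0x0001):
                _store_placeholder(record_seq, "FILE_DELETED")
                continue

            record = mft.parse_record({}, raw_record, self.options)
            record_num = record['recordnum']
            # The parser's record number must match the position in the file
            # (0 means none was recovered).  This used to be an assert, which
            # is stripped under -O and lets malformed input crash the thread.
            if record_num != 0 and record_seq != record_num:
                _store_placeholder(record_seq, "BAD_NAME")
                continue

            minirec = {}
            if record['fncnt'] == 1:
                minirec['par_ref'] = record['fn', 0]['par_ref']
                minirec['name'] = record['fn', 0]['name']
            elif record['fncnt'] > 1:
                minirec['par_ref'] = record['fn', 0]['par_ref']  # TODO: check hard link files
                # Only the first and last $FILE_NAME are inspected; prefer a
                # Win32 (1) or Win32&DOS (3) namespace name, else the last one.
                for i in (0, record['fncnt'] - 1):
                    if record['fn', i]['nspace'] in (0x1, 0x3):
                        minirec['name'] = record['fn', i]['name']
                if minirec.get('name') is None:
                    minirec['name'] = record['fn', record['fncnt'] - 1]['name']

            if record['fncnt'] == 0:
                # No $FILE_NAME: path unknown, cannot submit.
                _store_placeholder(record_seq, "BAD_NAME")
                continue

            self.rw_lock.lockForWrite()
            if self.quit_flag:
                self.rw_lock.unlock()
                return
            self.mft[record_seq] = minirec
            self.get_folder_path(record_seq, record_seq)
            self.mft_seqs_flag_list[record_seq] = 2
            self.rw_lock.unlock()

            filename = self.mft[record_seq]['name']
            filepath = self.mft[record_seq]['path']
            filesize = record['fn', 0]['alloc_fsize']
            atime = record['fn', 0]['atime']
            mtime = record['fn', 0]['mtime']
            ctime = record['fn', 0]['ctime']
            # Record header flags bit 1: directory.  Folders are queued
            # without a size.
            is_folder = bool(int(record['flags']) & 0x0002)
            row = [
                filename,
                filepath,
                None if is_folder else filesize,
                is_folder,
                int(atime),
                int(mtime),
                int(ctime),
            ]
            self.sql_insert_mutex.lock()
            self.sql_insert_queue.put([
                self.table_name, row, record_seq, self.mftsize, self.table_name
            ])
            self.sql_insert_condition.wakeOne()
            self.sql_insert_mutex.unlock()
    finally:
        # The original closed the handle only after a normal loop exit, which
        # the in-loop returns never reach; the handle is treated as owned by
        # this worker and is released on every exit path.
        try:
            self.file_mft.close()
        except Exception:
            # Best-effort close: the handle may already be closed or invalid.
            pass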
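def run(self):
    """Worker-thread body: claim and index $MFT records until none remain.

    Beginning at self.record_seq, the next record whose entry in
    self.mft_seqs_flag_list is 0 is claimed (set to 1) under self.rw_lock,
    read from self.file_mft as a 1024-byte record and reduced to a dict in
    self.mft[record_seq].  Not-in-use, truncated, mis-numbered and
    nameless records become placeholders ('FILE_DELETED' / 'BAD_NAME',
    path "/", par_ref 5) flagged 2 and are not queued.  Usable records are
    resolved with get_folder_path() and a row is pushed onto
    self.sql_insert_queue under self.sql_insert_mutex.  self.quit_flag is
    checked at each lock acquisition.  self.file_mft is closed on every
    exit path.

    Returns:
        None.
    """
    record_size = 1024

    def _mark_unusable(seq, name):
        # Placeholder entry for a record with no resolvable path; flagged done.
        self.rw_lock.lockForWrite()
        self.mft[seq] = {'name': name, 'path': "/", 'par_ref': 5}
        self.mft_seqs_flag_list[seq] = 2
        self.rw_lock.unlock()

    record_seq = self.record_seq
    try:
        while record_seq < self.mftsize:
            self.rw_lock.lockForWrite()
            if self.quit_flag:
                self.rw_lock.unlock()
                return
            # Skip records another worker has already claimed or finished.
            while self.mft_seqs_flag_list[record_seq] > 0:
                record_seq += 1
                if record_seq >= self.mftsize:
                    self.rw_lock.unlock()
                    return
            self.mft_seqs_flag_list[record_seq] = 1
            self.rw_lock.unlock()

            self.file_mft.seek(record_seq * record_size, 0)
            raw_record = self.file_mft.read(record_size)
            # Short read (truncated image / record past EOF): the header bytes
            # are missing, so skip parsing rather than let struct.unpack raise
            # and take the worker down on untrusted input.
            if len(raw_record) < 24:
                _mark_unusable(record_seq, "BAD_NAME")
                continue
            # Header flags at offset 22, bit 0: record in use.
            if not (struct.unpack("<H", raw_record[22:24])[0] & 0x0001):
                _mark_unusable(record_seq, "FILE_DELETED")
                continue

            record = mft.parse_record({}, raw_record, self.options)
            record_num = record['recordnum']
            # Formerly an assert; asserts vanish under -O and the MFT is
            # untrusted, so a mismatching record number is handled as unusable.
            if record_num != 0 and record_seq != record_num:
                _mark_unusable(record_seq, "BAD_NAME")
                continue

            fncnt = record['fncnt']
            if fncnt == 0:
                # No $FILE_NAME: path unknown, cannot submit.
                _mark_unusable(record_seq, "BAD_NAME")
                continue

            minirec = {'par_ref': record['fn', 0]['par_ref']}  # TODO: check hard link files
            if fncnt == 1:
                minirec['name'] = record['fn', 0]['name']
            else:
                # Checks only the first and last $FILE_NAME; a Win32 (1) or
                # Win32&DOS (3) namespace name is preferred, the last is the fallback.
                for i in (0, fncnt - 1):
                    if record['fn', i]['nspace'] in (0x1, 0x3):
                        minirec['name'] = record['fn', i]['name']
                if minirec.get('name') is None:
                    minirec['name'] = record['fn', fncnt - 1]['name']

            self.rw_lock.lockForWrite()
            if self.quit_flag:
                self.rw_lock.unlock()
                return
            self.mft[record_seq] = minirec
            self.get_folder_path(record_seq, record_seq)
            self.mft_seqs_flag_list[record_seq] = 2
            self.rw_lock.unlock()

            filename = self.mft[record_seq]['name']
            filepath = self.mft[record_seq]['path']
            filesize = record['fn', 0]['alloc_fsize']
            atime = record['fn', 0]['atime']
            mtime = record['fn', 0]['mtime']
            ctime = record['fn', 0]['ctime']
            # Header flags bit 1: directory.  Folders are queued without a size.
            is_folder = bool(int(record['flags']) & 0x0002)
            row = [
                filename,
                filepath,
                None if is_folder else filesize,
                is_folder,
                int(atime),
                int(mtime),
                int(ctime),
            ]
            self.sql_insert_mutex.lock()
            self.sql_insert_queue.put(
                [self.table_name, row, record_seq, self.mftsize, self.table_name]
            )
            self.sql_insert_condition.wakeOne()
            self.sql_insert_mutex.unlock()
    finally:
        # The trailing close in the original ran only after a normal loop
        # exit, which the in-loop returns never reach; the handle is treated
        # as owned by this worker and released on every exit path.
        try:
            self.file_mft.close()
        except Exception:
            # Best-effort close; the handle may already be closed or invalid.
            pass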