def build_filepaths(self):
# reset the file reading
self.file_mft.seek(0)
self.num_records = 0
# 1024 is valid for current version of Windows but should really get this value from somewhere
raw_record = self.file_mft.read(1024)
while raw_record != "":
record = {}
minirec = {}
record = mft.parse_record(raw_record, self.options)
if self.options.debug: print record
minirec['filename'] = record['filename']
minirec['fncnt'] = record['fncnt']
if record['fncnt'] == 1:
minirec['par_ref'] = record['fn',0]['par_ref']
minirec['name'] = record['fn',0]['name']
if record['fncnt'] > 1:
minirec['par_ref'] = record['fn',0]['par_ref']
minirec['name'] = record['fn', record['fncnt']-1]['name']
self.mft[self.num_records] = minirec
if self.options.progress:
if self.num_records % (self.mftsize/5) == 0 and self.num_records > 0:
print 'Building Filepaths: {0:.0f}'.format(100.0*self.num_records/self.mftsize) + '%'
self.num_records = self.num_records + 1
raw_record = self.file_mft.read(1024)
self.gen_filepaths()
def process_mft_file(self):
self.sizecheck()
self.build_filepaths()
# reset the file reading
self.num_records = 0
self.file_mft.seek(0)
raw_record = self.file_mft.read(1024)
if self.options.output is not None:
self.file_csv.writerow(mft.mft_to_csv(None, True, self.options))
while raw_record != "":
record = mft.parse_record(raw_record, self.options)
if self.options.debug:
print record
record['filename'] = self.mft[self.num_records]['filename']
self.do_output(record)
self.num_records += 1
if record['ads'] > 0:
for i in range(0, record['ads']):
# print "ADS: %s" % (record['data_name', i])
record_ads = record.copy()
record_ads['filename'] = record['filename'] + ':' + record[
'data_name', i]
self.do_output(record_ads)
raw_record = self.file_mft.read(1024)
def process_mft_file(self):
self.sizecheck()
self.build_filepaths()
#reset the file reading
self.num_records = 0
self.file_mft.seek(0)
raw_record = self.file_mft.read(1024)
if self.options.output != None:
self.file_csv.writerow(mft.mft_to_csv(None, True, self.options))
while raw_record != "":
record = {}
record = mft.parse_record(raw_record, self.options)
if self.options.debug: print record
record['filename'] = self.mft[self.num_records]['filename']
self.do_output(record)
self.num_records = self.num_records + 1
if record['ads'] > 0:
for i in range(0, record['ads']):
# print "ADS: %s" % (record['data_name', i])
record_ads = record.copy()
record_ads['filename'] = record['filename'] + ':' + record['data_name', i]
self.do_output(record_ads)
raw_record = self.file_mft.read(1024)
def process_mft_file(self):
self.sizecheck()
self.build_filepaths()
# reset the file reading
self.num_records = 0
self.file_mft.seek(0)
raw_record = self.file_mft.read(1024)
if self.output is not None and not self.json:
self.file_csv.writerow(mft.mft_to_csv(None, True))
elif self.output is not None and self.json:
self.header = mft.mft_to_csv(None, True)
while raw_record != "":
record = mft.parse_record(raw_record, False)
record['filename'] = self.mft[self.num_records]['filename']
self.do_output(record)
self.num_records += 1
if record['ads'] > 0:
for i in range(0, record['ads']):
record_ads = record.copy()
record_ads['filename'] = record['filename'] + ':' + record[
'data_name', i]
self.do_output(record_ads)
raw_record = self.file_mft.read(1024)
if self.json:
close_json_writer(self.json_writer)
def build_filepaths(self):
# reset the file reading
self.file_mft.seek(0)
self.num_records = 0
# 1024 is valid for current version of Windows but should really get this value from somewhere
raw_record = self.file_mft.read(1024)
while raw_record:
minirec = {}
record = mft.parse_record(raw_record, debug=self.debug)
minirec['filename'] = record['filename']
minirec['fncnt'] = record['fncnt']
if record['fncnt'] == 1:
minirec['par_ref'] = record['fn', 0]['par_ref']
minirec['name'] = record['fn', 0]['name']
if record['fncnt'] > 1:
minirec['par_ref'] = record['fn', 0]['par_ref']
for i in (0, record['fncnt'] - 1):
# print record['fn',i]
if record['fn', i]['nspace'] == 0x1 or record[
'fn', i]['nspace'] == 0x3:
minirec['name'] = record['fn', i]['name']
if minirec.get('name') is None:
minirec['name'] = record['fn', record['fncnt'] - 1]['name']
self.mft[self.num_records] = minirec
self.num_records += 1
raw_record = self.file_mft.read(1024)
self.gen_filepaths()
def process_mft_file(self):
self.sizecheck()
self.build_filepaths()
# reset the file reading
self.num_records = 0
self.file_mft.seek(0)
raw_record = self.file_mft.read(1024)
if self.output != None and not self.json:
self.file_csv.writerow(mft.mft_to_csv(None, True))
elif self.output != None and self.json:
self.header = mft.mft_to_csv(None, True)
while raw_record != "":
record = {}
record = mft.parse_record(raw_record, False)
record['filename'] = self.mft[self.num_records]['filename']
self.do_output(record)
self.num_records = self.num_records + 1
if record['ads'] > 0:
for i in range(0, record['ads']):
record_ads = record.copy()
record_ads['filename'] = record['filename'] + ':' + record['data_name', i]
self.do_output(record_ads)
raw_record = self.file_mft.read(1024)
def plaso_process_mft_file(self):
# TODO - Add ADS support ....
self.build_filepaths()
# reset the file reading
self.num_records = 0
self.file_mft.seek(0)
raw_record = self.file_mft.read(1024)
while raw_record != "":
record = mft.parse_record(raw_record, False)
record['filename'] = self.mft[self.num_records]['filename']
self.fullmft[self.num_records] = record
self.num_records += 1
raw_record = self.file_mft.read(1024)
def build_seq(self, record_seq):
file_handle = self.file_mft
# file_handle = open(self.options.filename, 'rb')
file_handle.seek(record_seq * 1024, 0)
raw_record = file_handle.read(1024)
record = {}
minirec = {}
# file deleted
if not (struct.unpack("<H", raw_record[22:24])[0] & 0x0001):
minirec['name'] = "FILE_DELETED"
minirec['path'] = "/"
minirec['par_ref'] = 5
# locked in function run already.
self.mft[record_seq] = minirec
self.mft_seqs_flag_list[record_seq] = 2
return
record = mft.parse_record(record, raw_record, self.options)
record_num = record['recordnum']
assert record_num == 0 or record_seq == record_num
if record['fncnt'] == 1:
minirec['par_ref'] = record['fn', 0]['par_ref']
minirec['name'] = record['fn', 0]['name']
elif record['fncnt'] > 1:
minirec['par_ref'] = record['fn', 0][
'par_ref'] # TODO: check hard link files
for i in (0, record['fncnt'] - 1):
if (record['fn', i]['nspace'] == 0x1
or record['fn', i]['nspace'] == 0x3):
minirec['name'] = record['fn', i]['name']
if minirec.get('name') is None:
minirec['name'] = record['fn', record['fncnt'] - 1]['name']
if record['fncnt'] > 0:
self.mft[record_seq] = minirec
# self.get_folder_path(record_seq, record_seq) # skip from loop
# self.mft_seqs_flag_list[record_seq] = 2 # path is unknow, cannot submit
else:
minirec['name'] = "BAD_NAME"
minirec['path'] = "/"
minirec['par_ref'] = 5
self.mft[record_seq] = minirec
self.mft_seqs_flag_list[record_seq] = 2
def build_seq(self, record_seq):
file_handle = self.file_mft
# file_handle = open(self.options.filename, 'rb')
file_handle.seek(record_seq * 1024, 0)
raw_record = file_handle.read(1024)
record = {}
minirec = {}
# file deleted
if not (struct.unpack("<H", raw_record[22:24])[0] & 0x0001):
minirec['name'] = "FILE_DELETED"
minirec['path'] = "/"
minirec['par_ref'] = 5
# locked in function run already.
self.mft[record_seq] = minirec
self.mft_seqs_flag_list[record_seq] = 2
return
record = mft.parse_record(record, raw_record, self.options)
record_num = record['recordnum']
assert record_num == 0 or record_seq == record_num
if record['fncnt'] == 1:
minirec['par_ref'] = record['fn', 0]['par_ref']
minirec['name'] = record['fn', 0]['name']
elif record['fncnt'] > 1:
minirec['par_ref'] = record['fn', 0]['par_ref'] # TODO: check hard link files
for i in (0, record['fncnt'] - 1):
if (record['fn', i]['nspace'] == 0x1 or record['fn', i]['nspace'] == 0x3):
minirec['name'] = record['fn', i]['name']
if minirec.get('name') is None:
minirec['name'] = record['fn', record['fncnt'] - 1]['name']
if record['fncnt'] > 0:
self.mft[record_seq] = minirec
# self.get_folder_path(record_seq, record_seq) # skip from loop
# self.mft_seqs_flag_list[record_seq] = 2 # path is unknow, cannot submit
else:
minirec['name'] = "BAD_NAME"
minirec['path'] = "/"
minirec['par_ref'] = 5
self.mft[record_seq] = minirec
self.mft_seqs_flag_list[record_seq] = 2
def build_filepaths(self):
# reset the file reading
self.file_mft.seek(0)
self.num_records = 0
# 1024 is valid for current version of Windows but should really get this value from somewhere
raw_record = self.file_mft.read(1024)
while raw_record != "":
record = {}
minirec = {}
record = mft.parse_record(raw_record, self.options)
if self.options.debug: print record
minirec['filename'] = record['filename']
minirec['fncnt'] = record['fncnt']
if record['fncnt'] == 1:
minirec['par_ref'] = record['fn', 0]['par_ref']
minirec['name'] = record['fn', 0]['name']
if record['fncnt'] > 1:
minirec['par_ref'] = record['fn', 0]['par_ref']
for i in (0, record['fncnt'] - 1):
#print record['fn',i]
if (record['fn', i]['nspace'] == 0x1
or record['fn', i]['nspace'] == 0x3):
minirec['name'] = record['fn', i]['name']
if (minirec.get('name') == None):
minirec['name'] = record['fn', record['fncnt'] - 1]['name']
self.mft[self.num_records] = minirec
if self.options.progress:
if self.num_records % (self.mftsize /
5) == 0 and self.num_records > 0:
print 'Building Filepaths: {0:.0f}'.format(
100.0 * self.num_records / self.mftsize) + '%'
self.num_records = self.num_records + 1
raw_record = self.file_mft.read(1024)
self.gen_filepaths()
def process_mft_file(self):
self.sizecheck()
self.build_filepaths()
#reset the file reading
self.num_records = 0
self.file_mft.seek(0)
raw_record = self.file_mft.read(1024)
if self.options.output != None:
self.file_csv.writerow(mft.mft_to_csv(None, True))
while raw_record != "":
record = {}
record = mft.parse_record(raw_record, self.options)
if self.options.debug: print record
record['filename'] = self.mft[self.num_records]['filename']
if self.options.inmemory:
self.fullmft[self.num_records] = record
if self.options.output != None:
self.file_csv.writerow(mft.mft_to_csv(record, False))
if self.options.csvtimefile != None:
self.file_csv_time.write(mft.mft_to_l2t(record))
if self.options.bodyfile != None:
self.file_body.write(mft.mft_to_body(record, self.options.bodyfull, self.options.bodystd))
if self.options.progress:
if self.num_records % (self.mftsize/5) == 0 and self.num_records > 0:
print 'Building MFT: {0:.0f}'.format(100.0*self.num_records/self.mftsize) + '%'
self.num_records = self.num_records + 1
raw_record = self.file_mft.read(1024)
def plaso_process_mft_file(self):
# TODO - Add ADS support ....
self.build_filepaths()
# reset the file reading
self.num_records = 0
self.file_mft.seek(0)
raw_record = self.file_mft.read(1024)
while raw_record != "":
record = {}
record = mft.parse_record(raw_record, False)
record['filename'] = self.mft[self.num_records]['filename']
self.fullmft[self.num_records] = record
self.num_records = self.num_records + 1
raw_record = self.file_mft.read(1024)
def process_mft_file(self):
self.sizecheck()
self.build_filepaths()
# reset the file reading
self.num_records = 0
self.file_mft.seek(0)
raw_record = self.file_mft.read(1024)
print(f"encoding is {chardet.detect(raw_record)}")
while raw_record != "":
record = mft.parse_record(raw_record=raw_record, debug=self.debug)
record['filename'] = self.mft[self.num_records]['filename']
if record['ads'] > 0:
for i in range(0, record['ads']):
# print "ADS: %s" % (record['data_name', i])
record_ads = record.copy()
record_ads['filename'] = record['filename'] + ':' + str(
record['data_name', i])
self.num_records += 1
raw_record = self.file_mft.read(1024)
yield record
def plaso_process_mft_file(self):
self.build_filepaths()
#reset the file reading
self.num_records = 0
self.file_mft.seek(0)
raw_record = self.file_mft.read(1024)
while raw_record != "":
record = {}
record = mft.parse_record(raw_record, self.options)
if self.options.debug: print record
record['filename'] = self.mft[self.num_records]['filename']
self.fullmft[self.num_records] = record
self.num_records = self.num_records + 1
raw_record = self.file_mft.read(1024)
def build_filepaths(self):
# reset the file reading
self.file_mft.seek(0)
self.num_records = 0
# 1024 is valid for current version of Windows but should really get this value from somewhere
raw_record = self.file_mft.read(1024)
while raw_record != "":
record = {}
minirec = {}
record = mft.parse_record(raw_record, False)
minirec['filename'] = record['filename']
minirec['fncnt'] = record['fncnt']
if record['fncnt'] == 1:
minirec['par_ref'] = record['fn', 0]['par_ref']
minirec['name'] = record['fn', 0]['name']
if record['fncnt'] > 1:
minirec['par_ref'] = record['fn', 0]['par_ref']
for i in (0, record['fncnt'] - 1):
# print record['fn',i]
if (record['fn', i]['nspace'] == 0x1 or record['fn', i]['nspace'] == 0x3):
minirec['name'] = record['fn', i]['name']
if (minirec.get('name') == None):
minirec['name'] = record['fn', record['fncnt'] - 1]['name']
self.mft[self.num_records] = minirec
if self.num_records % (self.mftsize / 5) == 0 and self.num_records > 0:
self.logger.info('Building Filepaths: {0:.0f}'.format(100.0 * self.num_records / self.mftsize) + '%')
self.num_records = self.num_records + 1
raw_record = self.file_mft.read(1024)
self.gen_filepaths()
def plaso_process_mft_file(self):
# TODO - Add ADS support ....
self.build_filepaths()
#reset the file reading
self.num_records = 0
self.file_mft.seek(0)
raw_record = self.file_mft.read(1024)
while raw_record != "":
record = {}
record = mft.parse_record(raw_record, self.options)
if self.options.debug: print record
record['filename'] = self.mft[self.num_records]['filename']
self.fullmft[self.num_records] = record
self.num_records = self.num_records + 1
raw_record = self.file_mft.read(1024)
def run(self):
record_seq = self.record_seq
while record_seq < self.mftsize:
self.rw_lock.lockForWrite()
if self.quit_flag:
self.rw_lock.unlock()
return
while self.mft_seqs_flag_list[record_seq] > 0:
record_seq += 1
if record_seq >= self.mftsize:
self.rw_lock.unlock()
return
self.mft_seqs_flag_list[record_seq] = 1
self.rw_lock.unlock()
self.file_mft.seek(record_seq * 1024, 0)
raw_record = self.file_mft.read(1024)
record = {}
minirec = {}
# file deleted
if not (struct.unpack("<H", raw_record[22:24])[0] & 0x0001):
minirec['name'] = "FILE_DELETED"
minirec['path'] = "/"
minirec['par_ref'] = 5
# http://effbot.org/pyfaq/what-kinds-of-global-value-mutation-are-thread-safe.htm
# thread-safe, no lock needed.
self.rw_lock.lockForWrite()
self.mft[record_seq] = minirec
self.mft_seqs_flag_list[record_seq] = 2
self.rw_lock.unlock()
continue
record = mft.parse_record(record, raw_record, self.options)
record_num = record['recordnum']
assert record_num == 0 or record_seq == record_num
if record['fncnt'] == 1:
minirec['par_ref'] = record['fn', 0]['par_ref']
minirec['name'] = record['fn', 0]['name']
elif record['fncnt'] > 1:
minirec['par_ref'] = record['fn', 0][
'par_ref'] # TODO: check hard link files
for i in (0, record['fncnt'] - 1):
if record['fn', i]['nspace'] == 0x1 or record[
'fn', i]['nspace'] == 0x3:
minirec['name'] = record['fn', i]['name']
if minirec.get('name') is None:
minirec['name'] = record['fn', record['fncnt'] - 1]['name']
if record['fncnt'] > 0:
self.rw_lock.lockForWrite()
if self.quit_flag:
self.rw_lock.unlock()
return
self.mft[record_seq] = minirec
self.get_folder_path(record_seq, record_seq)
self.mft_seqs_flag_list[record_seq] = 2
self.rw_lock.unlock()
filename = self.mft[record_seq]['name']
filepath = self.mft[record_seq]['path']
filesize = record['fn', 0]['alloc_fsize']
atime = record['fn', 0]['atime'] # .unixtime
mtime = record['fn', 0]['mtime'] # .unixtime
ctime = record['fn', 0]['ctime'] # .unixtime
isFolder = bool(int(record['flags'])
& 0x0002) # decodeMFTrecordtype(record):
self.sql_insert_mutex.lock()
if isFolder:
# self.insert_db_SIGNAL.emit
self.sql_insert_queue.put([
self.table_name,
[
filename, filepath, None, True,
int(atime),
int(mtime),
int(ctime)
], record_seq, self.mftsize, self.table_name
])
else:
self.sql_insert_queue.put([
self.table_name,
[
filename, filepath, filesize, False,
int(atime),
int(mtime),
int(ctime)
], record_seq, self.mftsize, self.table_name
])
self.sql_insert_condition.wakeOne()
self.sql_insert_mutex.unlock()
else:
minirec['name'] = "BAD_NAME"
minirec['path'] = "/"
minirec['par_ref'] = 5
self.rw_lock.lockForWrite()
self.mft[record_seq] = minirec
self.mft_seqs_flag_list[record_seq] = 2
self.rw_lock.unlock()
try:
self.file_mft.close()
except:
pass
def run(self):
record_seq = self.record_seq
while record_seq < self.mftsize:
self.rw_lock.lockForWrite()
if self.quit_flag:
self.rw_lock.unlock()
return
while self.mft_seqs_flag_list[record_seq] > 0:
record_seq += 1
if record_seq >= self.mftsize:
self.rw_lock.unlock()
return
self.mft_seqs_flag_list[record_seq] = 1
self.rw_lock.unlock()
self.file_mft.seek(record_seq * 1024, 0)
raw_record = self.file_mft.read(1024)
record = {}
minirec = {}
# file deleted
if not (struct.unpack("<H", raw_record[22:24])[0] & 0x0001):
minirec['name'] = "FILE_DELETED"
minirec['path'] = "/"
minirec['par_ref'] = 5
# http://effbot.org/pyfaq/what-kinds-of-global-value-mutation-are-thread-safe.htm
# thread-safe, no lock needed.
self.rw_lock.lockForWrite()
self.mft[record_seq] = minirec
self.mft_seqs_flag_list[record_seq] = 2
self.rw_lock.unlock()
continue
record = mft.parse_record(record, raw_record, self.options)
record_num = record['recordnum']
assert record_num == 0 or record_seq == record_num
if record['fncnt'] == 1:
minirec['par_ref'] = record['fn', 0]['par_ref']
minirec['name'] = record['fn', 0]['name']
elif record['fncnt'] > 1:
minirec['par_ref'] = record['fn', 0]['par_ref'] # TODO: check hard link files
for i in (0, record['fncnt'] - 1):
if record['fn', i]['nspace'] == 0x1 or record['fn', i]['nspace'] == 0x3:
minirec['name'] = record['fn', i]['name']
if minirec.get('name') is None:
minirec['name'] = record['fn', record['fncnt'] - 1]['name']
if record['fncnt'] > 0:
self.rw_lock.lockForWrite()
if self.quit_flag:
self.rw_lock.unlock()
return
self.mft[record_seq] = minirec
self.get_folder_path(record_seq, record_seq)
self.mft_seqs_flag_list[record_seq] = 2
self.rw_lock.unlock()
filename = self.mft[record_seq]['name']
filepath = self.mft[record_seq]['path']
filesize = record['fn', 0]['alloc_fsize']
atime = record['fn', 0]['atime'] # .unixtime
mtime = record['fn', 0]['mtime'] # .unixtime
ctime = record['fn', 0]['ctime'] # .unixtime
isFolder = bool(int(record['flags']) & 0x0002) # decodeMFTrecordtype(record):
self.sql_insert_mutex.lock()
if isFolder:
# self.insert_db_SIGNAL.emit
self.sql_insert_queue.put([self.table_name,
[filename, filepath,
None, True,
int(atime), int(mtime), int(ctime)],
record_seq, self.mftsize, self.table_name]
)
else:
self.sql_insert_queue.put([self.table_name,
[filename, filepath,
filesize, False,
int(atime), int(mtime), int(ctime)],
record_seq, self.mftsize, self.table_name]
)
self.sql_insert_condition.wakeOne()
self.sql_insert_mutex.unlock()
else:
minirec['name'] = "BAD_NAME"
minirec['path'] = "/"
minirec['par_ref'] = 5
self.rw_lock.lockForWrite()
self.mft[record_seq] = minirec
self.mft_seqs_flag_list[record_seq] = 2
self.rw_lock.unlock()
try:
self.file_mft.close()
except:
pass
