def __init__(self, data=None, offset_bytes=None): record_length = reverse_hexlify_int(data[0:4]) self.data = data[0:record_length] self.offset_bytes = offset_bytes self.file_attributes_object = FileAttributesFlag(self.file_attributes)
def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) self.content_data = self.data[self.header.content_offset:self.header. content_offset + self.header.content_size] self.flags_set = FileAttributesFlag(self.flags)
class UsnRecordBase(): # Fields that are shared by both the USN record version 2 and 3 (4 is unknown at this moment) RECORD_LENGTH = ('record length', 0, 3) MAJOR_VERSION = ('major version', 4, 5) MINOR_VERSION = ('minor version', 6, 7) REASON_MAP = { 0x00000001: 'DATA_OVERWRITE', 0x00000002: 'DATA_EXTEND', 0x00000004: 'DATA_TRUNCATION', 0x00000010: 'NAMED_DATA_OVERWRITE', 0x00000020: 'NAMED_DATA_EXTEND', 0x00000040: 'NAMED_DATA_TRUNCATION', 0x00000100: 'FILE_CREATE', 0x00000200: 'FILE_DELETE', 0x00000400: 'EA_CHANGE', 0x00000800: 'SECURITY_CHANGE', 0x00001000: 'RENAME_OLD_NAME', 0x00002000: 'RENAME_NEW_NAME', 0x00004000: 'INDEXABLE_CHANGE', 0x00008000: 'BASIC_INFO_CHANGE', 0x00010000: 'HARD_LINK_CHANGE', 0x00020000: 'COMPRESSION_CHANGE', 0x00040000: 'ENCRYPTION_CHANGE', 0x00080000: 'OBJECT_ID_CHANGE', 0x00100000: 'REPARSE_POINT_CHANGE', 0x00200000: 'STREAM_CHANGE', 0x80000000: 'CLOSE' } REASON_TUPLE = ( (0x00000001, 'DATA_OVERWRITE'), (0x00000002, 'DATA_EXTEND'), (0x00000004, 'DATA_TRUNCATION'), (0x00000010, 'NAMED_DATA_OVERWRITE'), (0x00000020, 'NAMED_DATA_EXTEND'), (0x00000040, 'NAMED_DATA_TRUNCATION'), (0x00000100, 'FILE_CREATE'), (0x00000200, 'FILE_DELETE'), (0x00000400, 'EA_CHANGE'), (0x00000800, 'SECURITY_CHANGE'), (0x00001000, 'RENAME_OLD_NAME'), (0x00002000, 'RENAME_NEW_NAME'), (0x00004000, 'INDEXABLE_CHANGE'), (0x00008000, 'BASIC_INFO_CHANGE'), (0x00010000, 'HARD_LINK_CHANGE'), (0x00020000, 'COMPRESSION_CHANGE'), (0x00040000, 'ENCRYPTION_CHANGE'), (0x00080000, 'OBJECT_ID_CHANGE'), (0x00100000, 'REPARSE_POINT_CHANGE'), (0x00200000, 'STREAM_CHANGE'), (0x80000000, 'CLOSE') ) # Source info USN_SOURCE_DATA_MANAGEMENT = 0x00000001 USN_SOURCE_AUXILARY_DATA = 0x00000002 USN_SOURCE_REPLICATION_MANAGEMENT = 0x00000004 def __init__(self, data=None, offset_bytes=None): record_length = reverse_hexlify_int(data[0:4]) self.data = data[0:record_length] self.offset_bytes = offset_bytes self.file_attributes_object = FileAttributesFlag(self.file_attributes) #################################################################################################################### # Raw values @property def record_length_raw(self): return self.data[0:4] @property def major_version_raw(self): return self.data[4:6] @property def minor_version_raw(self): return self.data[6:8] # Placeholders to be overridden by subclasses. @property def file_reference_number_raw(self): raise NotImplementedError() @property def parent_file_reference_number_raw(self): raise NotImplementedError() @property def usn_raw(self): raise NotImplementedError() @property def timestamp_raw(self): raise NotImplementedError() @property def reason_raw(self): raise NotImplementedError() @property def source_info_raw(self): raise NotImplementedError() @property def security_id_raw(self): raise NotImplementedError() @property def file_attributes_raw(self): raise NotImplementedError() @property def file_name_length_raw(self): raise NotImplementedError() @property def file_name_offset_raw(self): raise NotImplementedError() @property def file_name_raw(self): return self.data[self.file_name_offset : self.file_name_offset + self.file_name_length] #################################################################################################################### # Interpreted values @property def record_length(self): return reverse_hexlify_int(self.record_length_raw) @property def major_version(self): return reverse_hexlify_int(self.major_version_raw) @property def minor_version(self): return reverse_hexlify_int(self.minor_version_raw) @property def file_reference_number(self): return hexlify(self.file_reference_number_raw) @property def parent_file_reference_number(self): return hexlify(self.parent_file_reference_number_raw) @property def usn(self): return reverse_hexlify_int(self.usn_raw) @property def timestamp(self): return reverse_hexlify_int(self.timestamp_raw) @property def reason(self): return reverse_hexlify_int(self.reason_raw) @property def source_info(self): return reverse_hexlify_int(self.source_info_raw) @property def security_id(self): return reverse_hexlify_int(self.security_id_raw) @property def file_attributes(self): return reverse_hexlify_int(self.file_attributes_raw) @property def file_name_length(self): return reverse_hexlify_int(self.file_name_length_raw) @property def file_name_offset(self): return reverse_hexlify_int(self.file_name_offset_raw) @property def file_name(self): return self.file_name_raw.decode('utf-16') #################################################################################################################### # Derived values @property def timestamp_datetime(self): if not hasattr(self, '_timestamp_datetime'): self._timestamp_datetime = filetime_to_datetime(self.timestamp_raw) return self._timestamp_datetime @property def usn_source_data_management_flag_set(self): return bool(self.source_info & UsnRecordV2.USN_SOURCE_DATA_MANAGEMENT) @property def usn_source_auxiliary_data_flag_set(self): return bool(self.source_info & UsnRecordV2.USN_SOURCE_AUXILARY_DATA) @property def usn_source_replication_management_flag_set(self): return bool(self.source_info & UsnRecordV2.USN_SOURCE_REPLICATION_MANAGEMENT) @property def file_attributes_string(self): return '|'.join(self.file_attributes_object.reason_list()) @property def reason_string(self): return '|'.join([second for first, second in self.REASON_TUPLE if self.reason & first]) #################################################################################################################### # Printing def all_fields_described(self): return ( (UsnRecordBase.RECORD_LENGTH, self.record_length, self.record_length_raw), (UsnRecordBase.MAJOR_VERSION, self.major_version, self.major_version_raw), (UsnRecordBase.MINOR_VERSION, self.minor_version, self.minor_version_raw), ) def extra_pairs(self): return () def formatted_csv(self): return [ self.record_length, self.major_version, self.minor_version, #self.file_reference_number, #self.parent_file_reference_number, self.usn, self.timestamp_datetime, self.reason_string, self.source_info, self.security_id, self.file_attributes_string, self.file_name_length, self.file_name_offset, self.file_name ] def formatted_csv_column_headers(self): formatted = [ 'record length', 'major version', 'minor version', #'file reference number', #'parent file reference number', 'usn', 'timestamp', 'reason', 'source info', 'security id', 'file attributes', 'file name length', 'file name offset', 'file name' ] return formatted def print(self): _INDENT = ' ' for (description, low, high), value, value_raw in self.all_fields_described(): print(_INDENT + '%-26s | %-5s | %-18s | %s' % (description, str(low) + '-' + str(high), value, hexlify(value_raw))) #print() #print(_INDENT + '%-47s | %s' % ('parent directory file reference sequence number', self.parent_directory_file_reference_sequence_number)) #print(_INDENT + '%-47s | %s' % ('parent_directory_file_reference_mft entry', self.parent_directory_file_reference_mft_entry)) #print(_INDENT + '%-47s | %s' % ('file creation time datetime', self.file_creation_time_datetime)) #print(_INDENT + '%-47s | %s' % ('file modified time datetime', self.file_modification_time_datetime)) #print(_INDENT + '%-47s | %s' % ('mft modified time datetime', self.mft_modification_time_datetime)) #print(_INDENT + '%-47s | %s' % ('file access time datetime', self.file_access_time_datetime)) #self.print_attribute_bottom() def print(self): pass def writeout_parsed(self, out, indent=0): for (description, low, high), value, value_raw in self.all_fields_described(): out.write('%s%-26s | %-5s | %-18s | %s\n' % (indent * ' ', description, str(low) + '-' + str(high), value, hexlify(value_raw))) for key, val in self.extra_pairs(): out.write('%-15s%s\n' % (key + ':', val))
class StandardInformation(Attribute): CREATION_TIME = ('creation time', 0, 7) FILE_ALTERED_TIME = ('file altered time', 8, 15) MFT_ALTERED_TIME = ('mft altered time', 16, 23) FILE_ACCESSED_TIME = ('file accessed time', 24, 31) FLAGS = ('flags', 32, 35) MAXIMUM_NUMBER_OF_VERSIONS = ('maximum version of numbers', 36, 39) VERSION_NUMBER = ('version number', 40, 43) CLASS_ID = ('class id', 44, 47) OWNER_ID = ('owner id', 48, 51) SECURITY_ID = ('security id', 52, 55) QUOTA_CHARGED = ('quota charged', 56, 63) USN = ('USN', 64, 71) def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) self.content_data = self.data[self.header.content_offset:self.header. content_offset + self.header.content_size] self.flags_set = FileAttributesFlag(self.flags) #################################################################################################################### # Raw values @property def creation_time_raw(self): return self.content_data[0:8] @property def file_altered_time_raw(self): return self.content_data[8:16] @property def mft_altered_time_raw(self): return self.content_data[16:24] @property def file_accessed_time_raw(self): return self.content_data[24:32] @property def flags_raw(self): return self.content_data[32:36] @property def maximum_number_of_versions_raw(self): return self.content_data[36:40] @property def version_number_raw(self): return self.content_data[40:44] @property def class_id_raw(self): return self.content_data[44:48] @property def owner_id_raw(self): return self.content_data[48:52] @property def security_id_raw(self): return self.content_data[52:56] @property def quota_charged_raw(self): return self.content_data[56:64] @property def usn_raw(self): return self.content_data[64:72] #################################################################################################################### # Interpreted values @property def creation_time(self): return reverse_hexlify_int(self.creation_time_raw) @property def file_altered_time(self): return reverse_hexlify_int(self.file_altered_time_raw) @property def mft_altered_time(self): return reverse_hexlify_int(self.mft_altered_time_raw) @property def file_accessed_time(self): return reverse_hexlify_int(self.file_accessed_time_raw) @property def flags(self): return reverse_hexlify_int(self.flags_raw) @property def maximum_number_of_versions(self): return reverse_hexlify_int(self.maximum_number_of_versions_raw) @property def version_number(self): return reverse_hexlify_int(self.version_number_raw) @property def class_id(self): return reverse_hexlify_int(self.class_id_raw) @property def owner_id(self): return reverse_hexlify_int(self.owner_id_raw) @property def security_id(self): return reverse_hexlify_int(self.security_id_raw) @property def quota_charged(self): return reverse_hexlify_int(self.quota_charged_raw) @property def usn(self): return reverse_hexlify_int(self.usn_raw) #################################################################################################################### # Derived values @property def creation_time_datetime(self): if not hasattr(self, '_creation_time_datetime'): self._creation_time_datetime = filetime_to_datetime( self.creation_time_raw) return self._creation_time_datetime @property def file_altered_time_datetime(self): if not hasattr(self, '_file_altered_time_datetime'): self._file_altered_time_datetime = filetime_to_datetime( self.file_altered_time_raw) return self._file_altered_time_datetime @property def mft_altered_time_datetime(self): if not hasattr(self, '_mft_altered_time_datetime'): self._mft_altered_time_datetime = filetime_to_datetime( self.mft_altered_time_raw) return self._mft_altered_time_datetime @property def file_accessed_time_datetime(self): if not hasattr(self, '_file_accessed_time_datetime'): self._file_accessed_time_datetime = filetime_to_datetime( self.file_accessed_time_raw) return self._file_accessed_time_datetime @property def flags_string(self): return '|'.join(self.flags_set.reason_list()) #################################################################################################################### # Printing def all_fields_described(self): base_tuple = ((StandardInformation.CREATION_TIME, self.creation_time, self.creation_time_raw), (StandardInformation.FILE_ALTERED_TIME, self.file_altered_time, self.file_altered_time_raw), (StandardInformation.MFT_ALTERED_TIME, self.mft_altered_time, self.mft_altered_time_raw), (StandardInformation.FILE_ACCESSED_TIME, self.file_accessed_time, self.file_accessed_time_raw), (StandardInformation.FLAGS, self.flags, self.flags_raw), (StandardInformation.MAXIMUM_NUMBER_OF_VERSIONS, self.maximum_number_of_versions, self.maximum_number_of_versions_raw), (StandardInformation.VERSION_NUMBER, self.version_number, self.version_number_raw), (StandardInformation.CLASS_ID, self.class_id, self.class_id_raw)) if len(self.content_data) == 48: return base_tuple elif len(self.content_data) == 72: return base_tuple + ( (StandardInformation.OWNER_ID, self.owner_id, self.owner_id_raw), (StandardInformation.SECURITY_ID, self.security_id, self.security_id_raw), (StandardInformation.QUOTA_CHARGED, self.quota_charged, self.quota_charged_raw), (StandardInformation.USN, self.usn, self.usn_raw)) else: raise Exception('StandardInformation is of length ' + str(len(self.content_data)) + ', case unaccounted for') def extra_pairs(self): return (('creation time datetime', self.creation_time_datetime), ('file altered time datetime', self.file_altered_time_datetime), ('mft altered time datetime', self.mft_altered_time_datetime), ('file accessed time datetime', self.file_accessed_time_datetime)) @staticmethod def format_csv_column_headers(): return [ 'SI creation time', 'SI file altered time', 'SI mft altered time', 'SI file accessed time', 'SI flags', 'SI maximum number of versions', 'SI version number', 'SI class id', 'SI owner id', 'SI security id', 'SI quota charged', 'SI usn' ] def format_csv(self): return [ self.creation_time_datetime, self.file_altered_time_datetime, self.mft_altered_time_datetime, self.file_accessed_time_datetime, self.flags_string, self.maximum_number_of_versions, self.version_number, self.class_id, self.owner_id, self.security_id, self.quota_charged, self.usn ]
class FileName(Attribute): PARENT_DIRECTORY_FILE = ('parent directory file', 0, 7) FILE_CREATION_TIME = ('file creation time', 8, 15) FILE_MODIFICATION_TIME = ('file modification time', 16, 23) MFT_MODIFICATION_TIME = ('mft modification time', 24, 31) FILE_ACCESS_TIME = ('file access time', 32, 39) FILE_ALLOCATED_SIZE = ('file allocated size', 40, 47) FILE_REAL_SIZE = ('file real size', 48, 55) FLAGS = ('flags', 56, 59) REPARSE_VALUE = ('reparse value', 60, 63) NAME_LENGTH = ('name length', 64, 64) NAMESPACE = ('namespace', 65, 65) NAME = ('name', 66, '+') def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) self.content_data = self.data[self.header.content_offset:self.header. content_offset + self.header.content_size] self.flags_set = FileAttributesFlag(self.flags) #################################################################################################################### # Raw values @property def parent_directory_file_reference_raw(self): return self.content_data[0:8] @property def file_creation_time_raw(self): return self.content_data[8:16] @property def file_modification_time_raw(self): return self.content_data[16:24] @property def mft_modification_time_raw(self): return self.content_data[24:32] @property def file_access_time_raw(self): return self.content_data[32:40] @property def file_allocated_size_raw(self): return self.content_data[40:48] @property def file_real_size_raw(self): return self.content_data[48:56] @property def flags_raw(self): return self.content_data[56:60] @property def reparse_value_raw(self): return self.content_data[60:64] @property def name_length_raw(self): return self.content_data[64:65] @property def namespace_raw(self): return self.content_data[65:66] @property def name_raw(self): return self.content_data[66:66 + self.name_length * 2] #################################################################################################################### # Interpreted values @property def parent_directory_file_reference(self): return hexlify(self.parent_directory_file_reference_raw).decode() @property def file_creation_time(self): return reverse_hexlify_int(self.file_creation_time_raw) @property def file_modification_time(self): return reverse_hexlify_int(self.file_modification_time_raw) @property def mft_modification_time(self): return reverse_hexlify_int(self.mft_modification_time_raw) @property def file_access_time(self): return reverse_hexlify_int(self.file_access_time_raw) @property def file_allocated_size(self): return reverse_hexlify_int(self.file_allocated_size_raw) @property def file_real_size(self): return reverse_hexlify_int(self.file_allocated_size_raw) @property def flags(self): return reverse_hexlify_int(self.flags_raw) @property def reparse_value(self): return reverse_hexlify_int(self.reparse_value_raw) @property def name_length(self): return reverse_hexlify_int(self.name_length_raw) @property def namespace(self): return reverse_hexlify_int(self.namespace_raw) @property def name(self): return self.name_raw.decode('utf-16') #################################################################################################################### # Derived values @property def parent_directory_file_reference_sequence_number(self): return reverse_hexlify_int( self.parent_directory_file_reference_raw[6:8]) @property def parent_directory_file_reference_mft_entry(self): return reverse_hexlify_int( self.parent_directory_file_reference_raw[0:6]) @property def file_creation_time_datetime(self): try: if not hasattr(self, '_file_creation_time_datetime'): self._file_creation_time_datetime = filetime_to_datetime( self.file_creation_time_raw) return self._file_creation_time_datetime except ValueError: return None @property def file_modification_time_datetime(self): try: if not hasattr(self, '_file_modification_time_datetime'): self._file_modification_time_datetime = filetime_to_datetime( self.file_modification_time_raw) return self._file_modification_time_datetime except ValueError: return None @property def mft_modification_time_datetime(self): try: if not hasattr(self, '_mft_modification_time_datetime'): self._mft_modification_time_datetime = filetime_to_datetime( self.mft_modification_time_raw) return self._mft_modification_time_datetime except ValueError: return None @property def file_access_time_datetime(self): try: if not hasattr(self, '_file_access_time_datetime'): self._file_access_time_datetime = filetime_to_datetime( self.file_access_time_raw) return self._file_access_time_datetime except ValueError: return None @property def flags_string(self): return '|'.join(self.flags_set.reason_list()) #################################################################################################################### # Printing def all_fields_described(self): return ((FileName.PARENT_DIRECTORY_FILE, self.parent_directory_file_reference, self.parent_directory_file_reference_raw), (FileName.FILE_CREATION_TIME, self.file_creation_time, self.file_creation_time_raw), (FileName.FILE_MODIFICATION_TIME, self.file_modification_time, self.file_modification_time_raw), (FileName.MFT_MODIFICATION_TIME, self.mft_modification_time, self.file_modification_time_raw), (FileName.FILE_ACCESS_TIME, self.file_access_time, self.file_access_time_raw), (FileName.FILE_ALLOCATED_SIZE, self.file_allocated_size, self.file_allocated_size_raw), (FileName.FILE_REAL_SIZE, self.file_real_size, self.file_real_size_raw), (FileName.FLAGS, self.flags, self.flags_raw), (FileName.REPARSE_VALUE, self.reparse_value, self.reparse_value_raw), (FileName.NAME_LENGTH, self.name_length, self.name_length_raw), (FileName.NAMESPACE, self.namespace, self.namespace_raw), (FileName.NAME, self.name, self.name_raw)) def extra_pairs(self): return (('parent directory file reference sequence number', self.parent_directory_file_reference_sequence_number), ('parent_directory_file_reference_mft entry', self.parent_directory_file_reference_mft_entry), ('file creation time datetime', self.file_creation_time_datetime), ('file modified time datetime', self.file_modification_time_datetime), ('mft modified time datetime', self.mft_modification_time_datetime), ('file access time datetime', self.file_access_time_datetime)) @staticmethod def format_csv_column_headers(): return [ 'FN file creation time', 'FN file modification time', 'FN mft modification time', 'FN file access time', 'FN file allocated size', 'FN file real size', 'FN flags', 'FN reparse value', 'FN name length', 'FN namespace', 'FN name', 'FN pdfme', 'FN pdfsn' ] def format_csv(self): return [ self.file_creation_time_datetime, self.file_modification_time_datetime, self.mft_modification_time_datetime, self.file_access_time_datetime, self.file_allocated_size, self.file_real_size, self.flags_string, self.reparse_value, self.name_length, self.namespace, self.name, self.parent_directory_file_reference_mft_entry, self.parent_directory_file_reference_sequence_number ]
class StandardInformation(Attribute): CREATION_TIME = ('creation time', 0, 7) FILE_ALTERED_TIME = ('file altered time', 8,15) MFT_ALTERED_TIME = ('mft altered time', 16, 23) FILE_ACCESSED_TIME = ('file accessed time', 24, 31) FLAGS = ('flags', 32, 35) MAXIMUM_NUMBER_OF_VERSIONS = ('maximum version of numbers', 36, 39) VERSION_NUMBER = ('version number', 40, 43) CLASS_ID = ('class id', 44, 47) OWNER_ID = ('owner id', 48, 51) SECURITY_ID = ('security id', 52, 55) QUOTA_CHARGED = ('quota charged', 56, 63) USN = ('USN', 64, 71) def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) self.content_data = self.data[ self.header.content_offset: self.header.content_offset + self.header.content_size] self.flags_set = FileAttributesFlag(self.flags) #################################################################################################################### # Raw values @property def creation_time_raw(self): return self.content_data[0:8] @property def file_altered_time_raw(self): return self.content_data[8:16] @property def mft_altered_time_raw(self): return self.content_data[16:24] @property def file_accessed_time_raw(self): return self.content_data[24:32] @property def flags_raw(self): return self.content_data[32:36] @property def maximum_number_of_versions_raw(self): return self.content_data[36:40] @property def version_number_raw(self): return self.content_data[40:44] @property def class_id_raw(self): return self.content_data[44:48] @property def owner_id_raw(self): return self.content_data[48:52] @property def security_id_raw(self): return self.content_data[52:56] @property def quota_charged_raw(self): return self.content_data[56:64] @property def usn_raw(self): return self.content_data[64:72] #################################################################################################################### # Interpreted values @property def creation_time(self): return reverse_hexlify_int(self.creation_time_raw) @property def file_altered_time(self): return reverse_hexlify_int(self.file_altered_time_raw) @property def mft_altered_time(self): return reverse_hexlify_int(self.mft_altered_time_raw) @property def file_accessed_time(self): return reverse_hexlify_int(self.file_accessed_time_raw) @property def flags(self): return reverse_hexlify_int(self.flags_raw) @property def maximum_number_of_versions(self): return reverse_hexlify_int(self.maximum_number_of_versions_raw) @property def version_number(self): return reverse_hexlify_int(self.version_number_raw) @property def class_id(self): return reverse_hexlify_int(self.class_id_raw) @property def owner_id(self): return reverse_hexlify_int(self.owner_id_raw) @property def security_id(self): return reverse_hexlify_int(self.security_id_raw) @property def quota_charged(self): return reverse_hexlify_int(self.quota_charged_raw) @property def usn(self): return reverse_hexlify_int(self.usn_raw) #################################################################################################################### # Derived values @property def creation_time_datetime(self): if not hasattr(self, '_creation_time_datetime'): self._creation_time_datetime = filetime_to_datetime(self.creation_time_raw) return self._creation_time_datetime @property def file_altered_time_datetime(self): if not hasattr(self, '_file_altered_time_datetime'): self._file_altered_time_datetime = filetime_to_datetime(self.file_altered_time_raw) return self._file_altered_time_datetime @property def mft_altered_time_datetime(self): if not hasattr(self, '_mft_altered_time_datetime'): self._mft_altered_time_datetime = filetime_to_datetime(self.mft_altered_time_raw) return self._mft_altered_time_datetime @property def file_accessed_time_datetime(self): if not hasattr(self, '_file_accessed_time_datetime'): self._file_accessed_time_datetime = filetime_to_datetime(self.file_accessed_time_raw) return self._file_accessed_time_datetime @property def flags_string(self): return '|'.join(self.flags_set.reason_list()) #################################################################################################################### # Printing def all_fields_described(self): base_tuple = ( (StandardInformation.CREATION_TIME, self.creation_time, self.creation_time_raw), (StandardInformation.FILE_ALTERED_TIME, self.file_altered_time, self.file_altered_time_raw), (StandardInformation.MFT_ALTERED_TIME, self.mft_altered_time, self.mft_altered_time_raw), (StandardInformation.FILE_ACCESSED_TIME,self.file_accessed_time, self.file_accessed_time_raw), (StandardInformation.FLAGS, self.flags, self.flags_raw), (StandardInformation.MAXIMUM_NUMBER_OF_VERSIONS, self.maximum_number_of_versions, self.maximum_number_of_versions_raw), (StandardInformation.VERSION_NUMBER, self.version_number, self.version_number_raw), (StandardInformation.CLASS_ID, self.class_id, self.class_id_raw) ) if len(self.content_data) == 48: return base_tuple elif len(self.content_data) == 72: return base_tuple + ( (StandardInformation.OWNER_ID, self.owner_id, self.owner_id_raw), (StandardInformation.SECURITY_ID, self.security_id, self.security_id_raw), (StandardInformation.QUOTA_CHARGED, self.quota_charged, self.quota_charged_raw), (StandardInformation.USN, self.usn, self.usn_raw) ) else: raise Exception('StandardInformation is of length ' + str(len(self.content_data)) + ', case unaccounted for') def extra_pairs(self): return ( ('creation time datetime', self.creation_time_datetime), ('file altered time datetime', self.file_altered_time_datetime), ('mft altered time datetime', self.mft_altered_time_datetime), ('file accessed time datetime', self.file_accessed_time_datetime) ) @staticmethod def format_csv_column_headers(): return [ 'SI creation time', 'SI file altered time', 'SI mft altered time', 'SI file accessed time', 'SI flags', 'SI maximum number of versions', 'SI version number', 'SI class id', 'SI owner id', 'SI security id', 'SI quota charged', 'SI usn' ] def format_csv(self): return [ self.creation_time_datetime, self.file_altered_time_datetime, self.mft_altered_time_datetime, self.file_accessed_time_datetime, self.flags_string, self.maximum_number_of_versions, self.version_number, self.class_id, self.owner_id, self.security_id, self.quota_charged, self.usn ]
def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) self.content_data = self.data[ self.header.content_offset: self.header.content_offset + self.header.content_size] self.flags_set = FileAttributesFlag(self.flags)
class FileName(Attribute): PARENT_DIRECTORY_FILE = ('parent directory file', 0, 7) FILE_CREATION_TIME = ('file creation time', 8, 15) FILE_MODIFICATION_TIME = ('file modification time', 16, 23) MFT_MODIFICATION_TIME = ('mft modification time', 24, 31) FILE_ACCESS_TIME = ('file access time', 32, 39) FILE_ALLOCATED_SIZE = ('file allocated size', 40, 47) FILE_REAL_SIZE = ('file real size', 48, 55) FLAGS = ('flags', 56, 59) REPARSE_VALUE = ('reparse value', 60, 63) NAME_LENGTH = ('name length', 64, 64) NAMESPACE = ('namespace', 65, 65) NAME = ('name', 66, '+') def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) self.content_data = self.data[ self.header.content_offset: self.header.content_offset + self.header.content_size] self.flags_set = FileAttributesFlag(self.flags) #################################################################################################################### # Raw values @property def parent_directory_file_reference_raw(self): return self.content_data[0:8] @property def file_creation_time_raw(self): return self.content_data[8:16] @property def file_modification_time_raw(self): return self.content_data[16:24] @property def mft_modification_time_raw(self): return self.content_data[24:32] @property def file_access_time_raw(self): return self.content_data[32:40] @property def file_allocated_size_raw(self): return self.content_data[40:48] @property def file_real_size_raw(self): return self.content_data[48:56] @property def flags_raw(self): return self.content_data[56:60] @property def reparse_value_raw(self): return self.content_data[60:64] @property def name_length_raw(self): return self.content_data[64:65] @property def namespace_raw(self): return self.content_data[65:66] @property def name_raw(self): return self.content_data[66:66+self.name_length*2] #################################################################################################################### # Interpreted values @property def parent_directory_file_reference(self): return hexlify(self.parent_directory_file_reference_raw).decode() @property def file_creation_time(self): return reverse_hexlify_int(self.file_creation_time_raw) @property def file_modification_time(self): return reverse_hexlify_int(self.file_modification_time_raw) @property def mft_modification_time(self): return reverse_hexlify_int(self.mft_modification_time_raw) @property def file_access_time(self): return reverse_hexlify_int(self.file_access_time_raw) @property def file_allocated_size(self): return reverse_hexlify_int(self.file_allocated_size_raw) @property def file_real_size(self): return reverse_hexlify_int(self.file_allocated_size_raw) @property def flags(self): return reverse_hexlify_int(self.flags_raw) @property def reparse_value(self): return reverse_hexlify_int(self.reparse_value_raw) @property def name_length(self): return reverse_hexlify_int(self.name_length_raw) @property def namespace(self): return reverse_hexlify_int(self.namespace_raw) @property def name(self): return self.name_raw.decode('utf-16') #################################################################################################################### # Derived values @property def parent_directory_file_reference_sequence_number(self): return reverse_hexlify_int(self.parent_directory_file_reference_raw[6:8]) @property def parent_directory_file_reference_mft_entry(self): return reverse_hexlify_int(self.parent_directory_file_reference_raw[0:6]) @property def file_creation_time_datetime(self): try: if not hasattr(self, '_file_creation_time_datetime'): self._file_creation_time_datetime = filetime_to_datetime(self.file_creation_time_raw) return self._file_creation_time_datetime except ValueError: return None @property def file_modification_time_datetime(self): try: if not hasattr(self, '_file_modification_time_datetime'): self._file_modification_time_datetime = filetime_to_datetime(self.file_modification_time_raw) return self._file_modification_time_datetime except ValueError: return None @property def mft_modification_time_datetime(self): try: if not hasattr(self, '_mft_modification_time_datetime'): self._mft_modification_time_datetime = filetime_to_datetime(self.mft_modification_time_raw) return self._mft_modification_time_datetime except ValueError: return None @property def file_access_time_datetime(self): try: if not hasattr(self, '_file_access_time_datetime'): self._file_access_time_datetime = filetime_to_datetime(self.file_access_time_raw) return self._file_access_time_datetime except ValueError: return None @property def flags_string(self): return '|'.join(self.flags_set.reason_list()) #################################################################################################################### # Printing def all_fields_described(self): return ( (FileName.PARENT_DIRECTORY_FILE, self.parent_directory_file_reference, self.parent_directory_file_reference_raw), (FileName.FILE_CREATION_TIME, self.file_creation_time, self.file_creation_time_raw), (FileName.FILE_MODIFICATION_TIME, self.file_modification_time, self.file_modification_time_raw), (FileName.MFT_MODIFICATION_TIME, self.mft_modification_time, self.file_modification_time_raw), (FileName.FILE_ACCESS_TIME, self.file_access_time, self.file_access_time_raw), (FileName.FILE_ALLOCATED_SIZE, self.file_allocated_size, self.file_allocated_size_raw), (FileName.FILE_REAL_SIZE, self.file_real_size, self.file_real_size_raw), (FileName.FLAGS, self.flags, self.flags_raw), (FileName.REPARSE_VALUE, self.reparse_value, self.reparse_value_raw), (FileName.NAME_LENGTH, self.name_length, self.name_length_raw), (FileName.NAMESPACE, self.namespace, self.namespace_raw), (FileName.NAME, self.name, self.name_raw) ) def extra_pairs(self): return ( ('parent directory file reference sequence number', self.parent_directory_file_reference_sequence_number), ('parent_directory_file_reference_mft entry', self.parent_directory_file_reference_mft_entry), ('file creation time datetime', self.file_creation_time_datetime), ('file modified time datetime', self.file_modification_time_datetime), ('mft modified time datetime', self.mft_modification_time_datetime), ('file access time datetime', self.file_access_time_datetime) ) @staticmethod def format_csv_column_headers(): return [ 'FN file creation time', 'FN file modification time', 'FN mft modification time', 'FN file access time', 'FN file allocated size', 'FN file real size', 'FN flags', 'FN reparse value', 'FN name length', 'FN namespace', 'FN name', 'FN pdfme', 'FN pdfsn' ] def format_csv(self): return [ self.file_creation_time_datetime, self.file_modification_time_datetime, self.mft_modification_time_datetime, self.file_access_time_datetime, self.file_allocated_size, self.file_real_size, self.flags_string, self.reparse_value, self.name_length, self.namespace, self.name, self.parent_directory_file_reference_mft_entry, self.parent_directory_file_reference_sequence_number ]