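def process_mft_file(self):
    """Walk the raw $MFT in 1024-byte steps and emit every record plus its ADS entries.

    Requires build_filepaths() to have populated self.mft so each record's
    full path can be looked up by record number; self.num_records is reset
    here and doubles as that index. Rows go through do_output(). When an
    output target is set, a header (from mft_to_csv(None, True)) is either
    written as the first CSV row or kept in self.header for the JSON writer.
    """
    self.sizecheck()
    self.build_filepaths()

    # Start the pass from the beginning of the file.
    self.num_records = 0
    self.file_mft.seek(0)
    raw_record = self.file_mft.read(1024)

    if self.output is not None:
        header = mft.mft_to_csv(None, True)
        if self.json:
            self.header = header
        else:
            self.file_csv.writerow(header)

    # Truthiness rather than != "" so the loop also terminates on b"" when
    # the file is opened in binary mode under Python 3 (b"" != "" is always
    # True there, which would spin forever at EOF).
    # NOTE(review): a trailing short read (< 1024 bytes) is still handed to
    # parse_record; confirm it tolerates a truncated final record.
    while raw_record:
        record = mft.parse_record(raw_record, False)
        record['filename'] = self.mft[self.num_records]['filename']
        self.do_output(record)
        self.num_records += 1
        # Every alternate data stream becomes its own row named
        # "<path>:<stream>", so streams are not hidden behind the main name.
        if record['ads'] > 0:
            for i in range(record['ads']):
                record_ads = record.copy()
                record_ads['filename'] = record['filename'] + ':' + record['data_name', i]
                self.do_output(record_ads)
        raw_record = self.file_mft.read(1024)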
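def process_mft_file(self):
    """Walk the raw $MFT in 1024-byte steps and emit every record plus its ADS entries.

    Requires build_filepaths() to have populated self.mft so each record's
    full path can be looked up by record number; self.num_records is reset
    here and doubles as that index. Rows go through do_output(). When an
    output target is set, a header (from mft_to_csv(None, True)) is either
    written as the first CSV row or kept in self.header for the JSON writer,
    which is closed via close_json_writer() once the file is exhausted.
    """
    self.sizecheck()
    self.build_filepaths()

    # Start the pass from the beginning of the file.
    self.num_records = 0
    self.file_mft.seek(0)
    raw_record = self.file_mft.read(1024)

    if self.output is not None:
        header = mft.mft_to_csv(None, True)
        if self.json:
            self.header = header
        else:
            self.file_csv.writerow(header)

    # Truthiness rather than != "" so the loop also terminates on b"" when
    # the file is opened in binary mode under Python 3 (b"" != "" is always
    # True there, which would spin forever at EOF).
    # NOTE(review): a trailing short read (< 1024 bytes) is still handed to
    # parse_record; confirm it tolerates a truncated final record.
    while raw_record:
        record = mft.parse_record(raw_record, False)
        record['filename'] = self.mft[self.num_records]['filename']
        self.do_output(record)
        self.num_records += 1
        # Every alternate data stream becomes its own row named
        # "<path>:<stream>", so streams are not hidden behind the main name.
        if record['ads'] > 0:
            for i in range(record['ads']):
                record_ads = record.copy()
                record_ads['filename'] = record['filename'] + ':' + record['data_name', i]
                self.do_output(record_ads)
        raw_record = self.file_mft.read(1024)

    if self.json:
        close_json_writer(self.json_writer)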
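def do_output(self, record):
    """Emit one parsed record to the configured sink and log coarse progress.

    CSV and JSON are mutually exclusive: ``self.json`` selects the JSON
    writer (using the header captured in process_mft_file), otherwise the
    row goes to the CSV writer. Nothing is written when ``self.output``
    is None.
    """
    if self.output is not None:
        row = mft.mft_to_csv(record, False)
        if self.json:
            write_to_json(self.header, row, self.json_writer)
        else:
            self.file_csv.writerow(row)
    # Log at every ~20%. max(1, ...) keeps the modulus non-zero for MFTs
    # with fewer than 5 records, which otherwise raises ZeroDivisionError.
    step = max(1, self.mftsize // 5)
    if self.num_records > 0 and self.num_records % step == 0:
        self.logger.info('Building MFT: {0:.0f}%'.format(100.0 * self.num_records / self.mftsize))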
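def do_output(self, record):
    """Fan one parsed record out to every enabled sink.

    Each sink is gated by its own option: in-memory table (self.fullmft,
    keyed by record number), CSV row, newline-delimited JSON, l2t timeline
    line and bodyfile line. Progress is printed at every ~20% when
    options.progress is set.
    """
    opts = self.options
    if opts.inmemory:
        self.fullmft[self.num_records] = record
    if opts.output is not None:
        self.file_csv.writerow(mft.mft_to_csv(record, False, opts))
    if opts.json is not None:
        # Append mode, one JSON object per line. The file is reopened for
        # every record, which is simple but costly on a large MFT.
        with open(opts.json, 'a') as outfile:
            json.dump(mft.mft_to_json(record), outfile)
            outfile.write('\n')
    if opts.csvtimefile is not None:
        self.file_csv_time.write(mft.mft_to_l2t(record))
    if opts.bodyfile is not None:
        self.file_body.write(mft.mft_to_body(record, opts.bodyfull, opts.bodystd))
    if opts.progress:
        # max(1, ...) keeps the modulus non-zero for MFTs with fewer than
        # 5 records, which otherwise raises ZeroDivisionError.
        step = max(1, self.mftsize // 5)
        if self.num_records > 0 and self.num_records % step == 0:
            print('Building MFT: {0:.0f}%'.format(100.0 * self.num_records / self.mftsize))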
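def process_mft_file(self):
    """Walk the raw $MFT in 1024-byte steps and emit every record plus its ADS entries.

    Requires build_filepaths() to have populated self.mft so each record's
    full path can be looked up by record number; self.num_records is reset
    here and doubles as that index. Rows go through do_output(); a CSV
    header row is written first when options.output is set, and each
    parsed record is echoed to stdout when options.debug is set.
    """
    self.sizecheck()
    self.build_filepaths()
    opts = self.options

    # Start the pass from the beginning of the file.
    self.num_records = 0
    self.file_mft.seek(0)
    raw_record = self.file_mft.read(1024)

    if opts.output is not None:
        self.file_csv.writerow(mft.mft_to_csv(None, True, opts))

    # Truthiness rather than != "" so the loop also terminates on b"" when
    # the file is opened in binary mode under Python 3 (b"" != "" is always
    # True there, which would spin forever at EOF).
    # NOTE(review): a trailing short read (< 1024 bytes) is still handed to
    # parse_record; confirm it tolerates a truncated final record.
    while raw_record:
        record = mft.parse_record(raw_record, opts)
        if opts.debug:
            print(record)
        record['filename'] = self.mft[self.num_records]['filename']
        self.do_output(record)
        self.num_records += 1
        # Every alternate data stream becomes its own row named
        # "<path>:<stream>", so streams are not hidden behind the main name.
        if record['ads'] > 0:
            for i in range(record['ads']):
                record_ads = record.copy()
                record_ads['filename'] = record['filename'] + ':' + record['data_name', i]
                self.do_output(record_ads)
        raw_record = self.file_mft.read(1024)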
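def do_output(self, record):
    """Fan one parsed record out to every enabled sink.

    Each sink is gated by its own option: in-memory table (self.fullmft,
    keyed by record number), CSV row (string cells transcoded UTF-8 ->
    CP949), newline-delimited JSON, l2t timeline line and bodyfile line.
    Progress is printed at every ~20% when options.progress is set.
    """
    opts = self.options
    if opts.inmemory:
        self.fullmft[self.num_records] = record
    if opts.output is not None:
        # Only str cells are transcoded; other cell types pass through.
        # NOTE(review): encode('cp949') without errors= raises
        # UnicodeEncodeError on a name CP949 cannot represent, which aborts
        # the whole run on a single odd filename; decide whether
        # errors='replace' is acceptable for this consumer.
        mft_rows = [
            cell.decode('utf8').encode('cp949') if isinstance(cell, str) else cell
            for cell in mft.mft_to_csv(record, False, opts)
        ]
        self.file_csv.writerow(mft_rows)
    if opts.json is not None:
        # Append mode, one JSON object per line. The file is reopened for
        # every record, which is simple but costly on a large MFT.
        with open(opts.json, 'a') as outfile:
            json.dump(mft.mft_to_json(record), outfile)
            outfile.write('\n')
    if opts.csvtimefile is not None:
        self.file_csv_time.write(mft.mft_to_l2t(record))
    if opts.bodyfile is not None:
        self.file_body.write(mft.mft_to_body(record, opts.bodyfull, opts.bodystd))
    if opts.progress:
        # max(1, ...) keeps the modulus non-zero for MFTs with fewer than
        # 5 records, which otherwise raises ZeroDivisionError.
        step = max(1, self.mftsize // 5)
        if self.num_records > 0 and self.num_records % step == 0:
            print('Building MFT: {0:.0f}%'.format(100.0 * self.num_records / self.mftsize))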
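def process_mft_file(self):
    """Walk the raw $MFT in 1024-byte steps and emit every record plus its ADS entries.

    Requires build_filepaths() to have populated self.mft so each record's
    full path can be looked up by record number; self.num_records is reset
    here and doubles as that index. Rows go through do_output(); a CSV
    header row is written first when options.output is set, and each
    parsed record is echoed to stdout when options.debug is set.
    """
    self.sizecheck()
    self.build_filepaths()
    opts = self.options

    # Start the pass from the beginning of the file.
    self.num_records = 0
    self.file_mft.seek(0)
    raw_record = self.file_mft.read(1024)

    if opts.output is not None:
        self.file_csv.writerow(mft.mft_to_csv(None, True, opts))

    # Truthiness rather than != "" so the loop also terminates on b"" when
    # the file is opened in binary mode under Python 3 (b"" != "" is always
    # True there, which would spin forever at EOF).
    # NOTE(review): a trailing short read (< 1024 bytes) is still handed to
    # parse_record; confirm it tolerates a truncated final record.
    while raw_record:
        record = mft.parse_record(raw_record, opts)
        if opts.debug:
            print(record)
        record['filename'] = self.mft[self.num_records]['filename']
        self.do_output(record)
        self.num_records += 1
        # Every alternate data stream becomes its own row named
        # "<path>:<stream>", so streams are not hidden behind the main name.
        if record['ads'] > 0:
            for i in range(record['ads']):
                record_ads = record.copy()
                record_ads['filename'] = record['filename'] + ':' + record['data_name', i]
                self.do_output(record_ads)
        raw_record = self.file_mft.read(1024)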
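def do_output(self, record):
    """Fan one parsed record out to every enabled sink.

    Each sink is gated by its own option: in-memory table (self.fullmft,
    keyed by record number), CSV row, newline-delimited JSON, l2t timeline
    line and bodyfile line. Progress is printed at every ~20% when
    options.progress is set.
    """
    opts = self.options
    if opts.inmemory:
        self.fullmft[self.num_records] = record
    if opts.output is not None:
        self.file_csv.writerow(mft.mft_to_csv(record, False, opts))
    if opts.json is not None:
        # Append mode, one JSON object per line. The file is reopened for
        # every record, which is simple but costly on a large MFT.
        with open(opts.json, 'a') as outfile:
            json.dump(mft.mft_to_json(record), outfile)
            outfile.write('\n')
    if opts.csvtimefile is not None:
        self.file_csv_time.write(mft.mft_to_l2t(record))
    if opts.bodyfile is not None:
        self.file_body.write(mft.mft_to_body(record, opts.bodyfull, opts.bodystd))
    if opts.progress:
        # max(1, ...) keeps the modulus non-zero for MFTs with fewer than
        # 5 records, which otherwise raises ZeroDivisionError.
        step = max(1, self.mftsize // 5)
        if self.num_records > 0 and self.num_records % step == 0:
            print('Building MFT: {0:.0f}%'.format(100.0 * self.num_records / self.mftsize))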
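def do_output(self, record):
    """Write one record as a CSV row when an output target is set, and log coarse progress."""
    if self.output is not None:
        self.file_csv.writerow(mft.mft_to_csv(record, False))
    # Log at every ~20%. max(1, ...) keeps the modulus non-zero for MFTs
    # with fewer than 5 records, which otherwise raises ZeroDivisionError.
    step = max(1, self.mftsize // 5)
    if self.num_records > 0 and self.num_records % step == 0:
        self.logger.info('Building MFT: {0:.0f}%'.format(100.0 * self.num_records / self.mftsize))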
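def process_mft_file(self):
    """Walk the raw $MFT in 1024-byte steps and write each record to every enabled sink.

    The sinks (in-memory table, CSV, l2t timeline, bodyfile) are driven
    inline here rather than via a do_output() helper. Requires
    build_filepaths() to have populated self.mft so the full path can be
    looked up by record number; self.num_records is reset here and doubles
    as that index. Each parsed record is echoed to stdout when
    options.debug is set.
    """
    self.sizecheck()
    self.build_filepaths()
    opts = self.options

    # Start the pass from the beginning of the file.
    self.num_records = 0
    self.file_mft.seek(0)
    raw_record = self.file_mft.read(1024)

    if opts.output is not None:
        self.file_csv.writerow(mft.mft_to_csv(None, True))

    # Truthiness rather than != "" so the loop also terminates on b"" when
    # the file is opened in binary mode under Python 3 (b"" != "" is always
    # True there, which would spin forever at EOF).
    # NOTE(review): a trailing short read (< 1024 bytes) is still handed to
    # parse_record; confirm it tolerates a truncated final record.
    while raw_record:
        record = mft.parse_record(raw_record, opts)
        if opts.debug:
            print(record)
        record['filename'] = self.mft[self.num_records]['filename']
        if opts.inmemory:
            self.fullmft[self.num_records] = record
        if opts.output is not None:
            self.file_csv.writerow(mft.mft_to_csv(record, False))
        if opts.csvtimefile is not None:
            self.file_csv_time.write(mft.mft_to_l2t(record))
        if opts.bodyfile is not None:
            self.file_body.write(mft.mft_to_body(record, opts.bodyfull, opts.bodystd))
        if opts.progress:
            # max(1, ...) keeps the modulus non-zero for MFTs with fewer
            # than 5 records, which otherwise raises ZeroDivisionError.
            step = max(1, self.mftsize // 5)
            if self.num_records > 0 and self.num_records % step == 0:
                print('Building MFT: {0:.0f}%'.format(100.0 * self.num_records / self.mftsize))
        self.num_records += 1
        raw_record = self.file_mft.read(1024)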
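def do_output(self, record):
    """Fan one parsed record out to every enabled sink.

    Each sink is gated by its own option: in-memory table (self.fullmft,
    keyed by record number), CSV row, l2t timeline line and bodyfile line.
    Progress is printed at every ~20% when options.progress is set.
    """
    opts = self.options
    if opts.inmemory:
        self.fullmft[self.num_records] = record
    if opts.output is not None:
        self.file_csv.writerow(mft.mft_to_csv(record, False, opts))
    if opts.csvtimefile is not None:
        self.file_csv_time.write(mft.mft_to_l2t(record))
    if opts.bodyfile is not None:
        self.file_body.write(mft.mft_to_body(record, opts.bodyfull, opts.bodystd))
    if opts.progress:
        # max(1, ...) keeps the modulus non-zero for MFTs with fewer than
        # 5 records, which otherwise raises ZeroDivisionError.
        step = max(1, self.mftsize // 5)
        if self.num_records > 0 and self.num_records % step == 0:
            print('Building MFT: {0:.0f}%'.format(100.0 * self.num_records / self.mftsize))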
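@staticmethod
def _record_to_app(recordx):
    """Reshape one mft_to_csv() column list into a flat, str-valued dict.

    Columns marked ``iso`` below have their ' ' date/time separator
    rewritten as 'T'. ``@timestamp`` is derived from the
    $STANDARD_INFORMATION creation date (column 8) and falls back to a
    fixed 1700-01-01T00:00:00 sentinel when that cell does not parse.
    Every value is passed through str() before returning.
    """
    # NOTE(review): the four $FILE_NAME attribute groups all assign
    # FNInfoCreationdate, FNInfoAccessdate and FNInfoEntrydate (groups 2-4
    # also share FNInfoModifydate), so only the last assignment (columns
    # 30-33) survives in the result; a timestomping check that compares SI
    # against every FN timestamp will not see groups 1-3 here. Kept as-is
    # because renaming keys would change the output schema.
    # (key, column, iso) in the original assignment order so both key
    # insertion order and the later overwrites are preserved.
    leading = (
        ('RecordNumber', 0, False),
        ('Good', 1, False),
        ('Active', 2, False),
        ('Recordtype', 3, False),
        ('SequenceNumber', 4, False),
        # column 5 (ParentFileRec) was deliberately left out upstream
        ('ParentFileRec_Seq_', 6, False),
        ('Filename_1', 7, False),
    )
    trailing = (
        ('StdInfoModificationdate', 9, True),
        ('StdInfoAccessdate', 10, True),
        ('StdInfoEntrydate', 11, True),
        ('FNInfoCreationdate', 12, False),
        ('FNInfoModificationdate', 13, True),
        ('FNInfoAccessdate', 14, False),
        ('FNInfoEntrydate', 15, False),
        ('BirthVolumeID', 16, False),
        ('BirthObjectID', 17, False),
        ('BirthDomainID', 18, False),
        ('Filename_2', 19, False),
        ('FNInfoCreationdate', 20, True),
        ('FNInfoModifydate', 21, True),
        ('FNInfoAccessdate', 22, True),
        ('FNInfoEntrydate', 23, True),
        ('Filename_3', 24, False),
        ('FNInfoCreationdate', 25, True),
        ('FNInfoModifydate', 26, True),
        ('FNInfoAccessdate', 27, True),
        ('FNInfoEntrydate', 28, True),
        ('Filename_4', 29, False),
        ('FNInfoCreationdate', 30, True),
        ('FNInfoModifydate', 31, True),
        ('FNInfoAccessdate', 32, True),
        ('FNInfoEntrydate', 33, True),
        ('StandardInformation', 34, False),
        ('AttributeList', 35, False),
        ('Filename', 36, False),
        ('ObjectID', 37, False),
        ('VolumeName', 38, False),
        ('VolumeInfo', 39, False),
        ('Data', 40, False),
        ('IndexRoot', 41, False),
        ('IndexAllocation', 42, False),
        ('Bitmap', 43, False),
        ('ReparsePoint', 44, False),
        ('EAInformation', 45, False),
        ('EA', 46, False),
        ('PropertySet', 47, False),
        ('LoggedUtilityStream', 48, False),
        ('Log/Notes', 49, False),
        ('STFFNShift', 50, False),
        ('uSecZero', 51, False),
        ('ADS', 52, False),
        ('PossibleCopy', 53, False),
        ('PossibleVolumeMove', 54, False),
    )

    app = {}
    for key, col, iso in leading:
        app[key] = recordx[col].replace(' ', 'T') if iso else recordx[col]

    # '@timestamp' is placed directly after the SI creation date, as before.
    app['StdInfoCreationdate'] = recordx[8].replace(' ', 'T')
    # NOTE(review): `parser` is not defined in this block; presumed to be
    # dateutil.parser (raises ValueError/OverflowError on bad input).
    # Narrowed from a bare except so KeyboardInterrupt still propagates.
    try:
        timestamp = parser.parse(recordx[8]).isoformat()
    except Exception:
        # Unparseable SI creation date: pin a far-past sentinel so the
        # record still carries a timestamp rather than being dropped.
        timestamp = '1700-01-01T00:00:00'
    app['@timestamp'] = timestamp

    for key, col, iso in trailing:
        app[key] = recordx[col].replace(' ', 'T') if iso else recordx[col]

    return {k: str(v) for k, v in app.items()}


def do_output(self, record):
    """Fan one parsed record out to every enabled sink.

    With options.output set, the record is converted to its CSV column
    list and, unless mft_to_csv() flagged it as 'Corrupt' or column 8 is
    'NoSIRecord', reshaped into a flat str-valued dict which is returned
    to the caller (the direct CSV writerow is commented out upstream).
    Otherwise the record is written to whichever of the newline-delimited
    JSON, l2t timeline and bodyfile sinks are enabled, and progress is
    printed at every ~20% when options.progress is set.
    """
    opts = self.options
    if opts.inmemory:
        self.fullmft[self.num_records] = record
    if opts.output is not None:
        recordx = mft.mft_to_csv(record, False, opts)
        # NOTE(review): this early return skips the JSON, l2t, bodyfile and
        # progress sinks whenever --output is set; confirm that is intended.
        if 'Corrupt' not in recordx and recordx[8] != 'NoSIRecord':
            return self._record_to_app(recordx)
    if opts.json is not None:
        # Append mode, one JSON object per line. The file is reopened for
        # every record, which is simple but costly on a large MFT.
        with open(opts.json, 'a') as outfile:
            json.dump(mft.mft_to_json(record), outfile)
            outfile.write('\n')
    if opts.csvtimefile is not None:
        self.file_csv_time.write(mft.mft_to_l2t(record))
    if opts.bodyfile is not None:
        self.file_body.write(mft.mft_to_body(record, opts.bodyfull, opts.bodystd))
    if opts.progress:
        # max(1, ...) keeps the modulus non-zero for MFTs with fewer than
        # 5 records, which otherwise raises ZeroDivisionError.
        step = max(1, self.mftsize // 5)
        if self.num_records > 0 and self.num_records % step == 0:
            print('Building MFT: {0:.0f}%'.format(100.0 * self.num_records / self.mftsize))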