file_reference_mft_entry # carve out the logfile (inum 2) and store in local temporary file mft.extract_data(inum=2, output_file=logfile_file.name, stream=0) # carve out the $UsnJrnl (inum searched for above) and store in local temporary file mft.extract_data(inum=usn_jrnl_inum, output_file=usnjrnl_file.name, stream=0) # pass the temporary logfile-file into the $LogFile class and parse it log_file = LogFile(dump_dir=args.dump_dir, file_name=logfile_file.name) log_file.parse_all() log_file.connect_transactions() # pass the temporary usnjrnl-file into the $UsnJrnl class and parse it usn_jrnl = UsnJrnl(usnjrnl_file.name) usn_jrnl.parse() # close the temporary files as all the needed data is in the local variables usn_jrnl and log_file usnjrnl_file.close() logfile_file.close() # $UsnJrnl records ordered by MFT entry usnjrnl_grouped = usn_jrnl.grouped_by_entry # If no inum has been given as input go through all the available data, # else use the given inum to search for the inum related information # Both ways, we build our structure in meantime data_list = [] if not args.inum: # For each entry in our $UsnJrnl items (grouped by MFT entry)
attributes[AttributeTypeEnum.INDEX_ROOT][0].\ entries[AttributeTypeEnum.FILE_NAME]['$UsnJrnl'].\ file_reference_mft_entry # carve out the logfile (inum 2) and store in local temporary file mft.extract_data(inum=2, output_file=logfile_file.name, stream=0) # carve out the $UsnJrnl (inum searched for above) and store in local temporary file mft.extract_data(inum=usn_jrnl_inum, output_file=usnjrnl_file.name, stream=0) # pass the temporary logfile-file into the $LogFile class and parse it log_file = LogFile(dump_dir=args.dump_dir, file_name=logfile_file.name) log_file.parse_all() log_file.connect_transactions() # pass the temporary usnjrnl-file into the $UsnJrnl class and parse it usn_jrnl = UsnJrnl(usnjrnl_file.name) usn_jrnl.parse() # close the temporary files as all the needed data is in the local variables usn_jrnl and log_file usnjrnl_file.close() logfile_file.close() # $UsnJrnl records ordered by MFT entry usnjrnl_grouped = usn_jrnl.grouped_by_entry # If no inum has been given as input go through all the available data, # else use the given inum to search for the inum related information # Both ways, we build our structure in meantime data_list = [] if not args.inum: # For each entry in our $UsnJrnl items (grouped by MFT entry)
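"""Parse an NTFS $UsnJrnl dump and export its records as CSV.

Command line:
    -f  file containing the $UsnJrnl (required)
    -e  output CSV file
    -n  number of records to parse; all records when left out
"""
from argparse import ArgumentParser
from time import process_time
import sys

from ntfs_parse import UsnJrnl


def parse_args(argument_string):
    """Parse the command line of the $UsnJrnl export tool.

    Args:
        argument_string: The argument vector as a list of strings
            (typically ``sys.argv[1:]``), despite the parameter's name.

    Returns:
        An ``argparse.Namespace`` with ``file`` (path of the $UsnJrnl dump),
        ``output`` (CSV destination, ``None`` when ``-e`` is not given) and
        ``number`` (record count, ``None`` when every record should be parsed).

    Raises:
        SystemExit: raised by argparse when ``-f`` is missing or ``-n`` is
            not an integer.
    """
    parser = ArgumentParser()
    # The journal dump is the one input the tool cannot work without; make
    # argparse reject its absence with a usage message instead of letting
    # UsnJrnl(None) fail later with an opaque error.
    parser.add_argument('-f', help='File containing the UsnJrnl', dest='file', required=True)
    # -e is left optional: how export_csv handles a missing output path is
    # decided in ntfs_parse, not here.
    parser.add_argument('-e', help='Output file', dest='output')
    parser.add_argument('-n', help='Number of records to parse. If left out, all will be parsed.', dest='number', type=int)
    return parser.parse_args(argument_string)


def main(argv=None):
    """Parse the journal named on the command line and export it as CSV.

    Args:
        argv: Argument vector to parse; defaults to ``sys.argv[1:]``.
    """
    args = parse_args(sys.argv[1:] if argv is None else argv)
    usn_jrnl = UsnJrnl(args.file)
    # number=None means "parse everything" (see the -n help text).
    usn_jrnl.parse(number=args.number)
    usn_jrnl.export_csv(args.output)


if __name__ == '__main__':
    main()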
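#!/usr/bin/python3
"""Parse an NTFS $UsnJrnl dump and export its records as CSV.

Command line:
    -f  file containing the $UsnJrnl (required)
    -e  output CSV file
    -n  number of records to parse; all records when left out
"""
from argparse import ArgumentParser
from time import process_time
import sys

from ntfs_parse import UsnJrnl


def parse_args(argument_string):
    """Parse the command line of the $UsnJrnl export tool.

    Args:
        argument_string: The argument vector as a list of strings
            (typically ``sys.argv[1:]``), despite the parameter's name.

    Returns:
        An ``argparse.Namespace`` with ``file`` (path of the $UsnJrnl dump),
        ``output`` (CSV destination, ``None`` when ``-e`` is not given) and
        ``number`` (record count, ``None`` when every record should be parsed).

    Raises:
        SystemExit: raised by argparse when ``-f`` is missing or ``-n`` is
            not an integer.
    """
    parser = ArgumentParser()
    # The journal dump is the one input the tool cannot work without; make
    # argparse reject its absence with a usage message instead of letting
    # UsnJrnl(None) fail later with an opaque error.
    parser.add_argument('-f', help='File containing the UsnJrnl', dest='file', required=True)
    # -e is left optional: how export_csv handles a missing output path is
    # decided in ntfs_parse, not here.
    parser.add_argument('-e', help='Output file', dest='output')
    parser.add_argument(
        '-n',
        help='Number of records to parse. If left out, all will be parsed.',
        dest='number',
        type=int,
    )
    return parser.parse_args(argument_string)


def main(argv=None):
    """Parse the journal named on the command line and export it as CSV.

    Args:
        argv: Argument vector to parse; defaults to ``sys.argv[1:]``.
    """
    args = parse_args(sys.argv[1:] if argv is None else argv)
    usn_jrnl = UsnJrnl(args.file)
    # number=None means "parse everything" (see the -n help text).
    usn_jrnl.parse(number=args.number)
    usn_jrnl.export_csv(args.output)


if __name__ == '__main__':
    main()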