コード例 #1
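 def json_mft(self):
     """Export the MFT of each local drive and render each dump as JSON.

     Walks ``self.__extract_mft()`` (iterating it appears to drive the raw
     extraction itself, so the loop runs even when ``self.mft_export`` is
     off) and, for every ``.mft`` path it yields, runs an ``_MftSession``
     that writes ``<path without .mft>.json`` when ``self.mft_export`` is
     set.
     """
     mft_suffix = '.mft'
     for path_current_mft in self.__extract_mft():
         if not self.mft_export:
             continue
         # Swap only the trailing extension: a blanket str.replace() would
         # also rewrite a '.mft' occurring earlier in output_dir or the host
         # name and point the session at a path that does not exist.
         if path_current_mft.endswith(mft_suffix):
             path_json = path_current_mft[:-len(mft_suffix)] + '.json'
         else:
             path_json = path_current_mft.replace(mft_suffix, '.json')
         # NOTE(review): the trailing True presumably selects JSON output in
         # _MftSession -- confirm against its signature.
         session = _MftSession(self.logger, path_current_mft, path_json, True)
         session.open_files()
         session.process_mft_file()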
コード例 #2
ファイル: dump.py プロジェクト: SekoiaLab/Fastir_Collector
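 def json_mft(self):
     """Export the MFT of each local drive and write a JSON rendering of it.

     ``self.__extract_mft()`` is iterated unconditionally (the iteration
     appears to perform the raw extraction); for each yielded ``.mft`` path
     an ``_MftSession`` is run when ``self.mft_export`` is set, producing
     ``<path without .mft>.json``.
     """
     for path_current_mft in self.__extract_mft():
         if not self.mft_export:
             continue
         # Derive the JSON path from the extension only; the original
         # str.replace() rewrote every '.mft' in the whole path.
         if path_current_mft.endswith('.mft'):
             json_path = path_current_mft[:-len('.mft')] + '.json'
         else:
             json_path = path_current_mft.replace('.mft', '.json')
         # NOTE(review): fourth positional argument (True) presumably
         # switches _MftSession to JSON output -- confirm.
         session = _MftSession(self.logger,
                               path_current_mft,
                               json_path,
                               True)
         session.open_files()
         session.process_mft_file()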
コード例 #3
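 def csv_mft(self):
     """Exports the MFT from each local drive and creates a csv from it.

     ``self.__extract_mft()`` is iterated unconditionally (the iteration
     appears to perform the raw extraction); for each yielded ``.mft`` path
     an ``_MftSession`` is run when ``self.mft_export`` is set, writing
     ``<path without .mft><self.rand_ext>``.
     """
     mft_suffix = '.mft'
     for path_current_mft in self.__extract_mft():
         if not self.mft_export:
             continue
         # Replace only the trailing extension: str.replace() on the whole
         # path would also mangle a '.mft' inside output_dir or the host name.
         if path_current_mft.endswith(mft_suffix):
             path_csv = path_current_mft[:-len(mft_suffix)] + self.rand_ext
         else:
             path_csv = path_current_mft.replace(mft_suffix, self.rand_ext)
         session = _MftSession(self.logger, path_current_mft, path_csv)
         session.open_files()
         session.process_mft_file()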
コード例 #4
ファイル: dump.py プロジェクト: SekoiaLab/Fastir_Collector
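 def csv_mft(self):
     """Exports the MFT from each local drive and creates a csv from it.

     Iterates ``self.__extract_mft()`` (the iteration itself appears to do
     the raw extraction, so it is never skipped) and, when
     ``self.mft_export`` is set, parses each yielded ``.mft`` dump into
     ``<path without .mft><self.rand_ext>`` via ``_MftSession``.
     """
     for path_current_mft in self.__extract_mft():
         if not self.mft_export:
             continue
         # Only the extension is swapped; the original replaced every
         # '.mft' substring in the path.
         if path_current_mft.endswith('.mft'):
             csv_path = path_current_mft[:-len('.mft')] + self.rand_ext
         else:
             csv_path = path_current_mft.replace('.mft', self.rand_ext)
         session = _MftSession(self.logger,
                               path_current_mft,
                               csv_path)
         session.open_files()
         session.process_mft_file()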
コード例 #5
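    def csv_mft(self):
        """Export the raw MFT of every local drive and optionally parse it to CSV.

        For each drive from ``get_local_drives()`` the raw volume is opened,
        its first sector is read to locate the MFT, and the data runs of the
        MFT's own $DATA attribute are copied, in order, to
        ``<output_dir>\\<computer_name>_mft_<letter>.mft``.  When
        ``self.mft_export`` is set an ``_MftSession`` then turns that dump
        into ``<same prefix><self.rand_ext>``.

        Opening ``\\\\.\\<letter>:`` needs administrative rights; errors from
        the open or the reads are left to propagate.  The raw volume handle
        is closed on every exit path.
        """
        for local_drive in get_local_drives():
            self.logger.info('Exporting MFT for drive : ' + local_drive)
            dump_prefix = (self.output_dir + '\\' + self.computer_name +
                           '_mft_' + local_drive[0])
            ntfsdrive = file('\\\\.\\' + local_drive.replace('\\', ''), 'rb')
            try:
                bytes_per_sector, sectors_per_cluster, mft_lcn = \
                    self._read_ntfs_geometry(ntfsdrive)
                cluster_size = bytes_per_sector * sectors_per_cluster
                # Record 0 of the MFT sits at cluster mft_lcn of the volume.
                ntfsdrive.seek(long(cluster_size * mft_lcn))
                # A 1024-byte record is assumed, as in the original; the real
                # size is also stored in the boot sector -- TODO confirm.
                mftraw = ntfsdrive.read(1024)
                with open(dump_prefix + '.mft', 'wb') as output:
                    copied = self._write_mft_runs(ntfsdrive, mftraw,
                                                  cluster_size, output)
                if not copied:
                    # An empty dump would otherwise be produced silently.
                    self.logger.info(
                        'No $DATA attribute found in MFT record 0 for drive : '
                        + local_drive)
            finally:
                # The original never closed the raw handle (one leak per drive).
                ntfsdrive.close()
            # export on csv
            if self.mft_export:
                session = _MftSession(self.logger, dump_prefix + '.mft',
                                      dump_prefix + self.rand_ext)
                session.open_files()
                session.process_mft_file()

    @staticmethod
    def _read_ntfs_geometry(ntfsdrive):
        """Return (bytes_per_sector, sectors_per_cluster, mft_cluster_number).

        Reads the fields at offsets 0x0b, 0x0d and 0x30 of the volume's first
        sector.  On Windows the sector is copied into a StringIO first,
        because a raw volume handle only seeks in whole sectors.
        """
        if os.name == 'nt':
            ntfsfile = StringIO(ntfsdrive.read(512))
        else:
            ntfsfile = ntfsdrive
        # The original's hexlify/unhexlify round trip was an identity
        # transform and has been dropped.
        ntfsfile.seek(0x0b)
        bytes_per_sector = struct.unpack(b'<h', ntfsfile.read(WORDSIZE))[0]
        ntfsfile.seek(0x0d)
        # NOTE(review): decoded as a signed byte, as in the original --
        # confirm this matches the encoding of the volumes being collected.
        sectors_per_cluster = struct.unpack(b'<b', ntfsfile.read(BYTESIZE))[0]
        ntfsfile.seek(0x30)
        mft_cluster_number = struct.unpack(
            b'<q', ntfsfile.read(LONGLONGSIZE))[0]
        return bytes_per_sector, sectors_per_cluster, mft_cluster_number

    @staticmethod
    def _write_mft_runs(ntfsdrive, mftraw, cluster_size, output):
        """Copy the $DATA runs of MFT record 0 (*mftraw*) to *output*.

        *cluster_size* is bytes_per_sector * sectors_per_cluster.  Returns
        True once a $DATA attribute (type 0x80) has been copied, False if the
        attribute walk ends without finding one.
        """
        # Offset of the first attribute header inside the record.
        read_ptr = struct.unpack(b"<H", mftraw[20:22])[0]
        while read_ptr < len(mftraw):
            atr = decodeATRHeader(mftraw[read_ptr:])
            if atr['type'] == 0x80:
                dataruns = mftraw[read_ptr + atr['run_off']:
                                  read_ptr + atr['len']]
                prev_seek = None
                for length, cluster in decode_data_runs(dataruns):
                    if prev_seek is None:
                        # first run: the cluster number is absolute
                        ntfsdrive.seek(cluster * cluster_size)
                    else:
                        # later runs: relative to the previous run's start
                        ntfsdrive.seek(prev_seek + cluster * cluster_size)
                    prev_seek = ntfsdrive.tell()
                    output.write(ntfsdrive.read(length * cluster_size))
                return True
            if atr['len'] <= 0:
                # A zero-length header can never advance read_ptr; the
                # original spun forever here.  Stop the walk instead.
                break
            read_ptr += atr['len']
        return False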
コード例 #6
ファイル: dump.py プロジェクト: fo0nikens/Fastir_Collector
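    def csv_mft(self):
        """Export the raw MFT of every local drive and optionally parse it to CSV.

        For each drive from ``get_local_drives()`` the raw volume is opened,
        its first sector is read to locate the MFT, and the data runs of the
        MFT's own $DATA attribute are copied, in order, to
        ``<output_dir>\\<computer_name>_mft_<letter>.mft``.  When
        ``self.mft_export`` is set an ``_MftSession`` then turns that dump
        into ``<same prefix>.csv``.

        Opening ``\\\\.\\<letter>:`` needs administrative rights; errors from
        the open or the reads are left to propagate.  The raw volume handle
        is closed on every exit path.
        """
        for local_drive in get_local_drives():
            self.logger.info('Exporting MFT for drive : ' + local_drive)
            dump_prefix = self.output_dir + '\\' + self.computer_name + '_mft_' + local_drive[0]
            ntfsdrive = file('\\\\.\\' + local_drive.replace('\\', ''), 'rb')
            try:
                bytes_per_sector, sectors_per_cluster, mft_lcn = self._read_ntfs_geometry(ntfsdrive)
                cluster_size = bytes_per_sector * sectors_per_cluster
                # Record 0 of the MFT sits at cluster mft_lcn of the volume.
                ntfsdrive.seek(long(cluster_size * mft_lcn))
                # A 1024-byte record is assumed, as in the original; the real
                # size is also stored in the boot sector -- TODO confirm.
                mftraw = ntfsdrive.read(1024)
                with open(dump_prefix + '.mft', 'wb') as output:
                    copied = self._write_mft_runs(ntfsdrive, mftraw, cluster_size, output)
                if not copied:
                    # An empty dump would otherwise be produced silently.
                    self.logger.info('No $DATA attribute found in MFT record 0 for drive : ' + local_drive)
            finally:
                # The original never closed the raw handle (one leak per drive).
                ntfsdrive.close()
            # export on csv
            if self.mft_export:
                session = _MftSession(self.logger,
                                      dump_prefix + '.mft',
                                      dump_prefix + '.csv')
                session.open_files()
                session.process_mft_file()

    @staticmethod
    def _read_ntfs_geometry(ntfsdrive):
        """Return (bytes_per_sector, sectors_per_cluster, mft_cluster_number).

        Reads the fields at offsets 0x0b, 0x0d and 0x30 of the volume's first
        sector.  On Windows the sector is copied into a StringIO first,
        because a raw volume handle only seeks in whole sectors.
        """
        if os.name == 'nt':
            ntfsfile = StringIO(ntfsdrive.read(512))
        else:
            ntfsfile = ntfsdrive
        # The original's hexlify/unhexlify round trip was an identity
        # transform and has been dropped.
        ntfsfile.seek(0x0b)
        bytes_per_sector = struct.unpack(b'<h', ntfsfile.read(WORDSIZE))[0]
        ntfsfile.seek(0x0d)
        # NOTE(review): decoded as a signed byte, as in the original --
        # confirm this matches the encoding of the volumes being collected.
        sectors_per_cluster = struct.unpack(b'<b', ntfsfile.read(BYTESIZE))[0]
        ntfsfile.seek(0x30)
        mft_cluster_number = struct.unpack(b'<q', ntfsfile.read(LONGLONGSIZE))[0]
        return bytes_per_sector, sectors_per_cluster, mft_cluster_number

    @staticmethod
    def _write_mft_runs(ntfsdrive, mftraw, cluster_size, output):
        """Copy the $DATA runs of MFT record 0 (*mftraw*) to *output*.

        *cluster_size* is bytes_per_sector * sectors_per_cluster.  Returns
        True once a $DATA attribute (type 0x80) has been copied, False if the
        attribute walk ends without finding one.
        """
        # Offset of the first attribute header inside the record.
        read_ptr = struct.unpack(b"<H", mftraw[20:22])[0]
        while read_ptr < len(mftraw):
            atr = decodeATRHeader(mftraw[read_ptr:])
            if atr['type'] == 0x80:
                dataruns = mftraw[read_ptr + atr['run_off']:read_ptr + atr['len']]
                prev_seek = None
                for length, cluster in decode_data_runs(dataruns):
                    if prev_seek is None:
                        # first run: the cluster number is absolute
                        ntfsdrive.seek(cluster * cluster_size)
                    else:
                        # later runs: relative to the previous run's start
                        ntfsdrive.seek(prev_seek + cluster * cluster_size)
                    prev_seek = ntfsdrive.tell()
                    output.write(ntfsdrive.read(length * cluster_size))
                return True
            if atr['len'] <= 0:
                # A zero-length header can never advance read_ptr; the
                # original spun forever here.  Stop the walk instead.
                break
            read_ptr += atr['len']
        return False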