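# Parse the MFT first: the boot sector tells where the MFT lives and how
# large its records are.
sector = BootSector(image_name=args.image, offset_sectors=args.offset_sectors,
                    offset_bytes=args.offset_bytes, sector_size=args.sector_size)
mft = MFT(image_name=args.image, boot_sector=sector)
mft.parse_all()

try:
    # Get the inum (MFT entry number) of the $UsnJrnl. It is located in the
    # $INDEX_ROOT attribute of $Extend, which is MFT entry 11 in the NTFS
    # system-file layout. The image is untrusted input: a volume with no USN
    # journal, or a damaged $Extend index, makes this lookup miss; the KeyError
    # is re-raised with a message that names what is missing instead of a
    # bare key, so the failure is diagnosable from the log alone.
    try:
        usn_jrnl_inum = (
            mft.entries[11]
            .attributes[AttributeTypeEnum.INDEX_ROOT][0]
            .entries[AttributeTypeEnum.FILE_NAME]['$UsnJrnl']
            .file_reference_mft_entry
        )
    except KeyError as err:
        raise KeyError(
            '$UsnJrnl not found via $Extend (MFT entry 11) $INDEX_ROOT: %r' % (err,)
        ) from err

    # Carve out the $LogFile (inum 2) and store it in the local temporary file.
    mft.extract_data(inum=2, output_file=logfile_file.name, stream=0)
    # Carve out the $UsnJrnl (inum found above) and store it in the local
    # temporary file.
    mft.extract_data(inum=usn_jrnl_inum, output_file=usnjrnl_file.name, stream=0)

    # Pass the temporary logfile-file into the $LogFile class, parse it and
    # link the records into transactions.
    log_file = LogFile(dump_dir=args.dump_dir, file_name=logfile_file.name)
    log_file.parse_all()
    log_file.connect_transactions()

    # Pass the temporary usnjrnl-file into the $UsnJrnl class and parse it.
    usn_jrnl = UsnJrnl(usnjrnl_file.name)
    usn_jrnl.parse()
finally:
    # Close the temporary files on every path: all the needed data is now in
    # the local variables usn_jrnl and log_file. The original closed them
    # only on success, so any parse error left both handles (and the carved
    # copies of $LogFile / $UsnJrnl) behind.
    usnjrnl_file.close()
    logfile_file.close()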
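mft = MFT(image_name=args.image, boot_sector=sector)

# Export
if args.action == 'export':
    # Parsing: either the whole MFT or only the requested inum range.
    # The range local was named `range` before, shadowing the builtin.
    if args.inums == 'all':
        mft.parse_all()
        inum_range = None
    else:
        inum_range = InumRange(args.inums)
        mft.parse_inums(inum_range=inum_range)

    # Exporting in the requested format. An export_type outside these three
    # values is a silent no-op, as before; presumably the argparse definition
    # (not visible here) restricts it with `choices` -- confirm.
    if args.export_type == 'parsed':
        mft.export_parsed(inum_range=inum_range, export_file=args.export_file)
    elif args.export_type == 'csv':
        mft.export_csv(inum_range=inum_range, export_file=args.export_file)
    elif args.export_type == 'raw':
        mft.export_raw(inum_range=inum_range, export_file=args.export_file)

# Extract data: parse only the requested entry, then carve the chosen stream
# to the output file.
elif args.action == 'extractdata':
    mft.parse_inum(args.inum)
    mft.extract_data(inum=args.inum, output_file=args.output_file,
                     stream=args.data_stream)

# Statistics over the fully parsed MFT.
elif args.action == 'statistics':
    mft.parse_all()
    mft.print_statistics()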