예제 #1
    # get the inum (MFT entry number) of the $UsnJrnl --> located in $Extend|$INDEX_ROOT attribute
    usn_jrnl_inum = mft.entries[11].\
        attributes[AttributeTypeEnum.INDEX_ROOT][0].\
        entries[AttributeTypeEnum.FILE_NAME]['$UsnJrnl'].\
        file_reference_mft_entry

    # carve out the logfile (inum 2) and store in local temporary file
    mft.extract_data(inum=2, output_file=logfile_file.name, stream=0)
    # carve out the $UsnJrnl (inum searched for above) and store in local temporary file
    mft.extract_data(inum=usn_jrnl_inum,
                     output_file=usnjrnl_file.name,
                     stream=0)

    # pass the temporary logfile-file into the $LogFile class and parse it
    log_file = LogFile(dump_dir=args.dump_dir, file_name=logfile_file.name)
    log_file.parse_all()
    log_file.connect_transactions()

    # pass the temporary usnjrnl-file into the $UsnJrnl class and parse it
    usn_jrnl = UsnJrnl(usnjrnl_file.name)
    usn_jrnl.parse()

    # close the temporary files as all the needed data is in the local variables usn_jrnl and log_file
    usnjrnl_file.close()
    logfile_file.close()

    # $UsnJrnl records ordered by MFT entry
    usnjrnl_grouped = usn_jrnl.grouped_by_entry

    # If no inum has been given as input go through all the available data,
예제 #2
                        help='Number of pages to parse. If left out, all pages are parsed',
                        dest='num',
                        type=int)
    parser.add_argument('-q',
                        help='Select what LSN\'s to output (parsed). Comma separated.',
                        dest='lsns')
    parser.add_argument('-p',
                        help='Put program in performance measurement mode',
                        action="store_true")
    return parser.parse_args()


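if __name__ == '__main__':
    # Command-line entry point: parse a $LogFile dump and export it in the
    # format selected by --export_type. `parse_args` and `LogFile` are defined
    # elsewhere in this module.
    args = parse_args(sys.argv[1:])

    # `args.num` limits the number of pages parsed; None means all pages.
    data = LogFile(dump_dir=args.dump_dir, file_name=args.file_name, performance=args.p)
    data.parse_all(args.num)

    if args.export_type == 'parsed':
        data.export_parsed(export_file=args.export_file)
    elif args.export_type == 'csv':
        # transactions must be linked before any transaction-based export
        data.connect_transactions()
        data.export_csv(export_file=args.export_file)
    elif args.export_type == 'transaction':
        data.connect_transactions()
        data.export_transactions(export_file=args.export_file)
    elif args.export_type == 'parsedlsns':
        # '-q' is optional at the parser level but mandatory for this export
        # type: without the guard a missing option surfaces as an
        # AttributeError on None.split() instead of a usage error, and a
        # non-numeric or empty list entry would surface as a raw ValueError.
        if not args.lsns:
            sys.exit("export type 'parsedlsns' requires -q with a comma separated list of LSNs")
        try:
            lsn_numbers = [int(num) for num in args.lsns.split(',') if num.strip()]
        except ValueError as err:
            sys.exit('invalid LSN list given to -q: {}'.format(err))
        data.connect_transactions()
        data.export_parsed_lsns(export_file=args.export_file, lsn_numbers=lsn_numbers)
    else:
        # Previously an unrecognised export type parsed the whole dump and then
        # silently produced no output; report it instead.
        sys.exit('unknown export type: {!r}'.format(args.export_type))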
예제 #3
    mft = MFT(image_name=args.image, boot_sector=sector)
    mft.parse_all()

    # get the inum (MFT entry number) of the $UsnJrnl --> located in $Extend|$INDEX_ROOT attribute
    usn_jrnl_inum = mft.entries[11].\
        attributes[AttributeTypeEnum.INDEX_ROOT][0].\
        entries[AttributeTypeEnum.FILE_NAME]['$UsnJrnl'].\
        file_reference_mft_entry

    # carve out the logfile (inum 2) and store in local temporary file
    mft.extract_data(inum=2, output_file=logfile_file.name, stream=0)
    # carve out the $UsnJrnl (inum searched for above) and store in local temporary file
    mft.extract_data(inum=usn_jrnl_inum, output_file=usnjrnl_file.name, stream=0)

    # pass the temporary logfile-file into the $LogFile class and parse it
    log_file = LogFile(dump_dir=args.dump_dir, file_name=logfile_file.name)
    log_file.parse_all()
    log_file.connect_transactions()

    # pass the temporary usnjrnl-file into the $UsnJrnl class and parse it
    usn_jrnl = UsnJrnl(usnjrnl_file.name)
    usn_jrnl.parse()

    # close the temporary files as all the needed data is in the local variables usn_jrnl and log_file
    usnjrnl_file.close()
    logfile_file.close()

    # $UsnJrnl records ordered by MFT entry
    usnjrnl_grouped = usn_jrnl.grouped_by_entry

    # If no inum has been given as input go through all the available data,
예제 #4
        type=int)
    parser.add_argument(
        '-q',
        help='Select what LSN\'s to output (parsed). Comma separated.',
        dest='lsns')
    parser.add_argument('-p',
                        help='Put program in performance measurement mode',
                        action="store_true")
    return parser.parse_args()


if __name__ == '__main__':
    args = parse_args(sys.argv[1:])

    data = LogFile(dump_dir=args.dump_dir,
                   file_name=args.file_name,
                   performance=args.p)
    data.parse_all(args.num)

    if args.export_type == 'parsed':
        data.export_parsed(export_file=args.export_file)
    elif args.export_type == 'csv':
        data.connect_transactions()
        data.export_csv(export_file=args.export_file)
    elif args.export_type == 'transaction':
        data.connect_transactions()
        #data.print_transactions(export_file=args.export_file)
        #data.print_faulty_transactions(export_file=args.export_file)
        data.export_transactions(export_file=args.export_file)
    elif args.export_type == 'parsedlsns':
        data.connect_transactions()