# Parse the MFT first
sector = BootSector(image_name=args.image,
offset_sectors=args.offset_sectors,
offset_bytes=args.offset_bytes,
sector_size=args.sector_size)
mft = MFT(image_name=args.image, boot_sector=sector)
mft.parse_all()
# get the inum (MFT entry number) of the $UsnJrnl --> located in $Extend|$INDEX_ROOT attribute
usn_jrnl_inum = mft.entries[11].\
attributes[AttributeTypeEnum.INDEX_ROOT][0].\
entries[AttributeTypeEnum.FILE_NAME]['$UsnJrnl'].\
file_reference_mft_entry
# carve out the logfile (inum 2) and store in local temporary file
mft.extract_data(inum=2, output_file=logfile_file.name, stream=0)
# carve out the $UsnJrnl (inum searched for above) and store in local temporary file
mft.extract_data(inum=usn_jrnl_inum,
output_file=usnjrnl_file.name,
stream=0)
# pass the temporary logfile-file into the $LogFile class and parse it
log_file = LogFile(dump_dir=args.dump_dir, file_name=logfile_file.name)
log_file.parse_all()
log_file.connect_transactions()
# pass the temporary usnjrnl-file into the $UsnJrnl class and parse it
usn_jrnl = UsnJrnl(usnjrnl_file.name)
usn_jrnl.parse()
# close the temporary files as all the needed data is in the local variables usn_jrnl and log_file
# Parse the MFT first
sector = BootSector(image_name=args.image,
offset_sectors=args.offset_sectors,
offset_bytes=args.offset_bytes,
sector_size=args.sector_size)
mft = MFT(image_name=args.image, boot_sector=sector)
mft.parse_all()
# get the inum (MFT entry number) of the $UsnJrnl --> located in $Extend|$INDEX_ROOT attribute
usn_jrnl_inum = mft.entries[11].\
attributes[AttributeTypeEnum.INDEX_ROOT][0].\
entries[AttributeTypeEnum.FILE_NAME]['$UsnJrnl'].\
file_reference_mft_entry
# carve out the logfile (inum 2) and store in local temporary file
mft.extract_data(inum=2, output_file=logfile_file.name, stream=0)
# carve out the $UsnJrnl (inum searched for above) and store in local temporary file
mft.extract_data(inum=usn_jrnl_inum, output_file=usnjrnl_file.name, stream=0)
# pass the temporary logfile-file into the $LogFile class and parse it
log_file = LogFile(dump_dir=args.dump_dir, file_name=logfile_file.name)
log_file.parse_all()
log_file.connect_transactions()
# pass the temporary usnjrnl-file into the $UsnJrnl class and parse it
usn_jrnl = UsnJrnl(usnjrnl_file.name)
usn_jrnl.parse()
# close the temporary files as all the needed data is in the local variables usn_jrnl and log_file
usnjrnl_file.close()
logfile_file.close()
mft = MFT(image_name=args.image, boot_sector=sector)
# Export
if args.action == 'export':
# Parsing
if args.inums == 'all':
mft.parse_all()
range = None
else:
range = InumRange(args.inums)
mft.parse_inums(inum_range=range)
# Exporting
if args.export_type == 'parsed':
mft.export_parsed(inum_range=range, export_file=args.export_file)
elif args.export_type == 'csv':
mft.export_csv(inum_range=range, export_file=args.export_file)
elif args.export_type == 'raw':
mft.export_raw(inum_range=range, export_file=args.export_file)
# Extract data
if args.action == 'extractdata':
mft.parse_inum(args.inum)
mft.extract_data(inum=args.inum,
output_file=args.output_file,
stream=args.data_stream)
# Statistics
if args.action == 'statistics':
mft.parse_all()
mft.print_statistics()
mft = MFT(image_name=args.image, boot_sector=sector)
# Export
if args.action == 'export':
# Parsing
if args.inums == 'all':
mft.parse_all()
range = None
else:
range = InumRange(args.inums)
mft.parse_inums(inum_range=range)
# Exporting
if args.export_type == 'parsed':
mft.export_parsed(inum_range=range, export_file=args.export_file)
elif args.export_type == 'csv':
mft.export_csv(inum_range=range, export_file=args.export_file)
elif args.export_type == 'raw':
mft.export_raw(inum_range=range, export_file=args.export_file)
# Extract data
if args.action == 'extractdata':
mft.parse_inum(args.inum)
mft.extract_data(inum=args.inum, output_file=args.output_file, stream=args.data_stream)
# Statistics
if args.action == 'statistics':
mft.parse_all()
mft.print_statistics()
