def get_summary(self, ver):
info_list = dict()
total_num = struct.unpack("<L", self.__destlist[4:8])[0]
info_list["Total Num of JumpList"] = total_num
num_action = self.__destlist[24:32]
info_list["Total Num of Add/Delete/Open action"] = num_action[0]
netbiosname = self.__destlist[104:120]
entryidnumber = struct.unpack("<L", self.__destlist[120:124])
info_list["Netbios"] = decode_str(
netbiosname) #netbiosname.replace('\x00','')
time = struct.unpack("<Q", self.__destlist[132:140])
last_acc_time = convert_time(time[0])
info_list["TimeZone"] = last_acc_time.strftime("%Z")
info_list["Last Access Time"] = last_acc_time.strftime(
"%Y-%m-%d %H:%M:%S")
cnt = struct.unpack("<L", self.__destlist[148:152])
info_list["Access Count"] = cnt[0]
if ver == 7:
len_stringdata = struct.unpack("<H", self.__destlist[144:146])
destlist_stringdata = self.__destlist[146:146 +
len_stringdata[0] * 2]
info_list["Data String"] = decode_str(
destlist_stringdata) # destlist_stringdata.decode('utf-16')
elif ver == 10:
len_stringdata = struct.unpack("<H", self.__destlist[160:162])
destlist_stringdata = self.__destlist[162:162 +
2 * len_stringdata[0]]
info_list["Data String"] = destlist_stringdata.decode('utf-16')
return [info_list]
def __time(self):
json_list = []
self.__file.seek(16)
filedatetime = struct.unpack_from('<q', self.__file.read(8))[0]
filedatetime = convert_time.convert_time(filedatetime)
deleted_time = filedatetime.strftime("%Y-%m-%d %H:%M:%S")
time_zone = filedatetime.strftime("%Z")
rc_obj = {"Time Zone": time_zone,
"File Deleted Time": deleted_time}
json.dumps(rc_obj)
json_list.append(rc_obj)
return json_list
def __write_time(self):
self.__file.seek(44)
w_time = self.__file.read(8)
w_time = struct.unpack('<q', w_time)[0]
w_time = convert_time.convert_time(w_time)
write_time = w_time.strftime("%Y-%m-%d %H:%M:%S")
time_zone = w_time.strftime('%Z')
lnk_list = []
lnk_obj = {"TimeZone": time_zone, 'Target File Write Time': write_time}
json.dumps(lnk_obj)
lnk_list.append(lnk_obj)
return lnk_list
def __access_time(self):
self.__file.seek(36)
a_time = self.__file.read(8)
a_time = struct.unpack_from('<q', a_time)[0]
a_time = convert_time.convert_time(a_time)
acess_time = a_time.strftime("%Y-%m-%d %H:%M:%S")
time_zone = a_time.strftime('%Z')
lnk_list = []
lnk_obj = {
"TimeZone": time_zone,
'Target File Access Time': acess_time
}
json.dumps(lnk_obj)
lnk_list.append(lnk_obj)
return lnk_list
def __creation_time(self):
self.__file.seek(28)
c_time = self.__file.read(8)
c_time = struct.unpack('<q', c_time)
c_time = convert_time.convert_time(c_time)
creation_time = c_time.strftime("%Y-%m-%d %H:%M:%S")
time_zone = c_time.strftime('%Z')
lnk_list = []
lnk_obj = {
'TimeZone': time_zone,
'Target File Creation Time': creation_time
}
json.dumps(lnk_obj)
lnk_list.append(lnk_obj)
return lnk_list
def __parse(self):
result = []
start_offset = self.__read_unil_value()
while True:
self.__file.seek(start_offset)
info_list = dict()
record_size = self.__file.read(4)
if record_size == b'':
break
elif record_size == b'\x00\x00\x00\x00':
start_offset = self.__read_unil_value()
else:
record_size = struct.unpack("<I", record_size)
start_offset = start_offset + record_size[0]
self.__file.read(12)
parent_mft_r_num = self.__file.read(8)
info_list["USN"] = struct.unpack("<Q", self.__file.read(8))[0]
ts_time = struct.unpack("<Q", self.__file.read(8))
if ts_time[0] == 0:
continue
try:
usn_time = convert_time(ts_time[0])
info_list["Timezone"] = usn_time.strftime("%Z")
info_list["Time"] = usn_time.strftime("%Y-%m-%d %H:%M:%S")
except OverflowError:
info_list["Time"] = 'none'
info_list["Event Info"] = self.__reason_flag(self.__file.read(4))
source_info = struct.unpack("<I", self.__file.read(4))[0]
if source_info == 0:
info_list["Source"] = "User"
elif source_info == 1:
info_list["Source"] = "OS"
else:
info_list["Source"] = "Others"
security_id = self.__file.read(4).decode()
info_list["File Attribute"] = self.__file_attr(
self.__file.read(4)) # file_attr)
name_size = struct.unpack("<H", self.__file.read(2))[0]
offset_name = self.__file.read(2)
try:
name = self.__file.read(name_size)
info_list["Filename"] = name.decode('utf-16')
except UnicodeDecodeError:
info_list["Filename"] = 'cannot decode'
result.append(info_list)
return result
def __last_launch_time(self):
json_list = []
self.__file.seek(128)
if self.__file_version == 23:
end = 1
else:
end = 8
for i in range(0, end):
time = struct.unpack_from("<Q", self.__file.read(8))[0]
time = convert_time.convert_time(time)
last_launch_time = time.strftime("%Y-%m-%d %H:%M:%S")
time_zone = time.strftime("%Z")
pf_obj = {
"TimeZone": time_zone,
"File Last Launch Time": last_launch_time
}
json.dumps(pf_obj)
json_list.append(pf_obj)
return json_list
def __metadata_info(self):
json_list = []
self.__file.seek(108)
metadata_info_offset = struct.unpack_from('<I', self.__file.read(4))[0]
num_metadata_record = struct.unpack_from('<I', self.__file.read(4))[0]
self.__file.seek(metadata_info_offset)
volume_device_path_off = struct.unpack_from('<I',
self.__file.read(4))[0]
volume_device_path_off = metadata_info_offset + volume_device_path_off
volume_device_path_length = struct.unpack_from('<I',
self.__file.read(4))[0]
volume_device_path_length = volume_device_path_length * 2
time = struct.unpack_from("<Q", self.__file.read(8))[0]
time = convert_time.convert_time(time)
volume_creation_time = time.strftime("%Y-%m-%d %H:%M:%S")
time_zone = time.strftime('%Z')
volume_serial_num = struct.unpack_from('<I', self.__file.read(4))[0]
self.__file.seek(volume_device_path_off)
volume_device_path = self.__file.read(volume_device_path_length)
volume_device_path = volume_device_path.decode('utf16', 'ignore')
volume_device_path = volume_device_path.replace('\x00', '')
pf_obj = {
"Num Metadata Records": str(num_metadata_record),
"Volume Device Path": str(volume_device_path),
"TimeZone": time_zone,
"Volume Creation Time": volume_creation_time,
"Volume Serial Num": str(volume_serial_num)
}
json.dumps(pf_obj)
json_list.append(pf_obj)
return json_list
def __stream(self):
for i in range(0, len(self.__streams)):
data = self.__file.openstream(self.__streams[i])
file_data = data.read()
header_value = file_data[:4]
if header_value is b'':
pass
elif header_value[0] == 76:
data_list = dict()
lnk_flag = struct.unpack("<L", file_data[20:24])
lnk_flag = BitArray(hex(lnk_flag[0]))
link_flag = self.__link_flag(lnk_flag.bin)
file_attr = struct.unpack("<I", file_data[24:28])
file_attr = BitArray(hex(file_attr[0]))
flag_attr = self.__lnk_attrib(file_attr.bin)
# data_list["file attribute"] = flag_attr
data_list["TimeZone"] = 'UTC +00:00'
c_time = struct.unpack("<Q", file_data[28:36])
data_list["create time"] = convert_time(
c_time[0]).strftime("%Y-%m-%d %H:%M:%S")
a_time = struct.unpack("<Q", file_data[36:44])
data_list["access time"] = convert_time(
a_time[0]).strftime("%Y-%m-%d %H:%M:%S")
w_time = struct.unpack("<Q", file_data[44:52])
data_list["write time"] = convert_time(
w_time[0]).strftime("%Y-%m-%d %H:%M:%S")
data_list["file size"] = self.__file.get_size(
self.__streams[i])
file_size = struct.unpack("<L", file_data[52:56])[0]
data_list["target file size"] = file_size
lnk_id_list_size = struct.unpack('<H', file_data[76:78])
lnk_info_size = struct.unpack(
'<L', file_data[78 + lnk_id_list_size[0]:82 +
lnk_id_list_size[0]])
path_offset = struct.unpack(
'<L', file_data[94 + lnk_id_list_size[0]:94 +
lnk_id_list_size[0] + 4])
try:
volumeid_offset = struct.unpack(
"<L", file_data[90 + lnk_id_list_size[0]:90 +
lnk_id_list_size[0] + 4])
volumeid_size = struct.unpack(
"<L", file_data[78 + lnk_id_list_size[0] +
volumeid_offset[0]:volumeid_offset[0] +
82 + lnk_id_list_size[0]])
drivetype = struct.unpack(
"<L", file_data[82 + lnk_id_list_size[0] +
volumeid_offset[0]:volumeid_offset[0] +
86 + lnk_id_list_size[0]])
volumelabel_offset = struct.unpack(
"<L", file_data[90 + lnk_id_list_size[0] +
volumeid_offset[0]:volumeid_offset[0] +
94 + lnk_id_list_size[0]])
if volumelabel_offset[0] == 14:
offset1 = volumeid_size[0] - (4 + 4 + 4 + 4 + 4)
else:
offset1 = volumeid_size[0] - (4 + 4 + 4 + 4)
drive_serial_num = struct.unpack(
"<L", file_data[86 + lnk_id_list_size[0] +
volumeid_offset[0]:volumeid_offset[0] +
90 + lnk_id_list_size[0]])[0]
volumelabel = file_data[
volumeid_offset[0] + 94 +
lnk_id_list_size[0]:volumeid_offset[0] + 94 +
lnk_id_list_size[0] + offset1]
volumelabel = decode_str(volumelabel)
drivetype = self.__drive_type_list(drivetype[0])
except struct.error:
continue
if 'HasLinkInfo' in link_flag:
size = lnk_info_size[0] - path_offset[0]
local_path = file_data[78 + lnk_id_list_size[0] +
path_offset[0]:78 +
lnk_id_list_size[0] +
path_offset[0] + size]
data_list["Local Path"] = decode_str(local_path)
elif 'HasRelativePath' in link_flag:
net_offset = struct.unpack(
"<L", file_data[98 + lnk_id_list_size[0]:102 +
lnk_id_list_size[0]])
size = net_offset[0] - path_offset[0]
local_path = file_data[78 + lnk_id_list_size[0] +
path_offset[0]:78 +
lnk_id_list_size[0] +
path_offset[0] + size]
data_list["Local Path"] = decode_str(local_path)
data_list["drive type"] = drivetype
data_list["drive serial number"] = drive_serial_num
data_list["Volume Label"] = volumelabel
self.__json_list.append(data_list)
else:
self.__destlist = file_data
def __destlist_data(self, ver):
result = []
try:
total_num = struct.unpack("<L", self.__destlist[4:8])
entryidnumber = struct.unpack("<L", self.__destlist[120:124])
if ver == 7:
len_stringdata = struct.unpack("<H", self.__destlist[144:146])
offset = 146 + 2 * len_stringdata[0]
elif ver == 10:
len_stringdata = struct.unpack("<H", self.__destlist[160:162])
offset = 166 + 2 * len_stringdata[0]
for entry in range(total_num[0] - 1):
if entryidnumber[0] > 1:
info_list = dict()
if ver == 10:
mac = self.__destlist[offset + 34:offset + 40]
info_list["MAC(new)"] = format(
mac[0], '02x') + ':' + format(
mac[1], '02x') + ':' + format(
mac[2], '02x') + ':' + format(
mac[3], '02x') + ':' + format(
mac[4], '02x') + ':' + format(
mac[5], '02x')
mac = self.__destlist[offset + 66:offset + 72]
info_list["MAC(birth)"] = format(
mac[0], '02x') + ':' + format(
mac[1], '02x') + ':' + format(
mac[2], '02x') + ':' + format(
mac[3], '02x') + ':' + format(
mac[4], '02x') + ':' + format(
mac[5], '02x')
netbiosname = self.__destlist[offset + 72:offset + 88]
try:
info_list["netbios"] = netbiosname.decode(
'ascii').replace('\x00', '')
except UnicodeDecodeError:
info_list["netbios"] = 'cannot decode'
entryidnumber = struct.unpack(
"<L", self.__destlist[offset + 88:offset + 92])
last_access_time = struct.unpack(
"<Q", self.__destlist[offset + 100:offset + 108])
last_acc_time = convert_time(last_access_time[0])
info_list["TimeZone"] = last_acc_time.strftime("%Z")
info_list["last access time"] = last_acc_time.strftime(
"%Y-%m-%d %H:%M:%S")
access_cnt = struct.unpack(
"<L", self.__destlist[offset + 116:offset + 120])
info_list["access count"] = access_cnt[0]
len_stringdata = struct.unpack(
"<H", self.__destlist[offset + 128:offset + 130])
offset_new = offset + 130 + 2 * len_stringdata[0]
string_data = self.__destlist[offset + 130:offset_new]
info_list["data"] = string_data.decode('utf-16')
offset = offset_new + 4
result.append(info_list)
elif ver == 7:
try:
mac = self.__destlist[offset + 34:offset + 40]
info_list["MAC(new)"] = format(
mac[0], '02x') + ':' + format(
mac[1], '02x') + ':' + format(
mac[2], '02x') + ':' + format(
mac[3], '02x') + ':' + format(
mac[4], '02x') + ':' + format(
mac[5], '02x')
mac = self.__destlist[offset + 66:offset + 72]
info_list["MAC(birth)"] = format(
mac[0], '02x') + ':' + format(
mac[1], '02x') + ':' + format(
mac[2], '02x') + ':' + format(
mac[3], '02x') + ':' + format(
mac[4], '02x') + ':' + format(
mac[5], '02x')
netbiosname = self.__destlist[offset + 72:offset +
88]
try:
info_list["netbios"] = netbiosname.decode(
'ascii').replace('\x00', '')
except UnicodeDecodeError:
info_list["netbios"] = 'cannot decode'
entryidnumber = struct.unpack(
"<Q", self.__destlist[offset + 88:offset + 96])
last_access_time = struct.unpack(
"<Q",
self.__destlist[offset + 100:offset + 108])
last_acc_time = convert_time(last_access_time[0])
info_list["TimeZone"] = last_acc_time.strftime(
"%Z")
info_list[
"last access time"] = last_acc_time.strftime(
"%Y-%m-%d %H:%M:%S")
len_stringdata = struct.unpack(
"<H",
self.__destlist[offset + 112:offset + 114])
offset_new = offset + 114 + 2 * len_stringdata[0]
string_data = self.__destlist[offset +
114:offset_new]
info_list["data"] = string_data.decode('utf-16')
new_time = struct.unpack(
"<Q", self.__destlist[offset + 24:offset + 32])
if new_time[0] == 0:
info_list["new time"] = 'non info'
else:
new_time2 = self.__convert_hex(hex(
new_time[0]))
info_list["new time"] = convert_time(
new_time2 - 5748192000000000).strftime(
"%Y-%m-%d %H:%M:%S")
birth_time = struct.unpack(
"<Q", self.__destlist[offset + 56:offset + 64])
if birth_time[0] == 0:
info_list["birth time"] = 'non info'
else:
birth_time2 = self.__convert_hex(
hex(birth_time[0]))
info_list["birth time"] = convert_time(
birth_time2 - 5748192000000000).strftime(
"%Y-%m-%d %H:%M:%S")
offset = offset_new
result.append(info_list)
except:
pass
except struct.error:
pass
except AttributeError:
pass
return result
def __parse(self):
edb_data_table = self.__file.get_table_by_name("SystemIndex_0A")
no = 0
for row in edb_data_table.records:
no += 1
mkdict = dict()
mkdict["index"] = no
mkdict["type"] = "window search.edb"
mkdict["timezone"] = convert_time.convert_time(0).strftime("%Z")
mkdict["DocID"] = row.get_value_data_as_integer(0)
mkdict["FileName"] = row.get_value_data_as_string(31).split(
'\\')[-1]
if row.get_value_data(5) is None:
mkdict["System_DateModified"] = convert_time.convert_time(
0).strftime("%Y-%m-%d %H:%M:%S")
else:
mkdict["System_DateModified"] = convert_time.convert_time(
int(bytes.decode(binascii.hexlify(row.get_value_data(5))),
16)).strftime("%Y-%m-%d %H:%M:%S")
if row.get_value_data(6) is None:
mkdict["System_DateCreated"] = convert_time.convert_time(
0).strftime("%Y-%m-%d %H:%M:%S")
else:
mkdict["System_DateCreated"] = convert_time.convert_time(
int(bytes.decode(binascii.hexlify(row.get_value_data(6))),
16)).strftime("%Y-%m-%d %H:%M:%S")
if row.get_value_data(7) is None:
mkdict["System_DateAccessed"] = convert_time.convert_time(
0).strftime("%Y-%m-%d %H:%M:%S")
else:
mkdict["System_DateAccessed"] = convert_time.convert_time(
int(bytes.decode(binascii.hexlify(row.get_value_data(7))),
16)).strftime("%Y-%m-%d %H:%M:%S")
mkdict["System_IsFolder"] = int(
bytes.decode(binascii.hexlify(row.get_value_data(19))), 16)
if mkdict["System_IsFolder"] == 1 or row.get_value_data(3) is None:
mkdict["System_Size"] = ""
else:
mkdict["System_Size"] = int(
bytes.decode(binascii.hexlify(row.get_value_data(3))), 16)
mkdict["System_MIMEType"] = row.get_value_data_as_string(21)
mkdict["System_ItemPathDisplay"] = row.get_value_data_as_string(31)
if row.get_value_data(193) is None:
mkdict["System_Search_AutoSummary"] = ""
else:
mkdict["System_Search_AutoSummary"] = ""
# data1 = row.get_value_data(193)
# data = bytes.decode(binascii.hexlify(row.get_value_data(193)))
mkdict["System_ItemTypeText"] = row.get_value_data_as_string(253)
mkdict["System_FileExtension"] = row.get_value_data_as_string(262)
mkdict[
"System_ItemPathDisplayNarrow"] = row.get_value_data_as_string(
284)
mkdict["System_FileName"] = row.get_value_data_as_string(363)
self.winsearch_list.append(mkdict)
def __parse_info(self):
result = []
for size in range(0, self.__mft_size):
self.file.seek(1024 * size)
info_list = dict()
self.file.read(8)
info_list["LSN"] = struct.unpack("<Q", self.file.read(8))[0]
self.file.read(4)
offset_first = struct.unpack("<H", self.file.read(2))[0]
flags = self.file.read(2)
used_size = struct.unpack("<H", self.file.read(2))[0]
if used_size == 64:
continue
allocated_size = struct.unpack("<I", self.file.read(4))[0]
file_refernce = unpack48(self.file.read(8))
sequence_value = file_refernce[0]
mft_entry_number = file_refernce[1]
next_attr_id = struct.unpack("<H", self.file.read(2))[0]
next_id = self.file.read(2)
self.file.seek(1024 * size + offset_first)
self.file.read(8)
resident_flag = self.file.read(1)
resident_flag = struct.unpack("<B", resident_flag)[0]
self.file.seek(3, 1)
# name_length = struct.unpack("<B", self.file.read(1))[0]
# offset_name = struct.unpack("<H", self.file.read(2))[0]
self.file.read(4)
if resident_flag is 0: # resident
self.file.read(8)
else: # non-resident
self.file.read(48)
# $STANDARD_INFORMATION
c_time = struct.unpack("<Q", self.file.read(8))
if c_time[0] == 0:
continue
try:
sin_creation_time = convert_time(c_time[0])
info_list["TimeZone"] = sin_creation_time.strftime("%Z")
info_list["SIN Creation Time"] = sin_creation_time.strftime(
"%Y-%m-%d %H:%M:%S")
except OverflowError:
continue
m_time = struct.unpack("<Q", self.file.read(8))
try:
info_list["SIN Modified Time"] = convert_time(
m_time[0]).strftime("%Y-%m-%d %H:%M:%S")
except OverflowError:
continue
mft_modified_time = struct.unpack("<Q", self.file.read(8))
try:
info_list["SIN MFT Modified Time"] = convert_time(
mft_modified_time[0]).strftime("%Y-%m-%d %H:%M:%S")
except OverflowError:
continue
a_time = struct.unpack("<Q", self.file.read(8))
try:
info_list["SIN Last Accessed Time"] = convert_time(
a_time[0]).strftime("%Y-%m-%d %H:%M:%S")
except OverflowError:
continue
self.file.read(40)
file_name_off = self.file.tell()
# $FILE_NAME
if struct.unpack("<I", self.file.read(4))[0] == 48:
attr_len = struct.unpack("<I", self.file.read(4))[0]
self.file.read(1)
#resident_flag = struct.unpack("<B", self.file.read(1))[0]
name_length = struct.unpack("<B", self.file.read(1))[0]
offset_name = struct.unpack("<H", self.file.read(2))[0]
self.file.read(12)
file_refernce = BitArray(
self.file.read(8)).unpack('uintle:48, <H')
parent_sequence_value = file_refernce[1]
parent_mft_entry_number = file_refernce[0]
c_time = struct.unpack("<Q", self.file.read(8))
try:
info_list["FIN Creation Time"] = convert_time(
c_time[0]).strftime("%Y-%m-%d %H:%M:%S")
except OverflowError:
info_list["FIN Creation Time"] = 'none'
m_time = struct.unpack("<Q", self.file.read(8))
try:
info_list["FIN Modified Time"] = convert_time(
m_time[0]).strftime("%Y-%m-%d %H:%M:%S")
except OverflowError:
info_list["FIN Modified Time"] = 'none'
mft_modified_time = struct.unpack("<Q", self.file.read(8))
try:
info_list["FIN MFT Modified Time"] = convert_time(
mft_modified_time[0]).strftime("%Y-%m-%d %H:%M:%S")
except OverflowError:
info_list["FIN MFT Modified Time"] = 'none'
a_time = struct.unpack("<q", self.file.read(8))
try:
info_list["FIN Last Accessed Time"] = convert_time(
a_time[0]).strftime("%Y-%m-%d %H:%M:%S")
except OverflowError:
info_list["FIN Last Accessed Time"] = 'none'
self.file.read(8) # file allocation size
info_list["File Size"] = struct.unpack("<Q",
self.file.read(8))[0]
# info_list["MFT Entry Num"] = mft_entry_number
# info_list["Parent MFT Entry Num"] = parent_mft_entry_number
self.file.read(8)
name_length = struct.unpack("<B", self.file.read(1))[0]
name_type = struct.unpack("<B", self.file.read(1))[0]
if name_type == 2:
try:
self.file.read(name_length * 2).decode('utf-16')
self.file.read(attr_len -
(self.file.tell() - file_name_off))
self.file.read(88)
name_length = struct.unpack("<B", self.file.read(1))[0]
self.file.read(1)
info_list["Name"] = self.file.read(name_length *
2).decode('utf-16')
except UnicodeDecodeError:
info_list["Name"] = "Unable To Decode Filename"
else:
try:
info_list["Name"] = self.file.read(name_length *
2).decode('utf-16')
except UnicodeDecodeError:
info_list["Name"] = "Unable To Decode Filename"
path_list = []
while True:
parent_result = self.__find_parent(parent_mft_entry_number)
parent_mft_entry_number = parent_result[1]
parent_name = parent_result[0]
if parent_name == 'None' or parent_name == '.':
break
else:
path_list.append(parent_name)
path = ''
for p in reversed(path_list):
path = path + str(p) + '\\'
info_list["Parent"] = path
else:
info_list["FIN Creation Time"] = ''
info_list["FIN Modified Time"] = ''
info_list["FIN MFT Modified Time"] = ''
info_list["FIN Last Accessed Time"] = ''
info_list["File Size"] = ''
info_list["Name"] = ''
info_list["Parent"] = ''
result.append(info_list)
return result
