Exemplo n.º 1
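    def do_output(self, record):
        """Send one parsed MFT record to every sink enabled in ``self.options``.

        The sinks are independent of each other: the in-memory store, the CSV
        writer, a JSON-lines file, the CSV timeline file and the body file.
        A progress line is printed at every fifth of ``self.mftsize`` when
        ``options.progress`` is set. Returns None.

        record: parsed record, in the form the ``mft.mft_to_*`` converters take.
        """
        opts = self.options

        if opts.inmemory:
            # Keyed by the running record counter.
            self.fullmft[self.num_records] = record

        if opts.output is not None:
            # NOTE(review): cell values come from the parsed record, i.e. from
            # the volume under analysis. If the CSV is later opened in a
            # spreadsheet, confirm that mft_to_csv neutralises cells starting
            # with '=', '+', '-' or '@'.
            self.file_csv.writerow(mft.mft_to_csv(record, False, opts))

        if opts.json is not None:
            # Opened in append mode for every record: whatever the file already
            # holds is kept, and each record becomes one JSON document per line.
            with open(opts.json, 'a') as outfile:
                json.dump(mft.mft_to_json(record), outfile)
                outfile.write('\n')

        if opts.csvtimefile is not None:
            self.file_csv_time.write(mft.mft_to_l2t(record))

        if opts.bodyfile is not None:
            self.file_body.write(
                mft.mft_to_body(record, opts.bodyfull, opts.bodystd))

        if opts.progress:
            step = self.mftsize / 5
            # step is 0 when mftsize is below five under integer division (or
            # when mftsize is 0); the original took the modulo first and raised
            # ZeroDivisionError in that case.
            if step and self.num_records > 0 and self.num_records % step == 0:
                # One parenthesised argument prints the same text under the
                # Python 2 print statement and the Python 3 print function.
                print('Building MFT: {0:.0f}'.format(
                    100.0 * self.num_records / self.mftsize) + '%')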
Exemplo n.º 2
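    def do_output(self, record):
        """Write one parsed MFT record to each sink enabled in ``self.options``.

        Same sinks as the plain variant (in-memory store, CSV, JSON lines, CSV
        timeline, body file), except that ``str`` cells of the CSV row are
        re-encoded from UTF-8 to CP949 before being written. Returns None.

        record: parsed record, in the form the ``mft.mft_to_*`` converters take.
        """
        opts = self.options

        if opts.inmemory:
            self.fullmft[self.num_records] = record

        if opts.output is not None:
            # `str` cells are decoded as UTF-8 and re-encoded as CP949; every
            # other cell is written unchanged. The .decode() call implies
            # Python 2 byte strings.
            # NOTE(review): encode('cp949') raises UnicodeEncodeError for any
            # character CP949 cannot represent, so a single such cell stops the
            # output of this record. Confirm whether that is acceptable for the
            # volumes being analysed.
            cells = [
                cell.decode('utf8').encode('cp949') if isinstance(cell, str) else cell
                for cell in mft.mft_to_csv(record, False, opts)
            ]
            self.file_csv.writerow(cells)

        if opts.json is not None:
            # Append mode, reopened per record: existing file content is kept.
            with open(opts.json, 'a') as outfile:
                json.dump(mft.mft_to_json(record), outfile)
                outfile.write('\n')

        if opts.csvtimefile is not None:
            self.file_csv_time.write(mft.mft_to_l2t(record))

        if opts.bodyfile is not None:
            self.file_body.write(
                mft.mft_to_body(record, opts.bodyfull, opts.bodystd))

        if opts.progress:
            fifth = self.mftsize / 5
            # Guard before the modulo: fifth is 0 for an MFT of fewer than five
            # records under integer division, which made the original raise
            # ZeroDivisionError.
            if fifth and self.num_records > 0 and self.num_records % fifth == 0:
                # Single parenthesised argument: identical output on Python 2 and 3.
                print('Building MFT: {0:.0f}'.format(
                    100.0 * self.num_records / self.mftsize) + '%')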
Exemplo n.º 3
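    def do_output(self, record):
        """Dispatch one parsed MFT record to the sinks selected in ``self.options``.

        Each enabled option adds one destination: ``inmemory`` (dict keyed by
        record counter), ``output`` (CSV row), ``json`` (one JSON document per
        line), ``csvtimefile`` and ``bodyfile``. ``progress`` prints a
        percentage at every fifth of ``self.mftsize``. Returns None.
        """
        options = self.options
        count = self.num_records

        if options.inmemory:
            self.fullmft[count] = record

        if options.output is not None:
            self.file_csv.writerow(mft.mft_to_csv(record, False, options))

        if options.json is not None:
            # The file is reopened in append mode for each record, so earlier
            # content (including output from a previous run) is preserved.
            with open(options.json, 'a') as outfile:
                json.dump(mft.mft_to_json(record), outfile)
                outfile.write('\n')

        if options.csvtimefile is not None:
            self.file_csv_time.write(mft.mft_to_l2t(record))

        if options.bodyfile is not None:
            self.file_body.write(mft.mft_to_body(record, options.bodyfull, options.bodystd))

        if options.progress:
            interval = self.mftsize / 5
            # interval can be 0 (mftsize below five with integer division, or
            # mftsize 0); checking it first avoids the ZeroDivisionError the
            # unguarded modulo raised.
            if interval and count > 0 and count % interval == 0:
                # Parenthesised single argument keeps the output identical on
                # Python 2 and Python 3.
                print('Building MFT: {0:.0f}'.format(100.0 * count / self.mftsize) + '%')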
Exemplo n.º 4
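     def do_output(self, record):
          """Write one parsed MFT record to the sinks enabled in ``self.options``.

          This variant has no JSON sink: it handles the in-memory store, the
          CSV writer, the CSV timeline file and the body file, then optionally
          prints progress. Returns None.
          """
          opts = self.options

          if opts.inmemory:
               self.fullmft[self.num_records] = record

          # Identity comparison with None: `!= None` would call a custom __ne__
          # if the option value defined one.
          if opts.output is not None:
               self.file_csv.writerow(mft.mft_to_csv(record, False, opts))

          if opts.csvtimefile is not None:
               self.file_csv_time.write(mft.mft_to_l2t(record))

          if opts.bodyfile is not None:
               self.file_body.write(mft.mft_to_body(record, opts.bodyfull, opts.bodystd))

          if opts.progress:
               step = self.mftsize / 5
               # step is 0 when mftsize is below five under integer division;
               # the original evaluated the modulo first and raised
               # ZeroDivisionError.
               if step and self.num_records > 0 and self.num_records % step == 0:
                    # Single parenthesised argument: same output on Python 2 and 3.
                    print('Building MFT: {0:.0f}'.format(100.0 * self.num_records / self.mftsize) + '%')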
Exemplo n.º 5
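     def process_mft_file(self):
          """Parse the MFT file record by record and write each record to the enabled sinks.

          Calls ``self.sizecheck()`` and ``self.build_filepaths()`` first, then
          rewinds ``self.file_mft`` and reads it in 1024-byte chunks. Each chunk
          is parsed with ``mft.parse_record``, given the file name stored in
          ``self.mft`` for that record number, and written to the in-memory
          store, CSV, CSV timeline and body file as selected in
          ``self.options``. Returns None.
          """
          self.sizecheck()
          self.build_filepaths()

          # Restart reading from the first record.
          self.num_records = 0
          self.file_mft.seek(0)
          raw_record = self.file_mft.read(1024)

          if self.options.output is not None:
               # Called with (None, True) rather than a record; presumably this
               # yields the CSV header row.
               self.file_csv.writerow(mft.mft_to_csv(None, True))

          # Truthiness ends the loop at end of file whether read() returns ''
          # or b''; comparing with "" never matches a bytes object.
          while raw_record:
               # NOTE(review): a trailing chunk shorter than 1024 bytes is
               # passed to parse_record as is; confirm that the parser
               # rejects truncated records.
               record = mft.parse_record(raw_record, self.options)
               if self.options.debug:
                    # Single parenthesised argument: same output on Python 2 and 3.
                    print(record)

               # Full path resolved earlier; raises if build_filepaths() left no
               # entry for this record number.
               record['filename'] = self.mft[self.num_records]['filename']

               if self.options.inmemory:
                    self.fullmft[self.num_records] = record

               if self.options.output is not None:
                    self.file_csv.writerow(mft.mft_to_csv(record, False))

               if self.options.csvtimefile is not None:
                    self.file_csv_time.write(mft.mft_to_l2t(record))

               if self.options.bodyfile is not None:
                    self.file_body.write(mft.mft_to_body(record, self.options.bodyfull, self.options.bodystd))

               if self.options.progress:
                    step = self.mftsize / 5
                    # step is 0 when mftsize is below five under integer
                    # division; the unguarded modulo raised ZeroDivisionError.
                    if step and self.num_records > 0 and self.num_records % step == 0:
                         print('Building MFT: {0:.0f}'.format(100.0 * self.num_records / self.mftsize) + '%')

               self.num_records += 1

               raw_record = self.file_mft.read(1024)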
Exemplo n.º 6
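    def do_output(self, record):
        """Flatten one parsed MFT record into a dict, or write it to the other sinks.

        When ``options.output`` is set and the CSV row neither contains
        'Corrupt' nor has 'NoSIRecord' in column 8, the row is mapped to a
        dict of string values and RETURNED immediately; the JSON, CSV
        timeline, body file and progress steps below are then skipped for that
        record. In every other case the remaining enabled sinks are written
        and the method returns None.

        record: parsed record, in the form the ``mft.mft_to_*`` converters take.
        """

        if self.options.inmemory:
            self.fullmft[self.num_records] = record

        if self.options.output is not None:
            recordx = mft.mft_to_csv(record, False, self.options)
            if 'Corrupt' in recordx:
                pass
            elif recordx[8] == 'NoSIRecord':
                pass
            else:
                app = {}
                app['RecordNumber'] = recordx[0]
                app['Good'] = recordx[1]
                app['Active'] = recordx[2]
                app['Recordtype'] = recordx[3]
                app['SequenceNumber'] = recordx[4]
                #app['ParentFileRec']= recordx[5]
                app['ParentFileRec_Seq_'] = recordx[6]
                app['Filename_1'] = recordx[7]
                # Timestamps: the space between date and time becomes 'T'.
                app['StdInfoCreationdate'] = recordx[8].replace(' ', 'T')
                try:
                    date = parser.parse(recordx[8]).isoformat()
                except Exception:
                    # Narrowed from a bare except so KeyboardInterrupt and
                    # SystemExit are no longer swallowed.
                    # NOTE(review): an unparseable creation time is replaced by
                    # a fixed 1700-01-01 value, which downstream consumers
                    # cannot tell apart from a real timestamp. Consider marking
                    # such records explicitly.
                    date = '1700-01-01T00:00:00'
                    date = parser.parse(date)
                    date = date.isoformat()
                app['@timestamp'] = date
                app['StdInfoModificationdate'] = recordx[9].replace(' ', 'T')
                app['StdInfoAccessdate'] = recordx[10].replace(' ', 'T')
                app['StdInfoEntrydate'] = recordx[11].replace(' ', 'T')
                # NOTE(review): the FNInfo* keys below are assigned once per
                # file-name block (columns 12-15, 20-23, 25-28, 30-33). Each
                # assignment overwrites the previous one, so only the values of
                # the last block (columns 30-33) survive in the result. If the
                # earlier $FILE_NAME timestamps matter, they need distinct keys.
                app['FNInfoCreationdate'] = recordx[12]
                app['FNInfoModificationdate'] = recordx[13].replace(' ', 'T')
                app['FNInfoAccessdate'] = recordx[14]
                app['FNInfoEntrydate'] = recordx[15]
                app['BirthVolumeID'] = recordx[16]
                app['BirthObjectID'] = recordx[17]
                app['BirthDomainID'] = recordx[18]
                app['Filename_2'] = recordx[19]
                app['FNInfoCreationdate'] = recordx[20].replace(' ', 'T')
                app['FNInfoModifydate'] = recordx[21].replace(' ', 'T')
                app['FNInfoAccessdate'] = recordx[22].replace(' ', 'T')
                app['FNInfoEntrydate'] = recordx[23].replace(' ', 'T')
                app['Filename_3'] = recordx[24]
                app['FNInfoCreationdate'] = recordx[25].replace(' ', 'T')
                app['FNInfoModifydate'] = recordx[26].replace(' ', 'T')
                app['FNInfoAccessdate'] = recordx[27].replace(' ', 'T')
                app['FNInfoEntrydate'] = recordx[28].replace(' ', 'T')
                app['Filename_4'] = recordx[29]
                app['FNInfoCreationdate'] = recordx[30].replace(' ', 'T')
                app['FNInfoModifydate'] = recordx[31].replace(' ', 'T')
                app['FNInfoAccessdate'] = recordx[32].replace(' ', 'T')
                app['FNInfoEntrydate'] = recordx[33].replace(' ', 'T')
                app['StandardInformation'] = recordx[34]
                app['AttributeList'] = recordx[35]
                app['Filename'] = recordx[36]
                app['ObjectID'] = recordx[37]
                app['VolumeName'] = recordx[38]
                app['VolumeInfo'] = recordx[39]
                app['Data'] = recordx[40]
                app['IndexRoot'] = recordx[41]
                app['IndexAllocation'] = recordx[42]
                app['Bitmap'] = recordx[43]
                app['ReparsePoint'] = recordx[44]
                app['EAInformation'] = recordx[45]
                app['EA'] = recordx[46]
                app['PropertySet'] = recordx[47]
                app['LoggedUtilityStream'] = recordx[48]
                app['Log/Notes'] = recordx[49]
                app['STFFNShift'] = recordx[50]
                app['uSecZero'] = recordx[51]
                app['ADS'] = recordx[52]
                app['PossibleCopy'] = recordx[53]
                app['PossibleVolumeMove'] = recordx[54]
                # Every value is coerced to str before the dict is handed back.
                app = dict((k, str(v)) for k, v in app.iteritems())
                # Early return: none of the sinks below run for this record.
                return app
            # self.file_csv.writerow(mft.mft_to_csv(record, False, self.options))

        if self.options.json is not None:
            # Append mode, reopened per record: existing file content is kept.
            with open(self.options.json, 'a') as outfile:
                json.dump(mft.mft_to_json(record), outfile)
                outfile.write('\n')

        if self.options.csvtimefile is not None:
            self.file_csv_time.write(mft.mft_to_l2t(record))

        if self.options.bodyfile is not None:
            self.file_body.write(
                mft.mft_to_body(record, self.options.bodyfull,
                                self.options.bodystd))

        if self.options.progress:
            step = self.mftsize / 5
            # step is 0 when mftsize is below five under integer division; the
            # unguarded modulo raised ZeroDivisionError.
            if step and self.num_records > 0 and self.num_records % step == 0:
                # Single parenthesised argument: same output on Python 2 and 3.
                print('Building MFT: {0:.0f}'.format(
                    100.0 * self.num_records / self.mftsize) + '%')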