def get_summary(self, ver): info_list = dict() total_num = struct.unpack("<L", self.__destlist[4:8])[0] info_list["Total Num of JumpList"] = total_num num_action = self.__destlist[24:32] info_list["Total Num of Add/Delete/Open action"] = num_action[0] netbiosname = self.__destlist[104:120] entryidnumber = struct.unpack("<L", self.__destlist[120:124]) info_list["Netbios"] = decode_str( netbiosname) #netbiosname.replace('\x00','') time = struct.unpack("<Q", self.__destlist[132:140]) last_acc_time = convert_time(time[0]) info_list["TimeZone"] = last_acc_time.strftime("%Z") info_list["Last Access Time"] = last_acc_time.strftime( "%Y-%m-%d %H:%M:%S") cnt = struct.unpack("<L", self.__destlist[148:152]) info_list["Access Count"] = cnt[0] if ver == 7: len_stringdata = struct.unpack("<H", self.__destlist[144:146]) destlist_stringdata = self.__destlist[146:146 + len_stringdata[0] * 2] info_list["Data String"] = decode_str( destlist_stringdata) # destlist_stringdata.decode('utf-16') elif ver == 10: len_stringdata = struct.unpack("<H", self.__destlist[160:162]) destlist_stringdata = self.__destlist[162:162 + 2 * len_stringdata[0]] info_list["Data String"] = destlist_stringdata.decode('utf-16') return [info_list]
def __time(self): json_list = [] self.__file.seek(16) filedatetime = struct.unpack_from('<q', self.__file.read(8))[0] filedatetime = convert_time.convert_time(filedatetime) deleted_time = filedatetime.strftime("%Y-%m-%d %H:%M:%S") time_zone = filedatetime.strftime("%Z") rc_obj = {"Time Zone": time_zone, "File Deleted Time": deleted_time} json.dumps(rc_obj) json_list.append(rc_obj) return json_list
def __write_time(self): self.__file.seek(44) w_time = self.__file.read(8) w_time = struct.unpack('<q', w_time)[0] w_time = convert_time.convert_time(w_time) write_time = w_time.strftime("%Y-%m-%d %H:%M:%S") time_zone = w_time.strftime('%Z') lnk_list = [] lnk_obj = {"TimeZone": time_zone, 'Target File Write Time': write_time} json.dumps(lnk_obj) lnk_list.append(lnk_obj) return lnk_list
def __access_time(self): self.__file.seek(36) a_time = self.__file.read(8) a_time = struct.unpack_from('<q', a_time)[0] a_time = convert_time.convert_time(a_time) acess_time = a_time.strftime("%Y-%m-%d %H:%M:%S") time_zone = a_time.strftime('%Z') lnk_list = [] lnk_obj = { "TimeZone": time_zone, 'Target File Access Time': acess_time } json.dumps(lnk_obj) lnk_list.append(lnk_obj) return lnk_list
def __creation_time(self): self.__file.seek(28) c_time = self.__file.read(8) c_time = struct.unpack('<q', c_time) c_time = convert_time.convert_time(c_time) creation_time = c_time.strftime("%Y-%m-%d %H:%M:%S") time_zone = c_time.strftime('%Z') lnk_list = [] lnk_obj = { 'TimeZone': time_zone, 'Target File Creation Time': creation_time } json.dumps(lnk_obj) lnk_list.append(lnk_obj) return lnk_list
def __parse(self): result = [] start_offset = self.__read_unil_value() while True: self.__file.seek(start_offset) info_list = dict() record_size = self.__file.read(4) if record_size == b'': break elif record_size == b'\x00\x00\x00\x00': start_offset = self.__read_unil_value() else: record_size = struct.unpack("<I", record_size) start_offset = start_offset + record_size[0] self.__file.read(12) parent_mft_r_num = self.__file.read(8) info_list["USN"] = struct.unpack("<Q", self.__file.read(8))[0] ts_time = struct.unpack("<Q", self.__file.read(8)) if ts_time[0] == 0: continue try: usn_time = convert_time(ts_time[0]) info_list["Timezone"] = usn_time.strftime("%Z") info_list["Time"] = usn_time.strftime("%Y-%m-%d %H:%M:%S") except OverflowError: info_list["Time"] = 'none' info_list["Event Info"] = self.__reason_flag(self.__file.read(4)) source_info = struct.unpack("<I", self.__file.read(4))[0] if source_info == 0: info_list["Source"] = "User" elif source_info == 1: info_list["Source"] = "OS" else: info_list["Source"] = "Others" security_id = self.__file.read(4).decode() info_list["File Attribute"] = self.__file_attr( self.__file.read(4)) # file_attr) name_size = struct.unpack("<H", self.__file.read(2))[0] offset_name = self.__file.read(2) try: name = self.__file.read(name_size) info_list["Filename"] = name.decode('utf-16') except UnicodeDecodeError: info_list["Filename"] = 'cannot decode' result.append(info_list) return result
def __last_launch_time(self): json_list = [] self.__file.seek(128) if self.__file_version == 23: end = 1 else: end = 8 for i in range(0, end): time = struct.unpack_from("<Q", self.__file.read(8))[0] time = convert_time.convert_time(time) last_launch_time = time.strftime("%Y-%m-%d %H:%M:%S") time_zone = time.strftime("%Z") pf_obj = { "TimeZone": time_zone, "File Last Launch Time": last_launch_time } json.dumps(pf_obj) json_list.append(pf_obj) return json_list
def __metadata_info(self): json_list = [] self.__file.seek(108) metadata_info_offset = struct.unpack_from('<I', self.__file.read(4))[0] num_metadata_record = struct.unpack_from('<I', self.__file.read(4))[0] self.__file.seek(metadata_info_offset) volume_device_path_off = struct.unpack_from('<I', self.__file.read(4))[0] volume_device_path_off = metadata_info_offset + volume_device_path_off volume_device_path_length = struct.unpack_from('<I', self.__file.read(4))[0] volume_device_path_length = volume_device_path_length * 2 time = struct.unpack_from("<Q", self.__file.read(8))[0] time = convert_time.convert_time(time) volume_creation_time = time.strftime("%Y-%m-%d %H:%M:%S") time_zone = time.strftime('%Z') volume_serial_num = struct.unpack_from('<I', self.__file.read(4))[0] self.__file.seek(volume_device_path_off) volume_device_path = self.__file.read(volume_device_path_length) volume_device_path = volume_device_path.decode('utf16', 'ignore') volume_device_path = volume_device_path.replace('\x00', '') pf_obj = { "Num Metadata Records": str(num_metadata_record), "Volume Device Path": str(volume_device_path), "TimeZone": time_zone, "Volume Creation Time": volume_creation_time, "Volume Serial Num": str(volume_serial_num) } json.dumps(pf_obj) json_list.append(pf_obj) return json_list
def __stream(self): for i in range(0, len(self.__streams)): data = self.__file.openstream(self.__streams[i]) file_data = data.read() header_value = file_data[:4] if header_value is b'': pass elif header_value[0] == 76: data_list = dict() lnk_flag = struct.unpack("<L", file_data[20:24]) lnk_flag = BitArray(hex(lnk_flag[0])) link_flag = self.__link_flag(lnk_flag.bin) file_attr = struct.unpack("<I", file_data[24:28]) file_attr = BitArray(hex(file_attr[0])) flag_attr = self.__lnk_attrib(file_attr.bin) # data_list["file attribute"] = flag_attr data_list["TimeZone"] = 'UTC +00:00' c_time = struct.unpack("<Q", file_data[28:36]) data_list["create time"] = convert_time( c_time[0]).strftime("%Y-%m-%d %H:%M:%S") a_time = struct.unpack("<Q", file_data[36:44]) data_list["access time"] = convert_time( a_time[0]).strftime("%Y-%m-%d %H:%M:%S") w_time = struct.unpack("<Q", file_data[44:52]) data_list["write time"] = convert_time( w_time[0]).strftime("%Y-%m-%d %H:%M:%S") data_list["file size"] = self.__file.get_size( self.__streams[i]) file_size = struct.unpack("<L", file_data[52:56])[0] data_list["target file size"] = file_size lnk_id_list_size = struct.unpack('<H', file_data[76:78]) lnk_info_size = struct.unpack( '<L', file_data[78 + lnk_id_list_size[0]:82 + lnk_id_list_size[0]]) path_offset = struct.unpack( '<L', file_data[94 + lnk_id_list_size[0]:94 + lnk_id_list_size[0] + 4]) try: volumeid_offset = struct.unpack( "<L", file_data[90 + lnk_id_list_size[0]:90 + lnk_id_list_size[0] + 4]) volumeid_size = struct.unpack( "<L", file_data[78 + lnk_id_list_size[0] + volumeid_offset[0]:volumeid_offset[0] + 82 + lnk_id_list_size[0]]) drivetype = struct.unpack( "<L", file_data[82 + lnk_id_list_size[0] + volumeid_offset[0]:volumeid_offset[0] + 86 + lnk_id_list_size[0]]) volumelabel_offset = struct.unpack( "<L", file_data[90 + lnk_id_list_size[0] + volumeid_offset[0]:volumeid_offset[0] + 94 + lnk_id_list_size[0]]) if volumelabel_offset[0] == 14: offset1 = volumeid_size[0] - (4 + 4 + 4 + 4 + 4) else: offset1 = volumeid_size[0] - (4 + 4 + 4 + 4) drive_serial_num = struct.unpack( "<L", file_data[86 + lnk_id_list_size[0] + volumeid_offset[0]:volumeid_offset[0] + 90 + lnk_id_list_size[0]])[0] volumelabel = file_data[ volumeid_offset[0] + 94 + lnk_id_list_size[0]:volumeid_offset[0] + 94 + lnk_id_list_size[0] + offset1] volumelabel = decode_str(volumelabel) drivetype = self.__drive_type_list(drivetype[0]) except struct.error: continue if 'HasLinkInfo' in link_flag: size = lnk_info_size[0] - path_offset[0] local_path = file_data[78 + lnk_id_list_size[0] + path_offset[0]:78 + lnk_id_list_size[0] + path_offset[0] + size] data_list["Local Path"] = decode_str(local_path) elif 'HasRelativePath' in link_flag: net_offset = struct.unpack( "<L", file_data[98 + lnk_id_list_size[0]:102 + lnk_id_list_size[0]]) size = net_offset[0] - path_offset[0] local_path = file_data[78 + lnk_id_list_size[0] + path_offset[0]:78 + lnk_id_list_size[0] + path_offset[0] + size] data_list["Local Path"] = decode_str(local_path) data_list["drive type"] = drivetype data_list["drive serial number"] = drive_serial_num data_list["Volume Label"] = volumelabel self.__json_list.append(data_list) else: self.__destlist = file_data
def __destlist_data(self, ver): result = [] try: total_num = struct.unpack("<L", self.__destlist[4:8]) entryidnumber = struct.unpack("<L", self.__destlist[120:124]) if ver == 7: len_stringdata = struct.unpack("<H", self.__destlist[144:146]) offset = 146 + 2 * len_stringdata[0] elif ver == 10: len_stringdata = struct.unpack("<H", self.__destlist[160:162]) offset = 166 + 2 * len_stringdata[0] for entry in range(total_num[0] - 1): if entryidnumber[0] > 1: info_list = dict() if ver == 10: mac = self.__destlist[offset + 34:offset + 40] info_list["MAC(new)"] = format( mac[0], '02x') + ':' + format( mac[1], '02x') + ':' + format( mac[2], '02x') + ':' + format( mac[3], '02x') + ':' + format( mac[4], '02x') + ':' + format( mac[5], '02x') mac = self.__destlist[offset + 66:offset + 72] info_list["MAC(birth)"] = format( mac[0], '02x') + ':' + format( mac[1], '02x') + ':' + format( mac[2], '02x') + ':' + format( mac[3], '02x') + ':' + format( mac[4], '02x') + ':' + format( mac[5], '02x') netbiosname = self.__destlist[offset + 72:offset + 88] try: info_list["netbios"] = netbiosname.decode( 'ascii').replace('\x00', '') except UnicodeDecodeError: info_list["netbios"] = 'cannot decode' entryidnumber = struct.unpack( "<L", self.__destlist[offset + 88:offset + 92]) last_access_time = struct.unpack( "<Q", self.__destlist[offset + 100:offset + 108]) last_acc_time = convert_time(last_access_time[0]) info_list["TimeZone"] = last_acc_time.strftime("%Z") info_list["last access time"] = last_acc_time.strftime( "%Y-%m-%d %H:%M:%S") access_cnt = struct.unpack( "<L", self.__destlist[offset + 116:offset + 120]) info_list["access count"] = access_cnt[0] len_stringdata = struct.unpack( "<H", self.__destlist[offset + 128:offset + 130]) offset_new = offset + 130 + 2 * len_stringdata[0] string_data = self.__destlist[offset + 130:offset_new] info_list["data"] = string_data.decode('utf-16') offset = offset_new + 4 result.append(info_list) elif ver == 7: try: mac = self.__destlist[offset + 34:offset + 40] info_list["MAC(new)"] = format( mac[0], '02x') + ':' + format( mac[1], '02x') + ':' + format( mac[2], '02x') + ':' + format( mac[3], '02x') + ':' + format( mac[4], '02x') + ':' + format( mac[5], '02x') mac = self.__destlist[offset + 66:offset + 72] info_list["MAC(birth)"] = format( mac[0], '02x') + ':' + format( mac[1], '02x') + ':' + format( mac[2], '02x') + ':' + format( mac[3], '02x') + ':' + format( mac[4], '02x') + ':' + format( mac[5], '02x') netbiosname = self.__destlist[offset + 72:offset + 88] try: info_list["netbios"] = netbiosname.decode( 'ascii').replace('\x00', '') except UnicodeDecodeError: info_list["netbios"] = 'cannot decode' entryidnumber = struct.unpack( "<Q", self.__destlist[offset + 88:offset + 96]) last_access_time = struct.unpack( "<Q", self.__destlist[offset + 100:offset + 108]) last_acc_time = convert_time(last_access_time[0]) info_list["TimeZone"] = last_acc_time.strftime( "%Z") info_list[ "last access time"] = last_acc_time.strftime( "%Y-%m-%d %H:%M:%S") len_stringdata = struct.unpack( "<H", self.__destlist[offset + 112:offset + 114]) offset_new = offset + 114 + 2 * len_stringdata[0] string_data = self.__destlist[offset + 114:offset_new] info_list["data"] = string_data.decode('utf-16') new_time = struct.unpack( "<Q", self.__destlist[offset + 24:offset + 32]) if new_time[0] == 0: info_list["new time"] = 'non info' else: new_time2 = self.__convert_hex(hex( new_time[0])) info_list["new time"] = convert_time( new_time2 - 5748192000000000).strftime( "%Y-%m-%d %H:%M:%S") birth_time = struct.unpack( "<Q", self.__destlist[offset + 56:offset + 64]) if birth_time[0] == 0: info_list["birth time"] = 'non info' else: birth_time2 = self.__convert_hex( hex(birth_time[0])) info_list["birth time"] = convert_time( birth_time2 - 5748192000000000).strftime( "%Y-%m-%d %H:%M:%S") offset = offset_new result.append(info_list) except: pass except struct.error: pass except AttributeError: pass return result
def __parse(self): edb_data_table = self.__file.get_table_by_name("SystemIndex_0A") no = 0 for row in edb_data_table.records: no += 1 mkdict = dict() mkdict["index"] = no mkdict["type"] = "window search.edb" mkdict["timezone"] = convert_time.convert_time(0).strftime("%Z") mkdict["DocID"] = row.get_value_data_as_integer(0) mkdict["FileName"] = row.get_value_data_as_string(31).split( '\\')[-1] if row.get_value_data(5) is None: mkdict["System_DateModified"] = convert_time.convert_time( 0).strftime("%Y-%m-%d %H:%M:%S") else: mkdict["System_DateModified"] = convert_time.convert_time( int(bytes.decode(binascii.hexlify(row.get_value_data(5))), 16)).strftime("%Y-%m-%d %H:%M:%S") if row.get_value_data(6) is None: mkdict["System_DateCreated"] = convert_time.convert_time( 0).strftime("%Y-%m-%d %H:%M:%S") else: mkdict["System_DateCreated"] = convert_time.convert_time( int(bytes.decode(binascii.hexlify(row.get_value_data(6))), 16)).strftime("%Y-%m-%d %H:%M:%S") if row.get_value_data(7) is None: mkdict["System_DateAccessed"] = convert_time.convert_time( 0).strftime("%Y-%m-%d %H:%M:%S") else: mkdict["System_DateAccessed"] = convert_time.convert_time( int(bytes.decode(binascii.hexlify(row.get_value_data(7))), 16)).strftime("%Y-%m-%d %H:%M:%S") mkdict["System_IsFolder"] = int( bytes.decode(binascii.hexlify(row.get_value_data(19))), 16) if mkdict["System_IsFolder"] == 1 or row.get_value_data(3) is None: mkdict["System_Size"] = "" else: mkdict["System_Size"] = int( bytes.decode(binascii.hexlify(row.get_value_data(3))), 16) mkdict["System_MIMEType"] = row.get_value_data_as_string(21) mkdict["System_ItemPathDisplay"] = row.get_value_data_as_string(31) if row.get_value_data(193) is None: mkdict["System_Search_AutoSummary"] = "" else: mkdict["System_Search_AutoSummary"] = "" # data1 = row.get_value_data(193) # data = bytes.decode(binascii.hexlify(row.get_value_data(193))) mkdict["System_ItemTypeText"] = row.get_value_data_as_string(253) mkdict["System_FileExtension"] = row.get_value_data_as_string(262) mkdict[ "System_ItemPathDisplayNarrow"] = row.get_value_data_as_string( 284) mkdict["System_FileName"] = row.get_value_data_as_string(363) self.winsearch_list.append(mkdict)
def __parse_info(self): result = [] for size in range(0, self.__mft_size): self.file.seek(1024 * size) info_list = dict() self.file.read(8) info_list["LSN"] = struct.unpack("<Q", self.file.read(8))[0] self.file.read(4) offset_first = struct.unpack("<H", self.file.read(2))[0] flags = self.file.read(2) used_size = struct.unpack("<H", self.file.read(2))[0] if used_size == 64: continue allocated_size = struct.unpack("<I", self.file.read(4))[0] file_refernce = unpack48(self.file.read(8)) sequence_value = file_refernce[0] mft_entry_number = file_refernce[1] next_attr_id = struct.unpack("<H", self.file.read(2))[0] next_id = self.file.read(2) self.file.seek(1024 * size + offset_first) self.file.read(8) resident_flag = self.file.read(1) resident_flag = struct.unpack("<B", resident_flag)[0] self.file.seek(3, 1) # name_length = struct.unpack("<B", self.file.read(1))[0] # offset_name = struct.unpack("<H", self.file.read(2))[0] self.file.read(4) if resident_flag is 0: # resident self.file.read(8) else: # non-resident self.file.read(48) # $STANDARD_INFORMATION c_time = struct.unpack("<Q", self.file.read(8)) if c_time[0] == 0: continue try: sin_creation_time = convert_time(c_time[0]) info_list["TimeZone"] = sin_creation_time.strftime("%Z") info_list["SIN Creation Time"] = sin_creation_time.strftime( "%Y-%m-%d %H:%M:%S") except OverflowError: continue m_time = struct.unpack("<Q", self.file.read(8)) try: info_list["SIN Modified Time"] = convert_time( m_time[0]).strftime("%Y-%m-%d %H:%M:%S") except OverflowError: continue mft_modified_time = struct.unpack("<Q", self.file.read(8)) try: info_list["SIN MFT Modified Time"] = convert_time( mft_modified_time[0]).strftime("%Y-%m-%d %H:%M:%S") except OverflowError: continue a_time = struct.unpack("<Q", self.file.read(8)) try: info_list["SIN Last Accessed Time"] = convert_time( a_time[0]).strftime("%Y-%m-%d %H:%M:%S") except OverflowError: continue self.file.read(40) file_name_off = self.file.tell() # $FILE_NAME if struct.unpack("<I", self.file.read(4))[0] == 48: attr_len = struct.unpack("<I", self.file.read(4))[0] self.file.read(1) #resident_flag = struct.unpack("<B", self.file.read(1))[0] name_length = struct.unpack("<B", self.file.read(1))[0] offset_name = struct.unpack("<H", self.file.read(2))[0] self.file.read(12) file_refernce = BitArray( self.file.read(8)).unpack('uintle:48, <H') parent_sequence_value = file_refernce[1] parent_mft_entry_number = file_refernce[0] c_time = struct.unpack("<Q", self.file.read(8)) try: info_list["FIN Creation Time"] = convert_time( c_time[0]).strftime("%Y-%m-%d %H:%M:%S") except OverflowError: info_list["FIN Creation Time"] = 'none' m_time = struct.unpack("<Q", self.file.read(8)) try: info_list["FIN Modified Time"] = convert_time( m_time[0]).strftime("%Y-%m-%d %H:%M:%S") except OverflowError: info_list["FIN Modified Time"] = 'none' mft_modified_time = struct.unpack("<Q", self.file.read(8)) try: info_list["FIN MFT Modified Time"] = convert_time( mft_modified_time[0]).strftime("%Y-%m-%d %H:%M:%S") except OverflowError: info_list["FIN MFT Modified Time"] = 'none' a_time = struct.unpack("<q", self.file.read(8)) try: info_list["FIN Last Accessed Time"] = convert_time( a_time[0]).strftime("%Y-%m-%d %H:%M:%S") except OverflowError: info_list["FIN Last Accessed Time"] = 'none' self.file.read(8) # file allocation size info_list["File Size"] = struct.unpack("<Q", self.file.read(8))[0] # info_list["MFT Entry Num"] = mft_entry_number # info_list["Parent MFT Entry Num"] = parent_mft_entry_number self.file.read(8) name_length = struct.unpack("<B", self.file.read(1))[0] name_type = struct.unpack("<B", self.file.read(1))[0] if name_type == 2: try: self.file.read(name_length * 2).decode('utf-16') self.file.read(attr_len - (self.file.tell() - file_name_off)) self.file.read(88) name_length = struct.unpack("<B", self.file.read(1))[0] self.file.read(1) info_list["Name"] = self.file.read(name_length * 2).decode('utf-16') except UnicodeDecodeError: info_list["Name"] = "Unable To Decode Filename" else: try: info_list["Name"] = self.file.read(name_length * 2).decode('utf-16') except UnicodeDecodeError: info_list["Name"] = "Unable To Decode Filename" path_list = [] while True: parent_result = self.__find_parent(parent_mft_entry_number) parent_mft_entry_number = parent_result[1] parent_name = parent_result[0] if parent_name == 'None' or parent_name == '.': break else: path_list.append(parent_name) path = '' for p in reversed(path_list): path = path + str(p) + '\\' info_list["Parent"] = path else: info_list["FIN Creation Time"] = '' info_list["FIN Modified Time"] = '' info_list["FIN MFT Modified Time"] = '' info_list["FIN Last Accessed Time"] = '' info_list["File Size"] = '' info_list["Name"] = '' info_list["Parent"] = '' result.append(info_list) return result