def extract_usnjrnl(filesystem, path):
    """Copy the USN journal at *path* out of a guest filesystem and parse it.

    The journal is fetched by inode number into a temporary file on the
    host. That file is deleted when the ``with`` block exits, so no copy of
    the evidence is left behind.

    Args:
        filesystem: guest filesystem handle exposing ``inspect_get_roots()``,
            ``stat()`` and ``download_inode()``.
        path: path of the journal file inside the guest.

    Returns:
        A list with one dictionary per record yielded by ``usn_journal()``.
    """
    # buffering=0 as in the original; this handle is never written to here.
    # download_inode() is given the file *name* and presumably writes the
    # journal there itself.
    with NamedTemporaryFile(buffering=0) as scratch:
        # Only the first inspected root is used. If inspect_get_roots()
        # returns an empty list, the [0] raises IndexError.
        # NOTE(review): a disk with several OS roots is not handled; confirm.
        first_root = filesystem.inspect_get_roots()[0]
        journal_inode = filesystem.stat(path)['ino']
        filesystem.download_inode(first_root, journal_inode, scratch.name)

        # The journal bytes come from the disk under examination, so the
        # parser must tolerate malformed records.
        # NOTE(review): verify that usn_journal() does.
        records = []
        for entry in usn_journal(scratch.name):
            records.append(entry._asdict())
        return records
def _read_journal(self):
    """Extract the USN journal from the disk and return its parsed content.

    The journal is looked up at the fixed guest path ``C:\\$Extend\\$UsnJrnl``,
    copied by inode number into a temporary file on the host, and passed
    through ``usn_journal()`` and ``parse_journal()``.

    Returns:
        Whatever ``parse_journal()`` produces for the journal records.
    """
    guest_fs = self._filesystem
    journal_path = 'C:\\$Extend\\$UsnJrnl'

    # Only the first inspected root is used. If inspect_get_roots() returns
    # an empty list, the [0] raises IndexError.
    first_root = guest_fs.inspect_get_roots()[0]
    journal_inode = guest_fs.stat(journal_path)['ino']

    with NamedTemporaryFile(buffering=0) as scratch:
        guest_fs.download_inode(first_root, journal_inode, scratch.name)
        # Parse while the temporary file still exists, in case usn_journal()
        # reads lazily. The file is deleted when this block exits.
        # The journal content is taken from the examined disk as-is.
        # NOTE(review): verify the parsers tolerate malformed records.
        return parse_journal(usn_journal(scratch.name))
def parse_usnjrnl(usnjrnl, disk=None):
    """Parse a USN journal, either from a host file or from inside a disk.

    Args:
        usnjrnl: path of the journal. With ``disk`` unset it is handed
            straight to ``usn_journal()``. With ``disk`` set it is the path
            of the journal inside that disk's filesystem.
        disk: optional disk to open with ``FileSystem``. When given, the
            journal is extracted from it via ``extract_usnjrnl()``.

    Returns:
        A list with one dictionary per journal record.
    """
    if disk is None:
        # The journal has already been extracted; parse the file directly.
        return [record._asdict() for record in usn_journal(usnjrnl)]

    # FileSystem is used as a context manager, so the handle on the disk is
    # released once extraction finishes or fails.
    with FileSystem(disk) as filesystem:
        return extract_usnjrnl(filesystem, usnjrnl)