|
|
1
|
import os
|
|
|
2
|
|
|
|
3
4
5
6
|
import logger
import tomb
from modules.module import Module
from runcmd import runProcess
|
|
|
7
|
import pytsk3
|
root
authored
|
8
|
import time
|
|
|
9
10
|
|
|
|
11
12
|
def getInstance():
return MFTModule()
|
|
|
13
14
15
|
class MFTModule(Module):
|
|
|
16
|
def __init__(self):
|
|
|
17
18
|
self.name = "mft"
self.description = "Extracts NTFS MFT"
|
|
|
19
20
|
self.requiredVars = ["ntfsvol"]
self.vars = {}
|
|
|
21
|
|
|
|
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
def dumpMFT(self,ntfsvol,file):
img = pytsk3.Img_Info(url=ntfsvol)
fs = pytsk3.FS_Info(img)
file_entry = fs.open_meta(inode=0)
offset = 0
size = file_entry.info.meta.size
BUFF_SIZE = 1024*1024
mft = open(file,'wb')
while offset < size:
available_to_read = min(BUFF_SIZE, size - offset)
data = file_entry.read_random(offset, available_to_read)
if not data:
break
offset += len(data)
mft.write(data)
mft.close()
img.close()
|
|
|
44
|
def execute(self):
|
|
|
45
|
path = tomb.getPath() + self.name + "/"
|
|
|
46
47
|
if(not os.path.exists(path)):
os.mkdir(path)
|
|
|
48
|
logger.msgLog("Extracting MFT from volumes: " + repr(self.vars['ntfsvol'].value), "mft", logger.TYPE_INFO)
|
|
|
49
|
for vol in self.vars['ntfsvol'].value:
|
root
authored
|
50
|
self.dumpMFT("/dev/" + vol,path + vol + "_" + str(int(time.time())) + ".bin")
|
|
|
51
|
|
