|
|
1
|
from module import Module
|
|
|
2
3
|
from runcmd import runProcess
import tomb
|
|
|
4
|
import os
|
|
|
5
|
|
|
|
6
7
|
def getInstance():
return MFTModule()
|
|
|
8
9
10
|
class MFTModule(Module):
|
|
|
11
|
def __init__(self):
|
|
|
12
13
|
self.name = "mft"
self.description = "Extracts NTFS MFT"
|
|
|
14
15
|
self.requiredVars = ["ntfsvol"]
self.vars = {}
|
|
|
16
17
|
def run(self):
|
|
|
18
19
|
path = tomb.getPath() + self.name + "/"
os.mkdir(path)
|
|
|
20
21
|
for vol in self.vars['ntfsvol'].value:
result = runProcess(["icat","/dev/" + vol,"0"])
|
|
|
22
|
mftbin = open(path + vol + ".bin",'wb')
|
|
|
23
24
|
mftbin.write(result[0])
mftbin.close()
|
|
|
25
|
|
