|
|
1
|
import os
|
|
|
2
|
|
|
|
3
4
5
6
7
8
|
import logger
import tomb
from modules.module import Module
from runcmd import runProcess
|
|
|
9
10
|
def getInstance():
return MFTModule()
|
|
|
11
12
13
|
class MFTModule(Module):
|
|
|
14
|
def __init__(self):
|
|
|
15
16
|
self.name = "mft"
self.description = "Extracts NTFS MFT"
|
|
|
17
18
|
self.requiredVars = ["ntfsvol"]
self.vars = {}
|
|
|
19
20
|
def run(self):
|
|
|
21
|
path = tomb.getPath() + self.name + "/"
|
|
|
22
23
|
if(not os.path.exists(path)):
os.mkdir(path)
|
|
|
24
|
logger.msgLog("Extracting MFT from volumes: " + repr(self.vars['ntfsvol'].value), "mft", logger.TYPE_INFO)
|
|
|
25
|
for vol in self.vars['ntfsvol'].value:
|
|
|
26
|
result,code = runProcess(["icat","/dev/" + vol,"0"])
|
|
|
27
|
mftbin = open(path + vol + ".bin",'wb')
|
|
|
28
|
mftbin.write(result)
|
|
|
29
|
mftbin.close()
|
|
|
30
|
|
