|
|
1
|
from module import Module
|
|
|
2
3
|
from runcmd import runProcess
import tomb
|
|
|
4
|
import os
|
|
|
5
|
|
|
|
6
7
|
def getInstance():
return MFTModule()
|
|
|
8
9
10
|
class MFTModule(Module):
|
|
|
11
|
def __init__(self):
|
|
|
12
13
|
self.name = "mft"
self.description = "Extracts NTFS MFT"
|
|
|
14
15
|
self.requiredVars = ["ntfsvol"]
self.vars = {}
|
|
|
16
17
|
def run(self):
|
|
|
18
|
os.mkdir(tomb.getPath() + "mft/")
|
|
|
19
20
21
22
23
|
for vol in self.vars['ntfsvol'].value:
result = runProcess(["icat","/dev/" + vol,"0"])
mftbin = open(tomb.getPath() + "mft/" + vol + ".bin",'wb')
mftbin.write(result[0])
mftbin.close()
|
|
|
24
|
|
