mft.py 813 Bytes
import os

import logger
import tomb
from modules.module import Module
from runcmd import runProcess


def getInstance():
    return MFTModule()

class MFTModule(Module):

    def __init__(self):
        self.name = "mft"
        self.description = "Extracts NTFS MFT"
        self.requiredVars = ["ntfsvol"]
        self.vars = {}

    def execute(self):
        path = tomb.getPath() + self.name + "/"
        if(not os.path.exists(path)):
            os.mkdir(path)
            logger.msgLog("Extracting MFT from volumes: " + repr(self.vars['ntfsvol'].value), "mft", logger.TYPE_INFO)
        for vol in self.vars['ntfsvol'].value:
            result,code = runProcess(["icat","/dev/" + vol,"0"])
            mftbin = open(path + vol + ".bin",'wb')
            mftbin.write(result)
            mftbin.close()