diff --git a/README.md b/README.md index bd103b9..63af265 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ REQUIRED PACKAGES * python3 * python3-dialog -* sleuthkit -* pev +* pytsk3 +* python-pefile * ntfs-3g * lshw \ No newline at end of file diff --git a/modules/mft.py b/modules/mft.py index b2dde7c..89f6985 100644 --- a/modules/mft.py +++ b/modules/mft.py @@ -4,6 +4,7 @@ import logger import tomb from modules.module import Module from runcmd import runProcess +import pytsk3 def getInstance(): @@ -17,14 +18,33 @@ class MFTModule(Module): self.requiredVars = ["ntfsvol"] self.vars = {} + def dumpMFT(self,ntfsvol,file): + img = pytsk3.Img_Info(url=ntfsvol) + fs = pytsk3.FS_Info(img) + file_entry = fs.open_meta(inode=0) + offset = 0 + size = file_entry.info.meta.size + BUFF_SIZE = 1024*1024 + mft = open(file,'wb') + + while offset < size: + available_to_read = min(BUFF_SIZE, size - offset) + data = file_entry.read_random(offset, available_to_read) + if not data: + break + + offset += len(data) + mft.write(data) + + mft.close() + img.close() + + def execute(self): path = tomb.getPath() + self.name + "/" if(not os.path.exists(path)): os.mkdir(path) logger.msgLog("Extracting MFT from volumes: " + repr(self.vars['ntfsvol'].value), "mft", logger.TYPE_INFO) for vol in self.vars['ntfsvol'].value: - result,code = runProcess(["icat","/dev/" + vol,"0"]) - mftbin = open(path + vol + ".bin",'wb') - mftbin.write(result) - mftbin.close() + self.dumpMFT("/dev/" + vol,path + vol + ".bin") diff --git a/winver.py b/winver.py index 11cdf30..8346f8f 100644 --- a/winver.py +++ b/winver.py @@ -1,6 +1,7 @@ import os from runcmd import runProcess import re +import pefile _WIN_9x = 0 _WIN_ME = 1 
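Review bot: `from runcmd import runProcess` on the context line just above the new `import pytsk3` looks orphaned once this commit replaces the `icat` call in execute() with dumpMFT(); if no other caller remains in mft.py, drop it, and the same applies to `from runcmd import runProcess` in winver.py's import hunk once the `pev` call there is removed. The new third-party import is also placed below the local `modules.module` and `runcmd` imports; moving it up with `import os` (stdlib, then third-party, then local) would match the usual grouping. Only the import block is visible in these hunks, so whether runProcess is still referenced elsewhere in either file cannot be confirmed from here.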
@@ -22,26 +23,32 @@ _WIN_10 = 10 def getWindowsVersion(path): if(os.path.isfile(getWindowsDirectory(path) + "/System32/ntdll.dll")): - output,code = runProcess(["pev","-p",getWindowsDirectory(path) + "/System32/ntdll.dll"]) - version = output.decode("utf-8") - if re.match("(3|4)\.",version) != None: - return _WIN_NT - elif re.match("5\.0",version) != None: - return _WIN_2k - elif re.match("5\.1", version) != None: - return _WIN_XP - elif re.match("5\.2", version) != None: - return _WIN_2k3 - elif re.match("6\.0", version) != None: - return _WIN_VISTA - elif re.match("6\.1", version) != None: - return _WIN_7 - elif re.match("6\.2", version) != None: - return _WIN_8 - elif re.match("6\.3", version) != None: - return _WIN_81 - elif re.match("10\.", version) != None: - return _WIN_10 + version = "" + pe = pefile.PE(getWindowsDirectory(path) + "/System32/ntdll.dll") + for entry in pe.FileInfo: + if hasattr(entry, 'StringTable'): + for st in entry.StringTable: + for k, v in st.entries.items(): + if k == "ProductVersion": + version = v + if re.match("(3|4)\.",version) != None: + return _WIN_NT + elif re.match("5\.0", version) != None: + return _WIN_2k + elif re.match("5\.1", version) != None: + return _WIN_XP + elif re.match("5\.2", version) != None: + return _WIN_2k3 + elif re.match("6\.0", version) != None: + return _WIN_VISTA + elif re.match("6\.1", version) != None: + return _WIN_7 + elif re.match("6\.2", version) != None: + return _WIN_8 + elif re.match("6\.3", version) != None: + return _WIN_81 + elif re.match("10\.", version) != None: + return _WIN_10 else: if(os.path.isfile(getWindowsDirectory(path) + "/CLASSES.DAT")): return _WIN_ME