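import os
import logger
import tomb
from modules.module import Module
from runcmd import runProcess
import pytsk3
import datetime


def getInstance():
    """Return a fresh MFTModule instance (module factory entry point)."""
    return MFTModule()


class MFTModule(Module):
    """Module that dumps the NTFS Master File Table ($MFT) of each configured volume.

    Required variable: ``ntfsvol`` -- an iterable of device names under ``/dev``.
    """

    # Read the $MFT in 1 MiB chunks so a large table is never held in memory at once.
    BUFF_SIZE = 1024 * 1024

    def __init__(self):
        self.name = "mft"
        self.description = "Extracts NTFS MFT"
        self.requiredVars = ["ntfsvol"]
        self.vars = {}

    def dumpMFT(self, ntfsvol, file):
        """Copy the $MFT of the NTFS volume at *ntfsvol* into the file at *file*.

        Args:
            ntfsvol: path of the block device or image holding the NTFS volume.
            file: destination path; created or truncated and written in binary mode.

        Raises:
            Whatever pytsk3 raises if the volume or file system cannot be opened,
            and OSError/IOError if the destination cannot be written. The image
            handle and the output file are closed in every case.
        """
        img = pytsk3.Img_Info(url=ntfsvol)
        try:
            fs = pytsk3.FS_Info(img)
            # Inode 0 on NTFS is $MFT itself.
            file_entry = fs.open_meta(inode=0)
            size = file_entry.info.meta.size
            offset = 0
            # The context manager guarantees the output file is closed even if
            # read_random() raises part-way through (the original leaked both
            # the file and the image handle on that path).
            with open(file, 'wb') as out:
                while offset < size:
                    chunk = min(self.BUFF_SIZE, size - offset)
                    data = file_entry.read_random(offset, chunk)
                    if not data:
                        # Empty read: stop rather than spin forever on no progress.
                        break
                    offset += len(data)
                    out.write(data)
        finally:
            img.close()

    def execute(self):
        """Dump the $MFT of every volume listed in the ``ntfsvol`` variable.

        Output goes to ``<tomb path>/mft/<vol>_<timestamp>.bin``. The volume
        name is used verbatim both as the device name under ``/dev`` and as the
        output file prefix; NOTE(review): a name containing path separators or
        ``..`` would therefore change where the dump is written -- confirm the
        variable is validated upstream if it can come from an untrusted source.
        """
        path = tomb.getPath() + self.name + "/"
        if not os.path.exists(path):
            os.mkdir(path)
        volumes = self.vars['ntfsvol'].value
        logger.msgLog("Extracting MFT from volumes: " + repr(volumes), "mft", logger.TYPE_INFO)
        for vol in volumes:
            stamp = str(datetime.datetime.now())
            self.dumpMFT("/dev/" + vol, path + vol + "_" + stamp + ".bin")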