#! /usr/bin/env python
from MFT import MFTEnumerator
import mmap
import logging
import calendar
from datetime import datetime
import argparse
from MFT import Cache
from MFT import MFTTree
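class Mmap(object):
    """
    Context manager that opens a file and exposes it as a read-only memory map.

    The file is opened in binary mode and mapped in full with
    ``mmap.ACCESS_READ``, so code running inside the ``with`` block cannot
    write to the input through the returned buffer.

    Usage::

        with Mmap(path) as buf:
            ...  # buf is an mmap.mmap object
    """
    def __init__(self, filename):
        """Remember *filename*; nothing is opened until the ``with`` block is entered."""
        super(Mmap, self).__init__()
        self._filename = filename
        self._f = None
        self._mmap = None

    def __enter__(self):
        """
        Open the file, map it read-only and return the map.

        Raises whatever ``open`` or ``mmap.mmap`` raise (for example
        ``ValueError`` for an empty file). In that case no file handle is
        left open.
        """
        handle = open(self._filename, "rb")
        try:
            mapped = mmap.mmap(handle.fileno(), 0, access=mmap.ACCESS_READ)
        except Exception:
            # __exit__ is not called when __enter__ raises, so the handle
            # has to be released here or it leaks.
            handle.close()
            raise
        self._f = handle
        self._mmap = mapped
        return self._mmap

    def __exit__(self, type, value, traceback):
        """Close the map and then the file; exceptions from the block propagate."""
        try:
            self._mmap.close()
        finally:
            # Release the file handle even if closing the map fails.
            self._f.close()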
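def main():
    """
    Print the directory tree described by an MFT file.

    Command line: ``-c cache_size`` (int, default 1024) sizes the record and
    path caches, ``-v`` enables DEBUG logging, and the positional argument is
    the input MFT file path. The input is mapped read-only, an ``MFTTree`` is
    built over it, and one line per node is written to stdout, indented by
    one space per level below the root.
    """
    parser = argparse.ArgumentParser(description='Parse MFT '
                                     'filesystem structures.')
    parser.add_argument('-c', action="store", metavar="cache_size", type=int,
                        dest="cache_size", default=1024,
                        help="Size of cache.")
    parser.add_argument('-v', action="store_true", dest="verbose",
                        help="Print debugging information")
    parser.add_argument('filename', action="store",
                        help="Input MFT file path")
    args = parser.parse_args()

    if args.verbose:
        logging.basicConfig(level=logging.DEBUG)

    with Mmap(args.filename) as buf:
        record_cache = Cache(args.cache_size)
        path_cache = Cache(args.cache_size)

        tree = MFTTree(buf)
        tree.build(record_cache=record_cache, path_cache=path_cache)

        # Pre-order walk with an explicit stack instead of recursion: the
        # nesting depth is dictated by the input image, and one Python frame
        # per directory level would hit the interpreter's recursion limit on
        # a deeply nested tree.
        pending = [(tree.get_root(), "")]
        while pending:
            node, prefix = pending.pop()
            # NOTE(review): the name is taken from the parsed image and
            # written as-is; if it can contain control characters, consider
            # escaping it before it reaches a terminal - confirm what
            # get_filename() returns.
            # Parenthesised single-argument form prints the same text as the
            # Python 2 print statement and is also valid on Python 3.
            print(prefix + node.get_filename())
            # Push children reversed so they are popped, and therefore
            # printed, in the order get_children() yields them.
            for child in reversed(list(node.get_children())):
                pending.append((child, prefix + " "))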
# Script entry point: run the command-line tool only when this file is
# executed directly, not when it is imported.
if __name__ == "__main__":
    main()