USN Parser for IceBuddha
""" USN file parse script for IceBuddha.com, based on http://shark5terforensics.blogspot.com/2015/03/manually-parsing-unallocated-usn.html
"""
import icebuddha
__author__ = "0xdabbad00"
__license__ = "Apache"
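class Parse:
    """IceBuddha parser plugin for one NTFS USN change-journal record.

    The record is read from offset 0 of the buffer IceBuddha hands to
    ``run``.  The field list matches the USN_RECORD_V2 layout (64-bit file
    reference numbers); a V3/V4 record uses 128-bit references and would
    need a different header definition -- not handled here.
    """

    def run(self, data):
        """Parse the USN record at the start of ``data``.

        ``data`` is the raw file content loaded by IceBuddha (assumed to be
        a byte string so that ``len`` gives the buffer size -- confirm
        against the IceBuddha host).  Returns the IceBuddha parse tree: one
        "USN" node with the header fields and, when the record's own
        FileNameOffset/FileNameLength describe a region that lies inside
        the buffer, a "FileName" child holding the raw name bytes.
        """
        ib = icebuddha.IceBuddha(data, "File Data")
        header = ib.parse(0, "USN", """
            DWORD RecordLength;
            WORD MajorVersion;
            WORD MinorVersion;
            ULONGLONG FileReferenceNumber; /* MFT Entry */
            ULONGLONG ParentFileReferenceNumber;
            ULONGLONG USN; /* Update Sequence Number */
            ULONGLONG TimeStamp;
            DWORD Reason;
            DWORD SourceInfo;
            DWORD SecurityID;
            DWORD FileAttributes;
            WORD FileNameLength;
            WORD FileNameOffset;
        """)

        # Both values come from the record itself, which may be carved from
        # unallocated space and truncated or corrupt.  Only parse the name
        # when the region it describes is inside the buffer; otherwise the
        # header fields are still returned instead of an out-of-range parse.
        name_offset = header.getInt("FileNameOffset")
        name_length = header.getInt("FileNameLength")
        if 0 <= name_offset and name_offset + name_length <= len(data):
            # FileNameLength is a byte count; the name is presented as raw
            # bytes here (USN_RECORD_V2 stores it as UTF-16LE text).
            name = ib.parse(name_offset, "FileName",
                            """BYTE FileName[%d];""" % name_length)
            header.append(name.findChild("FileName"))

        ib.append(header)
        return ib.getParseTree()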
# Module-level instance; presumably the object the IceBuddha host looks up
# and calls run() on -- confirm against the plugin loading convention.
parser = Parse()