""" USN file parse script for IceBuddha.com, based on http://shark5terforensics.blogspot.com/2015/03/manually-parsing-unallocated-usn.html | |
""" | |
import icebuddha | |
__author__ = "0xdabbad00" | |
__license__ = "Apache" | |
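class Parse:
    """IceBuddha parser for a single NTFS change-journal (USN) record.

    The record is expected to start at offset 0 of the supplied data and to
    use the USN_RECORD_V2 layout: a 60-byte fixed header (the fields listed in
    ``run``) followed by the file name at ``FileNameOffset``.
    """

    def run(self, data):
        """Parse one USN record from ``data`` and return the IceBuddha tree.

        Args:
            data: raw record bytes; the journal entry must begin at byte 0.

        Returns:
            The parse tree built by ``IceBuddha.getParseTree()``: a ``USN``
            struct node with the ``FileName`` byte array appended as a child
            (when the record carries one).
        """
        ib = icebuddha.IceBuddha(data, "File Data")
        record = ib.parse(0, "USN", """
            DWORD RecordLength;
            WORD MajorVersion;
            WORD MinorVersion;
            ULONGLONG FileReferenceNumber; /* MFT Entry */
            ULONGLONG ParentFileReferenceNumber;
            ULONGLONG USN; /* Update Sequence Number */
            ULONGLONG TimeStamp;
            DWORD Reason;
            DWORD SourceInfo;
            DWORD SecurityID;
            DWORD FileAttributes;
            WORD FileNameLength;
            WORD FileNameOffset;
        """)
        # NOTE(review): this is the V2 layout only. V3 records (128-bit file
        # references) place the name elsewhere; MajorVersion is parsed but not
        # checked, so a V3/V4 record will decode with the wrong field widths.

        # FileNameOffset/FileNameLength are taken straight from untrusted
        # input (anything a user pastes into IceBuddha). Bound them to the
        # bytes actually present so a truncated or malformed record never
        # asks the parser to read past the end of the buffer.
        name_offset = record.getInt("FileNameOffset")
        name_length = record.getInt("FileNameLength")
        available = max(0, len(data) - name_offset)
        name_length = min(name_length, available)

        # The journal stores the name as UTF-16LE; it is exposed as a raw
        # BYTE array here, as the original script did, rather than decoded.
        if name_length > 0:
            name_struct = ib.parse(
                name_offset, "FileName", "BYTE FileName[%d];" % name_length
            )
            record.append(name_struct.findChild("FileName"))

        ib.append(record)
        return ib.getParseTree()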
parser = Parse() |