Merge pull request #90 from rowingdude/testing-2.1.2

Version 3.0 - Now we're in Class!

Author: rowingdude

CHANGES.md

@@ -3,17 +3,18 @@
 
 This document lists the changes and version history for the AnalyzeMFT script and component scripts.
 
-## Version 2.1.2 (2024-08-13)
+## Version 3.0 (2024-08-15)
+
+Work has completed on the class-based layout. The program has been split into individual files each composed of the class within. 
+I believe this is the way to go (personal preference) as I like to work on one module at a time!
 
-Work has officially begun on the next minor revision of this application. The to do list is below. We'll update as things get finished.
 
 ### To do list:
 
-1. Finish the "class based layout"
-2. Improve the readabilityby breaking up some of the large functions like `parse_records`
-3. Implement a testing framework involving the sister project [GenerateMFT](https://github.com/rowingdude/GenerateMFT/).
-4. Implement multithreading as an option
+1. Implement a testing framework involving the sister project [GenerateMFT](https://github.com/rowingdude/GenerateMFT/).
+2. Implement multithreading as an option
 
+<! ----------------- We are going to version up to 3.0 given the complete rewrite ------------------->
 
 ## Version 2.1.1 (2024-08-02)
 

LICENSE.txt

@@ -1,10 +1,10 @@
-MIT License
-https://opensource.org/license/mit
-
-Copyright 2024 Benjamin Cance
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+MIT License
+https://opensource.org/license/mit
+
+Copyright 2024 Benjamin Cance
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

MANIFEST.in

@@ -27,8 +27,7 @@ Basic usage:
 
 ## Versioning
 
-Current version: 2.1
-Beta/Testing Version: 3.0
+Current version: 3.0
 
 ## Author
 

README.md

@@ -1,48 +1,47 @@
-# AnalyzeMFT
-
-AnalyzeMFT is a Python script designed to translate the NTFS Master File Table (MFT) into a human-readable and searchable format, such as CSV. This tool is useful for digital forensics, file system analysis, and understanding the structure of NTFS volumes.
-
-## Features
-
-- Parse NTFS MFT files
-- Generate CSV output of MFT records
-- Create timeline in CSV format
-- Produce bodyfile output for timeline analysis
-- Support for local timezone reporting
-- Anomaly detection (optional)
-- Debugging output (optional)
-
-## Requirements
-
-- Python 3.x
-
-## Installation
-
-1. Clone this repository or download the script files.
-2. Ensure you have Python 3.x installed on your system.
-
-Basic usage:
-
-`python AnalyzeMFT.py -f <mft_file> -o <output_file>`
-
-## Versioning
-
-Current version: 2.1
-Beta/Testing Version: 3.0
-
-## Author
-
-Benjamin Cance ([email protected])
-
-## License
-
-Copyright Benjamin Cance 2024
-
-## Contributing
-
-If you'd like to contribute to this project, please submit a pull request or open an issue on the project's repository.
-
-## Disclaimer
-
-This tool is provided as-is, without any warranties. Use at your own risk and ensure you have the necessary permissions before analyzing any file systems or MFT data.
-
+# AnalyzeMFT
+
+AnalyzeMFT is a Python script designed to translate the NTFS Master File Table (MFT) into a human-readable and searchable format, such as CSV. This tool is useful for digital forensics, file system analysis, and understanding the structure of NTFS volumes.
+
+## Features
+
+- Parse NTFS MFT files
+- Generate CSV output of MFT records
+- Create timeline in CSV format
+- Produce bodyfile output for timeline analysis
+- Support for local timezone reporting
+- Anomaly detection (optional)
+- Debugging output (optional)
+
+## Requirements
+
+- Python 3.x
+
+## Installation
+
+1. Clone this repository or download the script files.
+2. Ensure you have Python 3.x installed on your system.
+
+Basic usage:
+
+`python AnalyzeMFT.py -f <mft_file> -o <output_file>`
+
+## Versioning
+
+Current version: 3.0
+
+## Author
+
+Benjamin Cance ([email protected])
+
+## License
+
+Copyright Benjamin Cance 2024
+
+## Contributing
+
+If you'd like to contribute to this project, please submit a pull request or open an issue on the project's repository.
+
+## Disclaimer
+
+This tool is provided as-is, without any warranties. Use at your own risk and ensure you have the necessary permissions before analyzing any file systems or MFT data.
+

README.txt

@@ -1,32 +1,23 @@
-# Version 2.1.1
-#
-# Author: Benjamin Cance ([email protected])
-#
-# 2-Aug-24 
-# - Updating to current PEP
-
-import logging
-import sys
-from analyzemft.mft_session import MftSession
-from analyzemft.config import Config
-from analyzemft.error_handler import setup_logging, MFTAnalysisError
-
-def main():
-    config = Config()
-    config.parse_args()
-    conf = config.get_config()
-
-    setup_logging(conf['log_level'])
-
-    try:
-        session = MftSession(conf)
-        session.run()
-    except MFTAnalysisError as e:
-        logging.error(f"MFT analysis failed: {str(e)}")
-        sys.exit(1)
-    except Exception as e:
-        logging.exception(f"An unexpected error occurred: {str(e)}")
-        sys.exit(1)
-
-if __name__ == "__main__":
-    main()
+from analyze_mft.common_imports import *
+from analyze_mft.mft_parser import MFTParser
+from analyze_mft.file_handler import FileHandler
+from analyze_mft.csv_writer import CSVWriter
+from analyze_mft.options_parser import OptionsParser
+from analyze_mft.attribute_parser import AttributeParser
+
+def main():
+    options_parser = OptionsParser()
+    options = options_parser.parse_options()
+
+    file_handler = FileHandler(options)
+    file_handler.open_files()
+
+    csv_writer = CSVWriter(options, file_handler)
+
+    mft_parser = MFTParser(options, file_handler, csv_writer)
+    mft_parser.parse_mft_file()
+    mft_parser.generate_filepaths()
+    mft_parser.print_records()
+
+if __name__ == "__main__":
+    main()

analyzeMFT.py

@@ -0,0 +1,13 @@
+from .mft_parser import MFTParser
+from .mft_record import MFTRecord
+from .attribute_parser import AttributeParser
+from .windows_time import WindowsTime
+from .file_handler import FileHandler
+from .csv_writer import CSVWriter
+from .options_parser import OptionsParser
+from .constants import VERSION
+
+__all__ = ['MFTParser', 'MFTRecord', 'AttributeParser', 'WindowsTime', 
+           'FileHandler', 'CSVWriter', 'OptionsParser', 'VERSION']
+
+__version__ = VERSION

analyze_mft/__init__.py

@@ -0,0 +1,72 @@
+from .common_imports import *
+from .windows_time import WindowsTime
+
+class AttributeParser:
+    def __init__(self, raw_data, options):
+        self.raw_data = raw_data
+        self.options = options
+
+    def parse(self):
+        return self.decode_attribute_header()
+
+    def decode_attribute_header(self):
+        d = {}
+        d['type'] = struct.unpack("<I", self.raw_data[:4])[0]
+        if d['type'] == 0xffffffff:
+            return d
+        d['len'] = struct.unpack("<I", self.raw_data[4:8])[0]
+        d['res'] = struct.unpack("B", self.raw_data[8:9])[0]
+        d['name_off'] = struct.unpack("<H", self.raw_data[10:12])[0]
+        d['flags'] = struct.unpack("<H", self.raw_data[12:14])[0]
+        d['id'] = struct.unpack("<H", self.raw_data[14:16])[0]
+        if d['res'] == 0:
+            d['ssize'] = struct.unpack("<L", self.raw_data[16:20])[0]
+            d['soff'] = struct.unpack("<H", self.raw_data[20:22])[0]
+            d['idxflag'] = struct.unpack("<H", self.raw_data[22:24])[0]
+        else:
+            d['start_vcn'] = struct.unpack("<d", self.raw_data[16:24])[0]
+            d['last_vcn'] = struct.unpack("<d", self.raw_data[24:32])[0]
+            d['run_off'] = struct.unpack("<H", self.raw_data[32:34])[0]
+            d['compusize'] = struct.unpack("<H", self.raw_data[34:36])[0]
+            d['f1'] = struct.unpack("<I", self.raw_data[36:40])[0]
+            d['alen'] = struct.unpack("<d", self.raw_data[40:48])[0]
+            d['ssize'] = struct.unpack("<d", self.raw_data[48:56])[0]
+            d['initsize'] = struct.unpack("<d", self.raw_data[56:64])[0]
+        return d
+
+    def parse_standard_information(self):
+        d = {}
+        s = self.raw_data[self.decode_attribute_header()['soff']:]
+        d['crtime'] = WindowsTime(struct.unpack("<L", s[:4])[0], struct.unpack("<L", s[4:8])[0], self.options.localtz)
+        d['mtime'] = WindowsTime(struct.unpack("<L", s[8:12])[0], struct.unpack("<L", s[12:16])[0], self.options.localtz)
+        d['ctime'] = WindowsTime(struct.unpack("<L", s[16:20])[0], struct.unpack("<L", s[20:24])[0], self.options.localtz)
+        d['atime'] = WindowsTime(struct.unpack("<L", s[24:28])[0], struct.unpack("<L", s[28:32])[0], self.options.localtz)
+        d['dos'] = struct.unpack("<I", s[32:36])[0]
+        d['maxver'] = struct.unpack("<I", s[36:40])[0]
+        d['ver'] = struct.unpack("<I", s[40:44])[0]
+        d['class_id'] = struct.unpack("<I", s[44:48])[0]
+        d['own_id'] = struct.unpack("<I", s[48:52])[0]
+        d['sec_id'] = struct.unpack("<I", s[52:56])[0]
+        d['quota'] = struct.unpack("<d", s[56:64])[0]
+        d['usn'] = struct.unpack("<d", s[64:72])[0]
+        return d
+
+    def parse_file_name(self, record):
+        d = {}
+        s = self.raw_data[self.decode_attribute_header()['soff']:]
+        d['par_ref'] = struct.unpack("<Lxx", s[:6])[0]
+        d['par_seq'] = struct.unpack("<H", s[6:8])[0]
+        d['crtime'] = WindowsTime(struct.unpack("<L", s[8:12])[0], struct.unpack("<L", s[12:16])[0], self.options.localtz)
+        d['mtime'] = WindowsTime(struct.unpack("<L", s[16:20])[0], struct.unpack("<L", s[20:24])[0], self.options.localtz)
+        d['ctime'] = WindowsTime(struct.unpack("<L", s[24:28])[0], struct.unpack("<L", s[28:32])[0], self.options.localtz)
+        d['atime'] = WindowsTime(struct.unpack("<L", s[32:36])[0], struct.unpack("<L", s[36:40])[0], self.options.localtz)
+        d['alloc_fsize'] = struct.unpack("<q", s[40:48])[0]
+        d['real_fsize'] = struct.unpack("<q", s[48:56])[0]
+        d['flags'] = struct.unpack("<d", s[56:64])[0]
+        d['nlen'] = struct.unpack("B", s[64:65])[0]  
+        d['nspace'] = struct.unpack("B", s[65:66])[0]
+
+        bytes_left = d['nlen']*2
+        d['name'] = s[66:66+bytes_left].decode('utf-16-le')
+
+        return d

analyze_mft/attribute_parser.py

@@ -0,0 +1,8 @@
+import struct
+import datetime
+import os
+import csv
+import binascii
+import sys
+from datetime import datetime, timezone
+from optparse import OptionParser

analyze_mft/common_imports.py

@@ -0,0 +1 @@
+VERSION = '3.0'