ExtractNTUSER.py
import binascii
import csv
import datetime
import hashlib
import json
import struct
import sys

import pytsk3
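# Copy one profile's NTUSER.DAT registry hive and its two transaction logs off
# the live C: volume by parsing the file system directly with pytsk3.
#
# Operational notes for whoever runs this as a collection step:
#   * '\\.\C:' is the raw volume device; opening it normally needs an elevated
#     (administrator) prompt.
#   * Output goes to the current working directory. Run the script from the
#     evidence destination (ideally not on the volume being read) so the copies
#     do not overwrite data on the source volume.
#   * The profile path is hard-coded; adjust HIVE_PATHS for another account.
#   * The .Log1/.Log2 files are collected with the hive; presumably they hold
#     pending changes that the analysis tool should replay -- confirm with the
#     tool in use.
HIVE_PATHS = (
    "/Users/Dave/NTUSER.DAT",
    "/Users/Dave/NTUSER.DAT.Log1",
    "/Users/Dave/NTUSER.DAT.Log2",
)

# Read in bounded pieces instead of one read_random() call for the whole file,
# so memory use does not scale with hive size.
CHUNK_SIZE = 1024 * 1024

img = pytsk3.Img_Info('\\\\.\\C:')
fs = pytsk3.FS_Info(img)

for hive_path in HIVE_PATHS:
    fileobject = fs.open(hive_path)
    meta = fileobject.info.meta

    print("File Inode:", meta.addr)
    print("File Name:", fileobject.info.name.name)
    # NOTE: fromtimestamp() renders the creation time in the collecting
    # machine's local time zone; record that zone alongside this output.
    print("File Creation Time:", datetime.datetime.fromtimestamp(meta.crtime).strftime('%Y-%m-%d %H:%M:%S'))

    outFileName = fileobject.info.name.name
    print(outFileName)

    digest = hashlib.sha256()
    offset = 0
    # The original referenced `outfile.close` without calling it, so the
    # handle was never explicitly closed and buffered data could be left
    # unflushed. The context manager closes (and flushes) every copy.
    with open(outFileName, 'wb') as outfile:
        while offset < meta.size:
            chunk = fileobject.read_random(offset, min(CHUNK_SIZE, meta.size - offset))
            if not chunk:
                # Short read: stop rather than loop forever; reported below.
                break
            outfile.write(chunk)
            digest.update(chunk)
            offset += len(chunk)

    if offset != meta.size:
        print("WARNING: expected", meta.size, "bytes but copied", offset,
              "for", hive_path, file=sys.stderr)

    # Hash of the bytes actually written, for the collection record / later
    # integrity verification of the extracted copy.
    print("SHA-256:", digest.hexdigest())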