src/main.rs


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92

#[macro_use] extern crate log;
extern crate rustymft;
extern crate rwinstructs;
extern crate serde_json;
extern crate serde;
extern crate clap;
use clap::{App, Arg};
use rustymft::mft::{MftHandler};
use rwinstructs::reference;
use rwinstructs::serialize;
use serde::Serializer;
use serde::ser::SerializeSeq;
use std::fs;
use std::io;

fn process_directory<S>(directory: &str, serializer: S) where S: serde::Serializer {
    let mut seq = serializer.serialize_seq(None).unwrap();
    for entry in fs::read_dir(directory).unwrap() {
        let entry = entry.unwrap();
        let path = entry.path();
        if path.is_file() {
            let path_string = path.into_os_string().into_string().unwrap();
            if path_string.ends_with("mft"){
                process_file(&path_string,&mut seq);
            }
        }
    }
    seq.end().unwrap();
}

fn process_file<S: serde::ser::SerializeSeq>(filename: &str, serializer: &mut S) -> bool {
    // Check if file is a prefetch file
    let mut mft_handler = match MftHandler::new(filename) {
        Ok(mft_handler) => mft_handler,
        Err(error) => {
            warn!("Could not parse file: {} [error: {}]", filename, error);
            return false;
        }
    };

    for i in 0 .. mft_handler.get_entry_count() {
        let mft_entry = match mft_handler.entry(i) {
            Ok(mft_entry) => mft_entry,
            Err(error) => {
                warn!("Could not parse file: {} [error: {}]", filename, error);
                continue;
            }
        };
        serializer.serialize_element(&mft_entry).unwrap();
    }

    return true;
}

fn is_directory(source: &str)->bool{
    fs::metadata(source).unwrap().file_type().is_dir()
}

fn main() {
    let source_arg = Arg::with_name("source")
        .short("s")
        .long("source")
        .value_name("FILE")
        .help("The source path. Can be a file or a directory.")
        .required(true)
        .takes_value(true);

    let options = App::new("RustyMft")
        .version("0.0.0")
        .author("Matthew Seyer <https://github.com/forensicmatt/RustyMft>")
        .about("Parse $MFT.")
        .arg(source_arg)
        .get_matches();

    // Set Reference Display Options
    unsafe{reference::NESTED_REFERENCE = true;}
    unsafe{serialize::U64_SERIALIZATION = serialize::U64Serialization::AsString;}

    let source = options.value_of("source").unwrap();

    let mut serializer = serde_json::Serializer::pretty(
        io::stdout()
    );

    if is_directory(source) {
        panic!("Directory source is not implemented yet.");
    } else {
        let mut seq = serializer.serialize_seq(None).unwrap();
        process_file(source,&mut seq);
        seq.end().unwrap();
    }
}