Year of Python (YOP) – Week Twenty Two Script

01Jun15

Hello Reader!

So my original thought for this week’s script was to start parsing Windows LNK files.  I needed some time with the Prefetch script to put together a Windows 8 image to finish testing it with (I have a VM somewhere just need to find it…which shows you how much I’ve used it).  I got some of the basics started on my script when my friend David Nides tweeted:

And I figured, what the heck, I’ll give it a shot….

Unfortunately I had some other “life events” going on (nothing bad, just a deadline to meet), so it limited the work I’ve done so far to just parsing out the header information.  And even that isn’t 100% complete.  So consider this script the raw data output from the header of a Windows ESE DB, but hey it gets you started!

As part of my regular strategy on parsing these file types, I start by just reading in the header portion of the file.  Then I pass it to the main function that will break everything out.  However, from reading through Joachim Metz’s documentation (which, as always, is excellent and thorough), I decided to break out some other pieces of the puzzle into other functions.

The first one is the Backup Information (JET_BKINFO), which I will admit is not complete yet:

import struct

def edb_backup_parse(bkup_data):
    # JET_BKINFO (24 bytes): backup log position, backup creation time,
    # then the lower and upper log generation numbers the backup covers.
    # Phase one: position and time come back as raw 64-bit integers.
    bkup_pos = struct.unpack("<Q", bkup_data[0:8])
    bkup_create_datetime = struct.unpack("<Q", bkup_data[8:16])
    bkup_gen_lwr_no = struct.unpack("<L", bkup_data[16:20])
    bkup_gen_upr_no = struct.unpack("<L", bkup_data[20:24])
    return bkup_pos[0], bkup_create_datetime[0], bkup_gen_lwr_no[0], bkup_gen_upr_no[0]

This is phase one of this function: I still need to break the data down further (for example, parsing out the date/time data that’s there), but it’s enough to tell that there’s data there at least.

Next up is my Log Time (JET_LOGTIME and JET_BKLOGTIME) function:

def log_time(time_data):
    # JET_LOGTIME / JET_BKLOGTIME: one byte each for seconds, minutes,
    # hours, day, month and year (stored as years since 1900).
    # Slicing instead of indexing keeps each field as bytes, so this
    # runs on Python 3 as well as Python 2.
    log_sec = struct.unpack("<B", time_data[0:1])
    log_min = struct.unpack("<B", time_data[1:2])
    log_hour = struct.unpack("<B", time_data[2:3])
    log_day = struct.unpack("<B", time_data[3:4])
    log_mon = struct.unpack("<B", time_data[4:5])
    log_year = struct.unpack("<B", time_data[5:6])
    return log_sec[0], log_min[0], log_hour[0], log_day[0], log_mon[0], (log_year[0] + 1900)

This just takes care of the time stamps for the log time data structures.

Finally, the last function, Database Time:

def db_time(time_data):
    # Placeholder: reads the database time as three little-endian
    # 16-bit values (hours, minutes, seconds).  The layout is unconfirmed.
    db_hours = struct.unpack("<H", time_data[0:2])
    db_min = struct.unpack("<H", time_data[2:4])
    db_sec = struct.unpack("<H", time_data[4:6])
    return db_hours[0], db_min[0], db_sec[0]

This one is definitely not complete, or at least my test data has the format wrong.  But the placeholder is here for me to get it working.
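To show where the header strategy and the three helper functions above end up once the nested structures are decoded, here is an added example (not code from the YOP script). It reads the first 72 bytes of an ESE database header, rejects anything that does not carry the 0x89abcdef signature, and fully decodes JET_LOGTIME, JET_LGPOS and JET_BKINFO instead of returning them as raw 64-bit integers; the field offsets follow Joachim Metz’s libesedb documentation, the JET_dbstate names follow esent.h, and the header and backup-info bytes are constructed with struct.pack so the script runs offline without a real .edb file.

```python
# Added example, not part of the YOP post.  Field offsets per the libesedb
# ESE DB format documentation; the sample bytes below are constructed here.
import datetime
import struct

ESEDB_SIGNATURE = 0x89ABCDEF  # magic at offset 4 of every ESE database

# JET_dbstate values from esent.h
DB_STATES = {
    1: "just created",
    2: "dirty shutdown",
    3: "clean shutdown",
    4: "being converted",
    5: "force detach",
}


def is_esedb(data):
    """Cheap triage check: does the buffer carry the ESE signature?"""
    return len(data) >= 8 and struct.unpack("<L", data[4:8])[0] == ESEDB_SIGNATURE


def parse_logtime(data):
    """Decode an 8-byte JET_LOGTIME (sec, min, hour, day, month, year since
    1900, two filler/flag bytes).  Returns None for an unset (all-zero) value."""
    sec, minute, hour, day, month, year = struct.unpack("<6B", data[0:6])
    if day == 0 and month == 0:
        return None
    return datetime.datetime(1900 + year, month, day, hour, minute, sec)


def parse_lgpos(data):
    """Decode an 8-byte JET_LGPOS: byte offset, sector and log generation."""
    ib, isec, generation = struct.unpack("<HHL", data[0:8])
    return {"ib": ib, "isec": isec, "generation": generation}


def parse_bkinfo(data):
    """Decode a 24-byte JET_BKINFO: position, creation time (JET_BKLOGTIME
    shares its six leading bytes with JET_LOGTIME) and generation range."""
    gen_low, gen_high = struct.unpack("<LL", data[16:24])
    return {
        "position": parse_lgpos(data[0:8]),
        "created": parse_logtime(data[8:16]),
        "gen_low": gen_low,
        "gen_high": gen_high,
    }


def parse_edb_header(data):
    """Parse the leading 72 bytes of an ESE database header."""
    if len(data) < 72:
        raise ValueError("need at least 72 bytes of header")
    checksum, signature, fmt_version, file_type = struct.unpack("<4L", data[0:16])
    if signature != ESEDB_SIGNATURE:
        raise ValueError("not an ESE database: signature 0x%08x" % signature)
    db_time = struct.unpack("<Q", data[16:24])[0]
    # JET_SIGNATURE (28 bytes): 4 random bytes, JET_LOGTIME, 16-byte computer name
    sig_random = struct.unpack("<L", data[24:28])[0]
    sig_created = parse_logtime(data[28:36])
    computer = data[36:52].rstrip(b"\x00").decode("ascii", "replace")
    state = struct.unpack("<L", data[52:56])[0]
    return {
        "checksum": checksum,
        "format_version": fmt_version,
        "file_type": file_type,  # 0 = database per libesedb docs
        "db_time": db_time,
        "db_signature": {"random": sig_random, "created": sig_created, "computer": computer},
        "state": DB_STATES.get(state, "unknown (%d)" % state),
        "consistent_position": parse_lgpos(data[56:64]),
        "consistent_time": parse_logtime(data[64:72]),
    }


def build_sample_header():
    """Constructed 72-byte header (synthetic test data, not from a real file)."""
    created = struct.pack("<6B2x", 30, 15, 9, 1, 6, 115)      # 2015-06-01 09:15:30
    consistent = struct.pack("<6B2x", 0, 0, 12, 31, 5, 115)   # 2015-05-31 12:00:00
    return (
        struct.pack("<4L", 0x12345678, ESEDB_SIGNATURE, 0x620, 0)
        + struct.pack("<Q", 0x1234)
        + struct.pack("<L", 0xDEADBEEF) + created + b"FORENSICS-VM".ljust(16, b"\x00")
        + struct.pack("<L", 3)
        + struct.pack("<HHL", 0x10, 0x20, 7)
        + consistent
    )


def build_sample_bkinfo():
    """Constructed 24-byte JET_BKINFO (synthetic test data)."""
    return (struct.pack("<HHL", 0x2000, 0x42, 11)
            + struct.pack("<6B2x", 45, 59, 23, 30, 5, 115)
            + struct.pack("<LL", 9, 11))


if __name__ == "__main__":
    print(parse_edb_header(build_sample_header()))
    print(parse_bkinfo(build_sample_bkinfo()))
```

The signature check is the piece worth keeping even when the rest of the header is still raw output: it stops a script from happily "parsing" a file that is not an ESE database at all, and the state field tells you straight away whether the database was cleanly shut down before you start trusting its contents.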

I plan on moving forward on this, and I’ve added to the list of things to get parsed out as this year goes on.  So keep an eye out for updates to this script before the year is out!

Until next week!

https://github.com/CdtDelta/YOP
