2 analyzeMFT Written by David Kovar, CCE Python tool to parse $MFT Parses the attributes of each file in an NTFS file systemOutput is really grossCSV formatAt least 50 entries for each fileAll textUsed by other applications
3 Output FIelds Record Number Good - if the entry is valid Active - if the entry is activeRecord type - the type of recordRecord Sequence - the sequence number for the recordParent Folder Record NumberParent Folder Sequence NumberFor the standard information attribute:Creation dateModification dateAccess dateEntry date
4 Output Fields, cont. For up to four file name records: File name Creation dateModification dateAccess dateEntry dateObject IDBirth Volume IDBirth Object IDBirth Domain ID
5 Output Fields, cont.And flags to show if each of the following attributes is present:Standard Information, Attribute List, Filename, Object ID, Volume Name, Volume Info, Data, Index Root, Index Allocation, Bitmap, Reparse Point, EA Information, EA, Property Set, Logged Utility StreamNotes/Log - Field used to log any significant events or observations relating to this recordstd-fn-shift - Populated if anomaly detection is turned on. Y/N. Y indicates that the FN create date is later than the STD create date.usec-zero - Populated if anomaly detection is turned on. Y/N. Y indicates that the STD create date's microsecond value is zero.
7 Usage Usage: analyzeMFT.py [options] Options: -h, --help show this help message and exit -f FILE, --file=FILE Read MFT from FILE -o FILE, --output=FILE Write results to FILE -a, --anomaly Turn on anomaly detection -b FILE, --bodyfile=FILE Write MAC information to bodyfile -g, --gui Use GUI for file selection -d, --debug Turn on debugging output
8 Extract the MFT ntfscopy by Jonathan Tomczak analyzeMFT by David Kovar >ntfscopy \$MFT ntfs.mft –image ntfs.001 –offset 0x400000analyzeMFT by David KovarIntegriography.com>python c:\bin\analyzeMFT.py –f ntfs.mft –o mft.txt