2analyzeMFT Written by David Kovar, CCE Python tool to parse $MFT Parses the attributes of each file in an NTFS file systemOutput is really grossCSV formatAt least 50 entries for each fileAll textUsed by other applications
3Output FIelds Record Number Good - if the entry is valid Active - if the entry is activeRecord type - the type of recordRecord Sequence - the sequence number for the recordParent Folder Record NumberParent Folder Sequence NumberFor the standard information attribute:Creation dateModification dateAccess dateEntry date
4Output Fields, cont. For up to four file name records: File name Creation dateModification dateAccess dateEntry dateObject IDBirth Volume IDBirth Object IDBirth Domain ID
5Output Fields, cont.And flags to show if each of the following attributes is present:Standard Information, Attribute List, Filename, Object ID, Volume Name, Volume Info, Data, Index Root, Index Allocation, Bitmap, Reparse Point, EA Information, EA, Property Set, Logged Utility StreamNotes/Log - Field used to log any significant events or observations relating to this recordstd-fn-shift - Populated if anomaly detection is turned on. Y/N. Y indicates that the FN create date is later than the STD create date.usec-zero - Populated if anomaly detection is turned on. Y/N. Y indicates that the STD create date's microsecond value is zero.
7Usage Usage: analyzeMFT.py [options] Options: -h, --help show this help message and exit -f FILE, --file=FILE Read MFT from FILE -o FILE, --output=FILE Write results to FILE -a, --anomaly Turn on anomaly detection -b FILE, --bodyfile=FILE Write MAC information to bodyfile -g, --gui Use GUI for file selection -d, --debug Turn on debugging output
8Extract the MFT ntfscopy by Jonathan Tomczak analyzeMFT by David Kovar >ntfscopy \$MFT ntfs.mft –image ntfs.001 –offset 0x400000analyzeMFT by David KovarIntegriography.com>python c:\bin\analyzeMFT.py –f ntfs.mft –o mft.txt