
Analyze the $MFT from an NTFS filesystem.

Project description

AnalyzeMFT

AnalyzeMFT is a Python tool that parses the NTFS Master File Table ($MFT) and writes it out in human-readable, searchable formats such as CSV. It is intended for digital forensics, file system analysis, and understanding the structure of NTFS volumes.

AnalyzeMFT Derivatives

Rather than clutter up the main project with features people may not want, I will be releasing two sister projects this week:

  1. AnalyzeMFT-SQLite which adds SQL tables as an export option. I found that when working with very large MFT files, it's often easier to get them into a database such as SQLite or PostgreSQL and perform queries/searches using those tools. This also lets us cut down on the total size of the eventual export with large MFT files because we can reuse values and attributes.

  2. CanalyzeMFT - This is a C/C++ port of the project. The goal is to increase the performance on *nix systems (or Windows if you want to build it there). I'm aiming to leave out system dependent libraries (cough Windows.h) so it's easily built everywhere.

Features

  • Parse raw $MFT files extracted from NTFS volumes
  • Export records as CSV (default), JSON, XML or Excel
  • Produce timeline output: TSK timeline, log2timeline CSV, and bodyfile for mactime
  • Optional hash computation (MD5, SHA256, SHA512, CRC32) with -H
  • Local timezone reporting
  • Anomaly detection (optional)
  • Verbose and debugging output (optional)
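As an added illustration (not code from the AnalyzeMFT project), the following Python parses 1024-byte MFT records the way such a tool has to: it checks the FILE signature, applies the update sequence fixups (and refuses torn records instead of silently parsing corrupt bytes), walks the resident attributes to pull the $STANDARD_INFORMATION and $FILE_NAME timestamps and the file name, then produces record counts in the style of the statistics block shown under Output and flags the $SI-before-$FN timestamp anomaly that MFT anomaly detection typically keys on. build_record and demo_records generate the sample records in memory; they are constructed test data, not an image of a real volume, and the layout assumes the standard 1024-byte record with 512-byte sectors.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR, RECORD_SIZE = 512, 1024
FLAG_IN_USE, FLAG_DIRECTORY = 0x01, 0x02               # record header flags at offset 0x16
ATTR_STD_INFO, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIMES = ("created", "modified", "mft_modified", "accessed")

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def apply_fixups(raw):
    """Undo the update sequence array: NTFS stamps the last two bytes of every sector
    with the USN and keeps the real bytes in the array. A mismatch means a torn write
    or a non-record and must not be parsed as if it were valid."""
    usa_off, usa_count = struct.unpack_from("<HH", raw, 4)
    usn, rec = raw[usa_off:usa_off + 2], bytearray(raw)
    for i in range(1, usa_count):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        rec[end - 2:end] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_record(raw):
    """Parse one 1024-byte record; returns None for zeroed or BAAD slots."""
    if raw[:4] != b"FILE":
        return None
    rec = apply_fixups(raw)
    seq, _links, first_attr, flags, used, _alloc = struct.unpack_from("<HHHHII", rec, 0x10)
    e = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "seq": seq, "name": None,
         "in_use": bool(flags & FLAG_IN_USE), "is_dir": bool(flags & FLAG_DIRECTORY),
         "si": {}, "fn": {}}
    off = first_attr
    while off + 8 <= used:                              # walk the attribute list
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:                           # resident: content is in the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_STD_INFO:
                e["si"] = dict(zip(TIMES, map(filetime_to_dt, struct.unpack_from("<4Q", body))))
            elif atype == ATTR_FILE_NAME:               # times at 0x08, name length at 0x40
                e["fn"] = dict(zip(TIMES, map(filetime_to_dt, struct.unpack_from("<4Q", body, 8))))
                e["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return e

def timestomp_suspect(e):
    """$STANDARD_INFORMATION times are settable from user mode (SetFileTime); $FILE_NAME
    times are written by the kernel. $SI created before $FN created is the classic
    backdating indicator."""
    return bool(e["si"] and e["fn"] and e["si"]["created"] < e["fn"]["created"])

def summarize(raw_records):
    """Counts in the spirit of the tool's statistics block, plus anomaly hits."""
    parsed = [p for p in map(parse_record, raw_records) if p]
    return {"total": len(raw_records), "active": sum(p["in_use"] for p in parsed),
            "directories": sum(p["is_dir"] for p in parsed),
            "files": sum(not p["is_dir"] for p in parsed),
            "timestomp_suspects": [p["name"] for p in parsed if timestomp_suspect(p)]}

def build_record(record_no, name, flags, si_time, fn_time):
    """Constructed test record (not from a real volume): header, resident $SI and $FN,
    end marker, then fixups applied the way the driver does before writing."""
    def resident(atype, body):
        body += b"\x00" * (-len(body) % 8)                # attribute lengths are 8-byte aligned
        return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 0, 0, 0,
                           len(body), 24, 0, 0) + body
    si, fn = dt_to_filetime(si_time), dt_to_filetime(fn_time)
    attrs = resident(ATTR_STD_INFO, struct.pack("<4Q4I", si, si, si, si, 0x20, 0, 0, 0))
    attrs += resident(ATTR_FILE_NAME, struct.pack("<Q4QQQIIBB", 5 | (5 << 48), fn, fn, fn, fn,
                                                  0, 0, 0, 0, len(name), 3) + name.encode("utf-16-le"))
    attrs += struct.pack("<II", ATTR_END, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, flags,
                      0x38 + len(attrs), RECORD_SIZE, 0, 3, 0, record_no)
    rec = bytearray(hdr + b"\x00" * 8 + attrs).ljust(RECORD_SIZE, b"\x00")
    usn = b"\x07\x00"
    rec[0x30:0x32] = usn
    for i in (1, 2):                                    # save sector tails, stamp them with the USN
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = usn
    return bytes(rec)

def demo_records():
    """Constructed sample: a backdated file, a directory, a deleted file, an empty slot."""
    t_old = datetime(2019, 3, 1, 12, 0, tzinfo=timezone.utc)
    t_new = datetime(2024, 6, 15, 8, 30, 0, 500000, tzinfo=timezone.utc)
    return [build_record(64, "secret.txt", FLAG_IN_USE, t_old, t_new),
            build_record(65, "Windows", FLAG_IN_USE | FLAG_DIRECTORY, t_new, t_new),
            build_record(66, "old.log", 0, t_old, t_old),
            bytes(RECORD_SIZE)]

if __name__ == "__main__":
    print(summarize(demo_records()))
```

Running the block prints total 4, active 2, directories 1, files 2 and lists secret.txt as the timestomp suspect. The fixup step is the part most home-grown parsers skip: without it the last two bytes of every sector are the USN, not data, and any attribute or name that straddles a sector boundary is read corrupted; rejecting a USN mismatch also stops a torn or deliberately damaged record from being reported as a clean entry.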

Requirements

  • Python 3.x

Installation

  1. Install from PyPI with pip install analyzeMFT, or clone the repository / download the script files.
  2. Ensure you have Python 3.x installed on your system.

Basic usage:

Usage: analyzeMFT.py -f <mft_file> -o <output_file> [options]

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -f FILE, --file=FILE  MFT file to analyze
  -o FILE, --output=FILE
                        Output file
  -H, --hash            Compute hashes (MD5, SHA256, SHA512, CRC32)

  Export Options:
    --csv               Export as CSV (default)
    --json              Export as JSON
    --xml               Export as XML
    --excel             Export as Excel
    --body              Export as body file (for mactime)
    --timeline          Export as TSK timeline
    --l2t               Export as log2timeline CSV

  Verbosity Options:
    -v                  Increase output verbosity (can be used multiple times)
    -d                  Increase debug output (can be used multiple times)

If no input file is given, the script prints the usage above and exits with:

Error: No input file specified. Use -f or --file to specify an MFT file.

Output

Starting MFT analysis...
Processing MFT file: D:\ISOs\MFT_Images\MFT
Processed 10000 records...
Processed 20000 records...
Processed 30000 records...

 .......[CUT].........

Processed 310000 records...
MFT processing complete. Total records processed: 314880
Writing output in csv format to X:\extracted.csv
Analysis complete.

MFT Analysis Statistics:
Total records processed: 314880
Active records: 171927
Directories: 99512
Files: 215368
Analysis complete. Results written to X:\extracted.csv

Versioning

Current version: 3.0.6.6 (as stated in the README; the distribution files listed under Download files below are 3.0.6.7)

Author

Benjamin Cance (bjc@tdx.li)

License

Copyright Benjamin Cance 2024

Contributing

If you'd like to contribute to this project, please submit a pull request or open an issue on the project's repository.

Disclaimer

This tool is provided as-is, without any warranties. Use at your own risk and ensure you have the necessary permissions before analyzing any file systems or MFT data.

Download files


Source Distribution

analyzemft-3.0.6.7.tar.gz (24.9 kB view details)


Built Distribution

analyzeMFT-3.0.6.7-py3-none-any.whl (17.4 kB view details)


File details

Details for the file analyzemft-3.0.6.7.tar.gz.

File metadata

  • Download URL: analyzemft-3.0.6.7.tar.gz
  • Upload date:
  • Size: 24.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.1 CPython/3.12.5

File hashes

Hashes for analyzemft-3.0.6.7.tar.gz
Algorithm Hash digest
SHA256 82fc1cf973bf63ec02674cf119e3e3fbe26b3d3b1801a58a37c929b0df0e87ba
MD5 aebe1758768c8426c20960611b06f7f2
BLAKE2b-256 c09d8984462646fbef956cdb383189a83d30a45c9783157823b8c68379358658

Check the downloaded archive against the SHA256 digest above before installing; pip can enforce this automatically with --require-hashes and the sdist and wheel digests pinned in a requirements file. Note that this release was uploaded with twine rather than Trusted Publishing, so the hashes are the only integrity check the index offers.

File details

Details for the file analyzeMFT-3.0.6.7-py3-none-any.whl.


File hashes

Hashes for analyzeMFT-3.0.6.7-py3-none-any.whl
Algorithm Hash digest
SHA256 8439efece6cb028e18621cabe85928e127bf39a5acbb099045b974e304850e74
MD5 38b5be34edd82a1a28c5e326886751b6
BLAKE2b-256 fecb8572e7b8611a969564732e7256478d2a41d57bfc352c9a40441543bbac7b

