{"id":13698589,"url":"https://github.com/aarsakian/MFTExtractor","last_synced_at":"2025-05-04T03:31:35.683Z","repository":{"id":12254592,"uuid":"14870571","full_name":"aarsakian/MFTExtractor","owner":"aarsakian","description":"Parser of MFT in go","archived":false,"fork":false,"pushed_at":"2024-10-29T17:05:08.000Z","size":379,"stargazers_count":14,"open_issues_count":0,"forks_count":4,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-10-29T18:31:32.690Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aarsakian.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2013-12-02T18:15:07.000Z","updated_at":"2024-10-29T17:05:12.000Z","dependencies_parsed_at":"2024-01-27T08:28:13.216Z","dependency_job_id":"206db99a-ccc5-4c11-91b2-559b46f99a85","html_url":"https://github.com/aarsakian/MFTExtractor","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aarsakian%2FMFTExtractor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aarsakian%2FMFTExtractor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aarsakian%2FMFTExtractor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aarsakian%2FMFTExtractor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aarsakian","download_url":"https://codeload.github.com/aarsakian/MFTExtra
ctor/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252283622,"owners_count":21723511,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T19:00:50.379Z","updated_at":"2025-05-04T03:31:35.662Z","avatar_url":"https://github.com/aarsakian.png","language":"Go","funding_links":[],"categories":["Challenges","Tools"],"sub_categories":["Windows Artifacts"],"readme":"MFTExtractor\n============\n\n### A parser of the ~~Master File Table~~ NTFS file system.\n\n\n\nUsing this tool you can explore ~~$MFT~~ NTFS and its file system attributes. You can selectively extract file system information for a single record or for a range of records. In addition, you can export the contents of files.\n\nFiles can be exported either by mounting the evidence and providing its physical drive number and partition number, or by using the acquired forensic image (Expert Witness Format) or a virtual machine disk format.\n\n#### Examples ####\nYou can now explore NTFS by providing the physical drive number and partition number,\ne.g. *-physicaldrive 0 -partition 1* translates to \\\\\\\\.\\\\PHYSICALDRIVE0 and the D drive respectively,\n\n\nor by using an Expert Witness Format image as input,\ne.g. 
*-evidence path_to_evidence -partition 1*.\n\nUsage information  type: MFTExtractor  -h\n\n\n  -MFT string\n        absolute path to the MFT file\n        \n  -attributes string\n        show attributes (write any for all attributes)\n        \n  -deleted\n        show deleted records\n        \n  -entries string\n        select particular MFT entries, use comma as a seperator.\n        \n  -evidence string\n        path to image file (EWF formats are supported)\n        \n  -extensions string\n        search MFT records by extensions use , for each extension\n        \n  -filenames string\n        files to export use comma for each file\n        \n  -filesize\n        show file size of a record holding a file\n        \n  -fromEntry int\n        select entry to start parsing (default -1)\n        \n  -hash string\n        select hash md5 or sha1 for exported files.\n        \n  -index\n        show index structures\n        \n  -listpartitions\n        list partitions\n        \n  -location string\n        the path to export  files\n        \n  -log\n        enable logging\n        \n  -orphans\n        show information only for orphan records\n        \n  -parent\n        show information about parent record\n        \n  -partition int\n        select partition number (default -1)\n        \n  -path string\n        base path of files to exported must be absolute e.g. 
C:\\MYFILES\\ABC translates to MYFILES\\ABC\n        \n  -physicaldrive int\n        select disk drive number for extraction of non resident files (default -1)\n        \n  -resident\n        check whether entry is resident\n        \n  -runlist\n        show runlist of MFT record attributes\n        \n  -showfilename string\n        show the name of the filename attribute of each MFT record choices: Any, Win32, Dos\n        \n  -showfull\n        show full information about record\n        \n  -showpath\n        show the full path of the selected files.\n        \n  -showtree\n        show tree\n        \n  -showusn\n        show information about usnjrnl records\n        \n  -strategy string\n        what strategy will use for files sharing the same file name supported is use Id default is ovewrite. (default \"overwrite\")\n        \n  -timestamps\n        show all timestamps\n        \n  -toEntry int\n        select entry to end parsing (default 4294967295)\n        \n  -tree\n        reconstrut entries tree\n        \n  -unallocated\n        collect unallocated area of a file system\n        \n  -usnjrnl\n        show information about changes to files and folders.\n        \n  -vcns\n        show the vncs of non resident attributes\n        \n  -vmdk string\n        path to vmdk file (Sparse formats are supported)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faarsakian%2FMFTExtractor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faarsakian%2FMFTExtractor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faarsakian%2FMFTExtractor/lists"}