{"id":13773881,"url":"https://github.com/kero99/mftmactime","last_synced_at":"2025-05-11T06:31:39.135Z","repository":{"id":52339930,"uuid":"520922161","full_name":"kero99/mftmactime","owner":"kero99","description":"MFT and USN parser that allows direct extraction in filesystem timeline format (mactime), dump all resident files in the MFT in their original folder structure and run yara rules over them all.","archived":false,"fork":false,"pushed_at":"2023-05-10T17:45:48.000Z","size":33,"stargazers_count":9,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-02-14T20:39:32.145Z","etag":null,"topics":["forensics-tools","mft","ntfs","ntfs-ads","ntfs-journal","python"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kero99.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2022-08-03T14:49:39.000Z","updated_at":"2023-12-15T12:47:20.000Z","dependencies_parsed_at":"2024-01-13T11:20:35.158Z","dependency_job_id":null,"html_url":"https://github.com/kero99/mftmactime","commit_stats":null,"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kero99%2Fmftmactime","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kero99%2Fmftmactime/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kero99%2Fmftmactime/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kero99%2Fmftmactime/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kero99","download_url":"https://codeload.github.com/kero99/mftmactime/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253528362,"owners_count":21922623,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["forensics-tools","mft","ntfs","ntfs-ads","ntfs-journal","python"],"created_at":"2024-08-03T17:01:21.273Z","updated_at":"2025-05-11T06:31:38.848Z","avatar_url":"https://github.com/kero99.png","language":"Python","funding_links":[],"categories":["Tools"],"sub_categories":["Windows Artifacts"],"readme":"# Description\nThis is an MFT and USN Journal parser that extracts directly into filesystem timeline format (mactime), dumps every file resident in the MFT into its original folder structure, and runs YARA rules over all of them.\n\nIt uses Omer BenAmram's MFT parsing library, written in Rust (https://github.com/omerbenamram/mft), which gives the process great speed and efficiency.\nThe integrated USN Journal parser puts the combined MFT and USN data into the same timeline.\n\nAs input you can use individual files collected by a triage, a forensic image in RAW format, or a mixture of both. When the input is a RAW image, the artifacts are first dumped into a directory of your choice (see -d below).\n\n# Requirement\npip install mft argparse tqdm pytz pytsk3 yara-python\n\n# Use\nusage: mftmactime [-h] [-V] -f FILE -o OUTPUT [-m DRIVE] [-n] [-tz TIMEZONE] [-r RESIDENT] [-u USN] [-s OFFSET] [-d DUMP_PATH] [-y YARA_RULES] [-yc YARA_COMPILED]\n\n# Example\nmftmactime.py -f /mnt/comp001/\\\\$MFT -o comp001_fstl.csv -n\n\n![image](https://user-images.githubusercontent.com/143736/183637088-0089c8c4-ef23-46e1-bbd5-8321422108cb.png)\n\n# Example with dump of resident files\nmftmactime -f MFT -o test.csv -n -r recovery_output\n\n![Screenshot at 2022-09-07 11-29-48](https://user-images.githubusercontent.com/143736/188844076-9eefc9b7-9801-4c23-a0df-0ef794b92dc1.png)\n\n# Example of inode entries with mixed USN Journal and MFT data\n\n![image](https://user-images.githubusercontent.com/143736/191730418-ba1f5a8d-2ff0-4e88-aa30-236c5169e580.png)\n\n# Example of dump and processing from RAW evidence\nmftmactime -n -f ../evidence/Testing/test-img.dd -u ../evidence/Testing/test-img.dd -o ./filesystem_tln.csv -d dump -r residents\n\n![image](https://user-images.githubusercontent.com/143736/191998130-097e69ea-80dc-4684-80ba-d4dfbe861452.png)\n\n# Example of running YARA rules over resident files\n\n![mftmactime-yara](https://user-images.githubusercontent.com/143736/218285321-effe1042-9695-4e88-abe9-de9d30fbaa7f.png)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkero99%2Fmftmactime","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkero99%2Fmftmactime","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkero99%2Fmftmactime/lists"}
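The README above describes what mftmactime produces from an $MFT: a mactime-style timeline plus a dump of files whose content is resident in the MFT. The following is an added example in Python, not mftmactime's own code (the tool delegates record parsing to the `mft` library); it parses one NTFS FILE record by hand, applies the update sequence fixups that every MFT parser must undo, emits TSK body-file rows (the input format of `mactime`, with the $FILE_NAME times as a second row so they can be compared against the $STANDARD_INFORMATION times in the same timeline) and returns the resident $DATA content. The record, the timestamps, the file name `payload.ps1` and the path prefix `C:/Users/Public/` are all constructed here for the demonstration and come from no real disk.

```python
"""NTFS MFT FILE record -> TSK body-file rows (mactime input format) plus resident $DATA.
Added example, not mftmactime's own code; the sample record is constructed below."""
import struct

FILETIME_EPOCH_DELTA = 116444736000000000  # 100 ns ticks from 1601-01-01 to 1970-01-01
STD_INFO, FILE_NAME, DATA, END = 0x10, 0x30, 0x80, 0xFFFFFFFF

def filetime_to_unix(ft):
    return (ft - FILETIME_EPOCH_DELTA) // 10_000_000

def unix_to_filetime(ts):
    return ts * 10_000_000 + FILETIME_EPOCH_DELTA

def resident_attr(atype, content, attr_id):
    """Resident attribute: 24-byte header, content at offset 24, length padded to 8."""
    total = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 24, 0, attr_id, len(content), 24, 0, 0)
    return hdr + content + b"\0" * (total - 24 - len(content))

def build_sample_record(si_times, fn_times, name, data, record_no=40, parent=5):
    """Constructed 1024-byte in-use FILE record ($STANDARD_INFORMATION, $FILE_NAME, resident
    unnamed $DATA) with NTFS fixups applied. Times: (created, modified, mft_changed, accessed)."""
    si = struct.pack("<4Q4I", *[unix_to_filetime(t) for t in si_times], 0x20, 0, 0, 0)
    fn = struct.pack("<Q4QQQIIBB", parent, *[unix_to_filetime(t) for t in fn_times],
                     len(data), len(data), 0x20, 0, len(name), 3) + name.encode("utf-16-le")
    body = (resident_attr(STD_INFO, si, 0) + resident_attr(FILE_NAME, fn, 1)
            + resident_attr(DATA, data, 2) + struct.pack("<I", END) + b"\0" * 4)
    # magic, USA offset/count, LSN, seq, links, first attr, flags (1 = in use), used, alloc,
    # base record, next attr id, pad, record number
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, 56, 1,
                      56 + len(body), 1024, 0, 3, 0, record_no)
    rec = bytearray(1024)
    rec[:48], rec[56:56 + len(body)] = hdr, body
    struct.pack_into("<H", rec, 48, 7)  # update sequence number
    for i in range(2):  # park each sector's last word in the USA, stamp the USN over it
        end = 512 * (i + 1) - 2
        rec[50 + 2 * i:52 + 2 * i] = rec[end:end + 2]
        struct.pack_into("<H", rec, end, 7)
    return bytes(rec)

def apply_fixups(raw):
    """Undo the update sequence array; a mismatch means a torn or corrupt record."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = struct.unpack_from("<H", rec, usa_off)[0]
    for i in range(1, usa_count):
        end = 512 * i - 2
        if struct.unpack_from("<H", rec, end)[0] != usn:
            raise ValueError("fixup mismatch in sector %d" % i)
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_record(raw):
    """Walk the resident attributes of one FILE record into a dict."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record (BAAD or never used)")
    rec = apply_fixups(raw)
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"inode": struct.unpack_from("<I", rec, 0x2C)[0], "in_use": bool(flags & 1),
            "is_dir": bool(flags & 2), "name": None, "si": None, "fn": None, "size": 0, "data": None}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen == 0:
            break
        if rec[off + 8] == 0:  # resident; non-resident data runs would need the volume
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            c = rec[off + coff:off + coff + clen]
            if atype == STD_INFO:
                info["si"] = [filetime_to_unix(t) for t in struct.unpack_from("<4Q", c, 0)]
            elif atype == FILE_NAME and (info["fn"] is None or c[0x41] != 2):  # prefer non-DOS name
                info["fn"] = [filetime_to_unix(t) for t in struct.unpack_from("<4Q", c, 8)]
                info["name"] = c[0x42:0x42 + 2 * c[0x40]].decode("utf-16-le")
                info["size"] = struct.unpack_from("<Q", c, 0x30)[0]
            elif atype == DATA and rec[off + 9] == 0:  # unnamed stream only (ADS skipped)
                info["data"], info["size"] = bytes(c), clen
        off += alen
    return info

def body_rows(info, prefix=""):
    """TSK body rows: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime. $FILE_NAME
    times go in a second row (TSK's ' ($FILE_NAME)' suffix) so timestomped SI times stand out."""
    mode = "d/drwxrwxrwx" if info["is_dir"] else "r/rrwxrwxrwx"
    rows = []
    for suffix, t in (("", info["si"]), (" ($FILE_NAME)", info["fn"])):
        if t:
            crtime, mtime, ctime, atime = t
            rows.append("0|%s%s%s|%d|%s|0|0|%d|%d|%d|%d|%d" % (prefix, info["name"], suffix,
                        info["inode"], mode, info["size"], atime, mtime, ctime, crtime))
    return rows

SI_TIMES = (1_500_000_000, 1_700_000_100, 1_700_000_200, 1_700_000_300)  # created backdated
FN_TIMES = (1_700_000_000, 1_700_000_100, 1_700_000_200, 1_700_000_300)
SAMPLE_DATA = b"# small scripts stay resident in the MFT\r\n"
SAMPLE = build_sample_record(SI_TIMES, FN_TIMES, "payload.ps1", SAMPLE_DATA)

if __name__ == "__main__":
    entry = parse_record(SAMPLE)
    print("\n".join(body_rows(entry, "C:/Users/Public/")))
    print("resident data:", entry["data"])
```

Two details matter when reading real $MFT dumps: the fixup check must run before any attribute is parsed (a record whose sector-end words do not match its USN was torn mid-write and its offsets cannot be trusted), and the $DATA content is only available from the record itself when the attribute is resident, which is exactly the set of files mftmactime's `-r` dump recovers; non-resident files need the data runs resolved against the volume.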