https://github.com/aarsakian/MFTExtractor

Parser of MFT in go
https://github.com/aarsakian/MFTExtractor

Last synced: about 2 months ago
JSON representation

Parser of MFT in go

• Host: GitHub
• URL: https://github.com/aarsakian/MFTExtractor
• Owner: aarsakian
• Created: 2013-12-02T18:15:07.000Z (almost 11 years ago)
• Default Branch: master
• Last Pushed: 2024-05-07T09:13:20.000Z (5 months ago)
• Last Synced: 2024-05-07T10:31:22.941Z (5 months ago)
• Language: Go
• Size: 307 KB
• Stars: 11
• Watchers: 4
• Forks: 4
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• ForensicsTools - MFTExtractor - MFT-Parser (Challenges / Windows Artifacts)
• awesome-forensics - MFTExtractor - MFT-Parser (Tools / Windows Artifacts)
• Awesome-Forensics - MFTExtractor - MFT-Parser (Tools / Windows Artifacts)

README

        
MFTExtractor

============

### A Parser  of ~~Master File Table~~  NTFS file system.

Using this tool you can explore ~~$MFT~~ NTFS and its file system attributes. You can selectively extract filesystem information of record  or for a range of records. In addition, you can export the contents of files. 

Exporting files can be achieved either by mounting the evidence and providing its physical drive order and partition number or by using the acquired forensic image (Expert Witness Format), or virtual machine disk format. 

#### Examples #####

you can now explore NTFS by providing physical drive number and partition number 

e.g. *-physicaldrive 0 -partition 1* translates to \\\\.\\PHYSICALDRIVE0 D drive respectively,

or by using as input an expert witness format image 

e.g. *-evidence path_to_evidence -partition 1*.

Usage information  type: MFTExtractor  -h

 -MFT string

        absolute path to the MFT file (default "Disk MFT")

  -attributes string

        show attributes (write any for all attributes)

  -entries string

        select particular MFT entries, use comma as a seperator.

  -evidence string

        path to image file (EWF formats are supported)

  -extension string

        search MFT records by extension

  -filenames string

        files to export use comma for each file

  -filesize

        show file size of a record holding a file

  -fromEntry int

        select entry to start parsing (default -1)

  -hash string

        select hash md5 or sha1 for exported files.

  -index

        show index structures

  -listpartitions

        list partitions

  -location string

        the path to export  files

  -log

        enable logging

  -parent

        show information about parent record

  -partition int

        select partition number (default -1)

  -paths string

        base path of files must be exact e.g. C:\MYFILES\ABC translates to MYFILES\ABC

 

  -physicaldrive int

        select disk drive number for extraction of non resident files (default -1)

 

  -resident

        check whether entry is resident

 

  -runlist

        show runlist of MFT record attributes

 

  -showfilename string

        show the name of the filename attribute of each MFT record choices: Any, Win32, Dos

 

  -showpath

        show the full path of the selected files.

 

  -structure

        reconstrut entries tree

 

  -timestamps

        show all timestamps

 

  -toEntry int

        select entry to end parsing (default 4294967295)

 

  -unallocated

        collect unallocated area of a file system

 

  -vcns

        show the vncs of non resident attributes

 

  -vmdk string

        path to vmdk file (Sparse formats are supported)