{ "info": { "author": "David Kovar", "author_email": "dkovar@gmail.com", "bugtrack_url": null, "classifiers": [], "description": "===========\nAnalyze MFT\n===========\n\nanalyzeMFT.py is designed to fully parse the MFT file from an NTFS filesystem\nand present the results as accurately as possible in multiple formats.\n\nInstallation\n===========\nYou should now be able to install analyzeMFT with pip:\n\n pip install analyzeMFT\n \nAlternatively:\n\n git pull https://github.com/dkovar/analyzeMFT.git\n python setup.py install (or, just run it from that directory)\n\nUsage\n===========\nUsage: analyzeMFT.py [options]\n\nOptions:\n -h, --help show this help message and exit\n -v, --version report version and exit\n \nFile input options:\n\n -f FILE, --file=FILE read MFT from FILE\n\nFile output options:\n\n -o FILE, --output=FILE\n write results to FILE\n -c FILE, --csvtimefile=FILE\n write CSV format timeline file\n -b FILE, --bodyfile=FILE\n write MAC information to bodyfile\n\nOptions specific to body files:\n\n --bodystd Use STD_INFO timestamps for body file rather than FN\n timestamps\n --bodyfull Use full path name + filename rather than just\n filename\n\nOther options:\n\n -a, --anomaly turn on anomaly detection\n -l, --localtz report times using local timezone\n -e, --excel print date/time in Excel friendly format\n -d, --debug turn on debugging output\n -s, --saveinmemory Save a copy of the decoded MFT in memory. Do not use\n for very large MFTs\n -p, --progress Show systematic progress reports.\n -w, --windows-path Use windows path separator when constructing the filepath instead of linux\n\nOutput\n=========\n\nanalyzeMFT can produce output in CSV or bodyfile format.\n\nCSV output\n---------\nThe output is currently written in CSV format. Due to the fact that Excel\nautomatically determines the type of data in a column, it is recommended that\nyou write the output to a file without the .csv extension, open it in Excel, and\nset all the columns to \"Text\" rather than \"General\" when the import wizard\nstarts. Failure to do so will result in Excel formatting the columns in a way\nthat misrepresents the data.\n\nI could pad the data in such a way that forces Excel to set the column type correctly\nbut this might break other tools.\n\nGUI:\nYou can turn off all the GUI dependencies by setting the noGUI flag to 'True'. This is for installations that don't want to install the tk/tcl libraries.\n\nUpdate History\n=============\n[See CHANGES.txt]\n\nVersion 2.0.4:Minor tweaks to support external programs\nVersion 2.0.3:Restructured to support PyPi (pip)\nVersion 2.0.2:De-OOP'd MFT record parsing to reduce memory consumption\nVersion 2.0.1:Added L2T CSV and body file support back in, fixed some minor bugs along the way\n Made full file path calculation more efficient\nVersion 2.0.0 Restructured layout to turn it into a module.\n Made it more OOP.\n Improved error handling and corrupt record detection\n \n------ Version 1 history follows ------\n\nVersion 1.0: Initial release\nVersion 1.1: Split parent folder reference and sequence into two fields. I'm still trying to figure out the\n significance of the parent folder sequence number, but I'm convinced that what some documentation\n refers to as the parent folder record number is really two values - the parent folder record number\n and the parent folder sequence number.\nVersion 1.2: Fixed problem with non-printable characters in filenames. Any Unicode character is legal in a\n filename, including newlines. This presented some problems in my output. Characters that do not\n render well are now converted to hex and a note is added to the Notes column indicating this.\n (I've learned a lot about Unicode since I first wrote this.)\n Added \"compile time\" flag to turn off the inclusion of any GUI related modules and libraries\n for systems missing tk/tcl support. (Set noGUI to True in the code)\nVersion 1.3: Added new column to hold log entries relating to each record. For example, a note stating that\n some characters in the filename were converted to hex as they could not be printed.\nVersion 1.4: Credit: Spencer Lynch. I was misusing the flags field in the MFT header. The first bit is\n Active/Inactive. The second bit is File/Folder.\nVersion 1.5: Fixed date/time reporting. I wasn't reporting useconds at all.\n Added anomaly detection. Adds two columns:\n std-fn-shift: If Y, entry's FN create time is after the STD create time\n usec-zero: If Y, entry's STD create time's usec value is zero\nVersion 1.6: Various bug fixes\nVersion 1.7: Bodyfile support, with thanks to Dave Hull\nVersion 1.8: Added support for full path extraction, written by Kristinn Gudjonsson\nVersion 1.9: Added support for csv timeline output\nVersion 1.10: Just for Tom\nVersion 1.11: Fixed TSK bodyfile output\nVersion 1.12: Fix orphan file detection issue that caused recursion error (4/18/2013)\nVersion 1.13: Changed from walking all sequence numbers to pulling sequence number from MFT. Previous approach did not handle\n gaps well\nVersion 1.14: Made -o output optional if -b is specified. (Either/or)\nVersion 1.15: Added file size (real, not allocated) to bodyfile.\n Added bodyfile option to include fullpath + filename rather than just filename\n Added bodyfile option to use STD_INFO timestamps rather than FN timestamps\n\n\nVersion 2 history is in CHANGES.txt\n\n\n\n\n\n\nInspiration\n===========\nMy original inspiration was a combination of MFT Ripper (thus the current output format) and the\nSANS 508.1 study guide. I couldn't bear to read about NTFS structures again,\nparticularly since the information didn't \"stick\". I also wanted to learn Python\nso I figured that using it to tear apart the MFT file was a reasonably sized\nproject.\n\nMany of the variable names are taken directly from Brian Carrier's The Sleuth Kit. His code, plus his\nbook \"File System Forensic Analysis\", was very helpful in my efforts to write this code.\n\nThe output format is almost identical to Mark Menz's MFT Ripper. His tool really inspired me to learn\nmore about the structure of the MFT and to learn what additional information I could glean from\nthe data.\n\nI also am getting much more interested in timeline analysis and figured that really understanding the\nthe MFT and having a tool that could parse it might serve as a good foundation\nfor further research in that area.\n\n\nFuture work\n===========\n\n1) Figure out how to write the CSV file in a manner that forces Excel to interpret the date/time\nfields as text. If you add the .csv extension Excel will open the file without invoking the import\nwizard and the date fields are treated as \"General\" and the date is chopped leaving just the time.\n2) Add version switch\n3) Add \"mftr\" switch - produce MFT Ripper compatible output\n4) Add \"extract\" switch - extract or work on live MFT file\n5) Finish parsing all possible attributes\n6) Look into doing more timeline analysis with the information\n7) Improve the documentation so I can use the structures as a reference and reuse the code more effectively\n8) Clean up the code and, in particular, follow standard naming conventions\n9) There are two MFT entry flags that appear that I can't determine the significance of. These appear in\n the output as Unknown1 and Unknown2\n10) Parse filename based on 'nspace' value in FN structure\n11) Test it and ensure that it works on all major Windows OS versions\n12) Output HTML as well as CSV\n13) If you specify a bad input filename and a good output filename, you get an\nerror about the output filename.\n\n\nUseful Documentation\n====================\n\n1) http://dubeyko.com/development/FileSystems/NTFS/ntfsdoc.pdf", "description_content_type": null, "docs_url": null, "download_url": "UNKNOWN", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "http://github.com/dkovar/analyzeMFT", "keywords": null, "license": "LICENSE.txt", "maintainer": null, "maintainer_email": null, "name": "analyzeMFT", "package_url": "https://pypi.org/project/analyzeMFT/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/analyzeMFT/", "project_urls": { "Download": "UNKNOWN", "Homepage": "http://github.com/dkovar/analyzeMFT" }, "release_url": "https://pypi.org/project/analyzeMFT/2.0.19/", "requires_dist": null, "requires_python": null, "summary": "Analyze the $MFT from a NTFS filesystem.", "version": "2.0.19" }, "last_serial": 2137580, "releases": { "2.0.0": [ { "comment_text": "", "digests": { "md5": "e3a20ffa97ddfe6a906e6eaa3650412a", "sha256": "d6f4eb2f241c4bece2c184bb78a4ae5c4ed60dee4085e8e0e8a1c8691b5c78f0" }, "downloads": -1, "filename": "analyzeMFT-2.0.0.tar.gz", "has_sig": false, "md5_digest": "e3a20ffa97ddfe6a906e6eaa3650412a", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 22946, "upload_time": "2013-06-22T19:57:17", "url": "https://files.pythonhosted.org/packages/5f/86/402d79269c6192a16bf64bac86c6ad8dc862a554edc4b1a724f2f41fab6c/analyzeMFT-2.0.0.tar.gz" } ], "2.0.10": [ { "comment_text": "", "digests": { "md5": "c6d2cf38fe33748b1adf963813a2028d", "sha256": "8d600030aa21e516fc44f5a66a8ce42ab0207adfffcf3baec608085ba5ab37c9" }, "downloads": -1, "filename": "analyzeMFT-2.0.10.tar.gz", "has_sig": false, "md5_digest": "c6d2cf38fe33748b1adf963813a2028d", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 14367, "upload_time": "2013-08-02T21:40:22", "url": "https://files.pythonhosted.org/packages/09/56/ce0eda9ef35e1855ddc05b4f053b8359c4317506460fafc7953530993393/analyzeMFT-2.0.10.tar.gz" } ], "2.0.12": [ { "comment_text": "", "digests": { "md5": "8b57e0eb0db17e4b1033df588f7fe0d7", "sha256": "a5384147334eae6cf687c0eb1d14ddf5589f1b51af50a26a07c66d8cd5cd4bd9" }, "downloads": -1, "filename": "analyzeMFT-2.0.12.tar.gz", "has_sig": false, "md5_digest": "8b57e0eb0db17e4b1033df588f7fe0d7", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 14722, "upload_time": "2014-11-23T14:30:19", "url": "https://files.pythonhosted.org/packages/f4/94/bfe3d23c845ab9f97899419049136bb9c5f2cca3c465472dc99f2f54d4c7/analyzeMFT-2.0.12.tar.gz" } ], "2.0.13": [ { "comment_text": "", "digests": { "md5": "abc9fa71b2d9e0dd3f58fd86a4c82cc2", "sha256": "3bb2d3730df01f38492d57ee3ada0e04c057148b60ae04c8570f45e484e1b0f5" }, "downloads": -1, "filename": "analyzeMFT-2.0.13.tar.gz", "has_sig": false, "md5_digest": "abc9fa71b2d9e0dd3f58fd86a4c82cc2", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 14947, "upload_time": "2014-11-25T15:05:25", "url": "https://files.pythonhosted.org/packages/1f/8c/e90f0fb0002ceb32295c03bf3e725b4da5cedf6bfae222761a30cedecc80/analyzeMFT-2.0.13.tar.gz" } ], "2.0.14": [ { "comment_text": "", "digests": { "md5": "cedce414cbccaa04a53a30fd07d654ec", "sha256": "f56801410bd23a6363f8b1089d05fe656c283b0a1e797956fcbc184bbbe46eb4" }, "downloads": -1, "filename": "analyzeMFT-2.0.14.tar.gz", "has_sig": false, "md5_digest": "cedce414cbccaa04a53a30fd07d654ec", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 14886, "upload_time": "2014-11-25T15:08:53", "url": "https://files.pythonhosted.org/packages/f1/bf/5ade55567b3a90ad602a5760d82a232d22a6b080d3bba54fa58d4346a9f6/analyzeMFT-2.0.14.tar.gz" } ], "2.0.15": [ { "comment_text": "", "digests": { "md5": "9f48b11bd64bee807a3f1135c20e8975", "sha256": "3f458a5dd3bef3cacb0ae3e363108ff2b6b71a890d98ef4a39778ac3c41c0c8d" }, "downloads": -1, "filename": "analyzeMFT-2.0.15.tar.gz", "has_sig": false, "md5_digest": "9f48b11bd64bee807a3f1135c20e8975", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15176, "upload_time": "2015-02-08T23:52:46", "url": "https://files.pythonhosted.org/packages/5d/03/fcc1f0b89247c682d4064de88d3112415f55b6b6d89f0fb0a25f5ea9da78/analyzeMFT-2.0.15.tar.gz" } ], "2.0.16": [ { "comment_text": "", "digests": { "md5": "9c5e3cec416f39bc76642e168d3301e6", "sha256": "4759dd3038c6279aba91910f4215ad8b88aa0174e06fd099c1a868e0b78c3227" }, "downloads": -1, "filename": "analyzeMFT-2.0.16.tar.gz", "has_sig": false, "md5_digest": "9c5e3cec416f39bc76642e168d3301e6", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15330, "upload_time": "2015-05-21T16:37:43", "url": "https://files.pythonhosted.org/packages/5d/7d/be2f21ca813c6922146c3598ae70d6650952cde025b1472ff2356de30588/analyzeMFT-2.0.16.tar.gz" } ], "2.0.17": [ { "comment_text": "", "digests": { "md5": "eddb759559e9248f8adbe62e715aefcd", "sha256": "ec2eb283f07b94e7ddc5dcb090898a9780fe9602fe47f458aa8124bfd8f3bbd6" }, "downloads": -1, "filename": "analyzeMFT-2.0.17.tar.gz", "has_sig": false, "md5_digest": "eddb759559e9248f8adbe62e715aefcd", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15351, "upload_time": "2015-05-25T18:05:59", "url": "https://files.pythonhosted.org/packages/56/bb/91f7e366f3888a24b6731d683579fe216ab777c55b4eb2910a96bb5b093a/analyzeMFT-2.0.17.tar.gz" } ], "2.0.18": [ { "comment_text": "", "digests": { "md5": "ef6559908b6f7bb3094ea46baa842d92", "sha256": "b4a410745d139e6f4e7bc23b7d718a21c7a16e80bf489e5a1a2496dea5fde882" }, "downloads": -1, "filename": "analyzeMFT-2.0.18.tar.gz", "has_sig": false, "md5_digest": "ef6559908b6f7bb3094ea46baa842d92", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15378, "upload_time": "2015-05-26T13:23:47", "url": "https://files.pythonhosted.org/packages/77/ed/425777402f124d46ba80b62defe14e16e859f79803ed204c33169fac734c/analyzeMFT-2.0.18.tar.gz" } ], "2.0.19": [ { "comment_text": "", "digests": { "md5": "07dc1e8faeda6bd3dd9e79db5ce33c27", "sha256": "e7bce450b58767bab48c55e7dbee8557ff142309581d24789d9510a1f3cade58" }, "downloads": -1, "filename": "analyzeMFT-2.0.19.tar.gz", "has_sig": false, "md5_digest": "07dc1e8faeda6bd3dd9e79db5ce33c27", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15146, "upload_time": "2016-05-27T22:23:53", "url": "https://files.pythonhosted.org/packages/2e/a9/9c6ad02f88918c868b737c69eea9e775fbf96dd1c72444e1f1e7534740b8/analyzeMFT-2.0.19.tar.gz" } ], "2.0.3": [ { "comment_text": "", "digests": { "md5": "18e87f607f98f115b0e32fdef459b167", "sha256": "8c12bf243db856f2ab5e46c849349ec7bd945e8e6f19d2f99b2c7b3d91465577" }, "downloads": -1, "filename": "analyzeMFT-2.0.3.tar.gz", "has_sig": false, "md5_digest": "18e87f607f98f115b0e32fdef459b167", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 12511, "upload_time": "2013-06-23T02:09:48", "url": "https://files.pythonhosted.org/packages/a5/63/d65175d0bb3e40b5f2860be4855d63941fa54587ff193a7d2d1748a8ca74/analyzeMFT-2.0.3.tar.gz" } ], "2.0.4": [ { "comment_text": "", "digests": { "md5": "c87ec8b91c48c44a33fe35819b05c91b", "sha256": "e534d71cf59f6678200ad07ad6232d32f277159ce75c17b2c99394ccb06e4b91" }, "downloads": -1, "filename": "analyzeMFT-2.0.4.tar.gz", "has_sig": false, "md5_digest": "c87ec8b91c48c44a33fe35819b05c91b", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 12710, "upload_time": "2013-06-23T14:46:53", "url": "https://files.pythonhosted.org/packages/3a/af/0b66587c0be9f081cb617a2e3f596212c8a4ca323ce2c29469a2db96c6af/analyzeMFT-2.0.4.tar.gz" } ], "2.0.5": [ { "comment_text": "", "digests": { "md5": "358ceb17628a914dc6338f6f8e053767", "sha256": "598b407f446e48be7c3fb79f9b3b558116837eac3be6f6079d07dceb956be81e" }, "downloads": -1, "filename": "analyzeMFT-2.0.5.tar.gz", "has_sig": false, "md5_digest": "358ceb17628a914dc6338f6f8e053767", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 13516, "upload_time": "2013-07-16T19:22:13", "url": "https://files.pythonhosted.org/packages/18/69/6862745304b7e561d0ae7799dafa2d14bbd33fb4593d5035b95f5909e30d/analyzeMFT-2.0.5.tar.gz" } ], "2.0.6": [ { "comment_text": "", "digests": { "md5": "09171bf1270bb2731d402b3c92e2813a", "sha256": "e206a7f011f684980f3e6f88062aef1757706a62361e1f457155d0bb243c591f" }, "downloads": -1, "filename": "analyzeMFT-2.0.6.tar.gz", "has_sig": false, "md5_digest": "09171bf1270bb2731d402b3c92e2813a", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 13783, "upload_time": "2013-07-18T21:30:21", "url": "https://files.pythonhosted.org/packages/37/17/e80a8f79415a62a0a00e2182d567092515fbe76d43f8352bab35d5e46a7c/analyzeMFT-2.0.6.tar.gz" } ], "2.0.8": [ { "comment_text": "", "digests": { "md5": "cc6fc13a39b8ca827501837b0a0fde74", "sha256": "54bd4751c14b79a77997f5c7cbd5a40a9868446201fa671b8357213788d82ca8" }, "downloads": -1, "filename": "analyzeMFT-2.0.8.tar.gz", "has_sig": false, "md5_digest": "cc6fc13a39b8ca827501837b0a0fde74", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 14343, "upload_time": "2013-08-02T18:28:12", "url": "https://files.pythonhosted.org/packages/fa/05/63f37ac99d2fcd6aeb7e331714c906225d68e7d90d788a26728e3f3aa3ba/analyzeMFT-2.0.8.tar.gz" } ], "2.0.9": [ { "comment_text": "", "digests": { "md5": "838a2169ebc624bf80aca40fc32f18dd", "sha256": "97cc019d0d58869f04e5014d5f1ddc6ff3f12e076570ac93edff443bd566fc8b" }, "downloads": -1, "filename": "analyzeMFT-2.0.9.tar.gz", "has_sig": false, "md5_digest": "838a2169ebc624bf80aca40fc32f18dd", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 14346, "upload_time": "2013-08-02T21:06:11", "url": "https://files.pythonhosted.org/packages/60/52/61ecbeec9554847d03e36b928759cda27e69d6ba8e87667e70be4f203447/analyzeMFT-2.0.9.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "07dc1e8faeda6bd3dd9e79db5ce33c27", "sha256": "e7bce450b58767bab48c55e7dbee8557ff142309581d24789d9510a1f3cade58" }, "downloads": -1, "filename": "analyzeMFT-2.0.19.tar.gz", "has_sig": false, "md5_digest": "07dc1e8faeda6bd3dd9e79db5ce33c27", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15146, "upload_time": "2016-05-27T22:23:53", "url": "https://files.pythonhosted.org/packages/2e/a9/9c6ad02f88918c868b737c69eea9e775fbf96dd1c72444e1f1e7534740b8/analyzeMFT-2.0.19.tar.gz" } ] }