{ "info": { "author": "Tim Doty", "author_email": "pip@baldskirkja.com", "bugtrack_url": null, "classifiers": [], "description": "Parse MFT\n=========\n\nparseMFT.py is designed to fully parse the MFT file from an NTFS filesystem\nand present the results as accurately as possible in multiple formats. It is\nintended to be safe to use. A large MFT can require many GB of RAM to fully\nload into memory so by default an MFT is parsed in two passes: once loading\nall record names into memory and building full file paths, and a second pass\nloading only one record at a time and printing it out.\n\nNaturally a single pass is quicker: the amount of time required to process\nan MFT depends in part on the output format, but a single pass takes about\nhalf the time of the standard two pass method. In order to take advantage\nof the speed increase use the --inmemory option. However, if parseMFT thinks\nthat doing so might require more than the maximum allowed memory (4 GB by\ndefault) it will abort and report how much memory it thinks could be\nrequired to process.\n\nNote that the actual memory requirement may be substantially less: the\nestimates are intentionally conservative and -- especially for huge MFTs --\nmay substantially overestimate the actual memory requirement.\n\nInstallation\n============\nYou should soon be able to install parseMFT with pip:\n\n pip install parseMFT\n \nAlternatively:\n\n git clone https://github.com/thoromyr/parseMFT.git\n cd parseMFT\n python setup.py install (or, just run it from that directory)\n\nUsage\n=====\n
\nusage: parseMFT.py [-h] (-c | -j | -b | -g | -t) [-o FILE] [-e] [-i INDENT]\n                   [-s] [-l] [-k] [--legacy_l2t_date] [-f] [-x STRING] [-w]\n                   [--max_memory MAX_MEMORY] [-a] [-m]\n                   [--estimate_memory_only] [-p] [-d] [-v] [-q] [-V]\n                   MFT_FILE\n\nParse Windows MFT and output timeline\n\npositional arguments:\n  MFT_FILE              read MFT from FILE\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -c, --csv             CSV format output\n  -j, --json            JSON format output [use --inmemory to get all data]\n  -b, --bodyfile        Bodyfile format output\n  -g, --timesketch      Timesketch compatible output\n  -t, --timeline        Plaso/log2timeline compatible output\n  -o FILE, --output FILE\n                        write results to FILE [default is STDOUT]\n  -e, --excel           Make output Excel friendly, normally used with -c\n  -i INDENT, --indent INDENT\n                        Number of spaces to indent in json output; only\n                        meaningful when used with -j\n  -s, --stdinfo         Prefer STD_INFO timestamps to FILENAME timestamps\n  -l, --localtz         Report times using local timezone\n  -k, --keep_fractional_seconds\n                        Keep fractional seconds in date/time stamps\n  --legacy_l2t_date     Use legacy l2t \"MM/DD/YYYY\" date format\n  -f, --fullpath        Bodyfile uses full path rather than just filename;\n                        ignored without -b\n  -x STRING, --invalid_data STRING\n                        Text to use for an invalid or missing data, e.g., when\n                        time is zero (1601-01-01 00:00:00) [default is an\n                        empty string]\n  -w, --windows_path    File paths should use the windows path separator\n                        instead of linux\n  --max_memory MAX_MEMORY\n                        Set the maximum memory for --inmemory [default is 4\n                        GB]\n  -a, --anomaly         Turn on anomaly detection\n  -m, --inmemory        Load in a single pass. Faster but uses more memory.\n  --estimate_memory_only\n                        Terminate after estimating the amount of memory\n                        required.\n  -p, --progress        Show systematic progress reports\n  -d, --debug           Turn on debugging output [implies -vvv, use -q to\n                        suppress verbose output]\n  -v, --verbose         Show non-fatal errors\n  -q, --quiet           Suppress error messages\n  -V, --version         show program's version number and exit\n\nTo avoid unicode errors in the console: \"export PYTHONIOENCODING=UTF-8\"\n
\n\nOutput\n======\n\nparseMFT can produce output in JSON, CSV or bodyfile format and conform to \nplaso/l2t or timesketch.\n\nCSV output\n----------\nAlthough JSON is considered to be the authoritative output format, CSV is more\ncommonly used. While technically CSV stands for \"comma separate values\" the\nformat is generalized and other characters, such as pipes, can be used as value\ndelimiters. Looked at through this lense, the bodyfile format is a CSV with\na pipe delimiter and a particular set of fields.\n\nThe 'csv' output format is then just a default set of fields (and delimiter)\nthat happens to differ from that of 'bodyfile', 'timeline' and 'timesketch'.\n\nUpdate History\n==============\n[See CHANGES.txt]\n\n- Version 0.2: csv, plaso/l2t and timesketch working correctly\n- Version 0.1: bodyfile output working correctly\n- Version 0.0: rework so that internal representation can be dumped as JSON\n\n\nInspiration\n===========\nFor an initial incident response triage was pulling the MFT but needed a quick\nway to parse it for analysis. To this end wanted something quicker/simpler than\nplaso but also that could be dumped into timesketch.\n\nThe analyzeMFT project looked good, but had a muddled internal format that\ncouldn't be cleanly dumped to JSON, plus some architectural issues that made\nthe prospect of extending it a non-starter. But it still served as a good basis.\n\nAn effort has been made to retain the same options, but some (such as using -v\nfor --version instead of --verbose) have been changed to better adhere to\ncommon conventions.\n\n\nFuture work\n===========\n\n- further improvements to internal representation\n- fully implement options\n- fix JSON output\n- read from STDIN\n- validate output\n\n\nUseful Documentation\n====================\n\n1) http://dubeyko.com/development/FileSystems/NTFS/ntfsdoc.pdf\n\n", "description_content_type": null, "docs_url": null, "download_url": "https://github.com/thoromyr/parseMFT/archive/v0.2.tar.gz", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "http://github.com/thoromyr/parseMFT", "keywords": "mft", "license": "LICENSE.txt", "maintainer": "", "maintainer_email": "", "name": "parseMFT", "package_url": "https://pypi.org/project/parseMFT/", "platform": "", "project_url": "https://pypi.org/project/parseMFT/", "project_urls": { "Download": "https://github.com/thoromyr/parseMFT/archive/v0.2.tar.gz", "Homepage": "http://github.com/thoromyr/parseMFT" }, "release_url": "https://pypi.org/project/parseMFT/0.2/", "requires_dist": null, "requires_python": "", "summary": "Parse the $MFT from an NTFS filesystem.", "version": "0.2" }, "last_serial": 3429291, "releases": { "0.2": [ { "comment_text": "", "digests": { "md5": "a0471b817359efb51e46e75647487699", "sha256": "780f86b06cd681e88912912e8c36f888e10c3b95015c8998a3d3f517f7d87194" }, "downloads": -1, "filename": "parseMFT-0.2.tar.gz", "has_sig": false, "md5_digest": "a0471b817359efb51e46e75647487699", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 21594, "upload_time": "2017-12-19T20:03:40", "url": "https://files.pythonhosted.org/packages/4d/7d/393011ba91c15197391dd3eba3fde05ee651688d81ab626d93a9ba9a34b5/parseMFT-0.2.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "a0471b817359efb51e46e75647487699", "sha256": "780f86b06cd681e88912912e8c36f888e10c3b95015c8998a3d3f517f7d87194" }, "downloads": -1, "filename": "parseMFT-0.2.tar.gz", "has_sig": false, "md5_digest": "a0471b817359efb51e46e75647487699", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 21594, "upload_time": "2017-12-19T20:03:40", "url": "https://files.pythonhosted.org/packages/4d/7d/393011ba91c15197391dd3eba3fde05ee651688d81ab626d93a9ba9a34b5/parseMFT-0.2.tar.gz" } ] }