analyzeMFT 2.0 released – OO’d!
Matt Sabourin created an object-oriented version of analyzeMFT.py. Most of the MFT analysis code and other logic was retained from the original version (along with the comments). The OO version is structured so that the module can be imported directly into the Python interpreter for manual interaction with an MFT, and it can equally be imported by other Python scripts that need to work with an MFT.
Matt also added some new options, and the full list of options is now:
Options:
  --version                            show program's version number and exit
  -h, --help                           show this help message and exit
  -f FILENAME, --filename=FILENAME     [Required] Name of the MFT file to process.
  -d, --debug                          [Optional] Turn on debugging output.
  -p, --fullpath                       [Optional] Print full paths in output (see comments in code).
  -n, --fntimes                        [Optional] Use MAC times from FN attribute instead of SI attribute.
  -a, --anomaly                        [Optional] Turn on anomaly detection.
  -b BODYFILE, --bodyfile=BODYFILE     [Optional] Write MAC information in mactimes format to this file.
  -m MOUNTPOINT, --mountpoint=MOUNTPOINT
                                       [Optional] The mountpoint of the filesystem that held this MFT.
  -g, --gui                            [Optional] Use GUI for file selection.
  -o OUTPUT, --output=OUTPUT           [Optional] Write analyzeMFT results to this file.
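The OO version is meant to be imported and driven from the interpreter, and two of the options above (-n, which switches MAC times from the $STANDARD_INFORMATION attribute to the $FILE_NAME attribute, and -a, anomaly detection) only make sense once you know what those two timestamp sets are. The following is an added example, not code from analyzeMFT or from Matt Sabourin's version: a minimal parser for a single MFT FILE record that applies the update-sequence fixups, reads both timestamp sets, and flags the two classic signs of timestomping (an SI creation time earlier than the FN creation time, and SI times with a zero sub-second part). The record it parses is constructed inside the script, not taken from a disk, and the anomaly names and the builder helpers are my own, chosen for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIME_FIELDS = ("crtime", "mtime", "ctime", "atime")  # created, modified, MFT-modified, accessed


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Exact integer inverse of filetime_to_datetime (used only to build the sample)."""
    d = dt - EPOCH_1601
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def apply_fixups(record, sector_size=512):
    """Undo the update sequence array: the last 2 bytes of every sector hold the USN on disk
    and must be put back from the array before any attribute that straddles a sector is read."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 0x04)
    usn = record[usa_off:usa_off + 2]
    fixed = bytearray(record)
    for i in range(1, usa_count):
        end = i * sector_size
        if fixed[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d (torn write?)" % (i - 1))
        fixed[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(fixed)


def parse_record(record):
    """Walk the resident attributes of one FILE record; timestamps are kept as raw FILETIME ints."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    record = apply_fixups(record)
    first_attr, flags = struct.unpack_from("<HH", record, 0x14)
    recno = struct.unpack_from("<I", record, 0x2C)[0]
    info = {"record": recno, "in_use": bool(flags & 1), "is_dir": bool(flags & 2),
            "si": None, "fn": None, "name": None}
    off = first_attr
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen == 0:
            break
        if record[off + 8] == 0:  # resident attribute: content lives inside the record
            clen, coff = struct.unpack_from("<IH", record, off + 0x10)
            body = record[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                info["si"] = dict(zip(TIME_FIELDS, struct.unpack_from("<4Q", body, 0)))
            elif atype == ATTR_FILE_NAME and info["fn"] is None:  # first $FILE_NAME only
                info["fn"] = dict(zip(TIME_FIELDS, struct.unpack_from("<4Q", body, 8)))
                nlen = body[0x40]
                info["name"] = body[0x42:0x42 + 2 * nlen].decode("utf-16-le")
        off += alen
    return info


def mac_times(info, use_fn=False):
    """MAC times as datetimes from $FILE_NAME when use_fn is set (what -n does), else from SI."""
    src = info["fn"] if use_fn else info["si"]
    return {k: filetime_to_datetime(v) for k, v in src.items()}


def anomalies(info):
    """Timestomp heuristics (my own names): user-mode APIs rewrite SI but not FN, and most
    stomping tools only accept whole seconds, so the sub-second part of SI comes out as zero."""
    found, si, fn = [], info["si"], info["fn"]
    if si is None or fn is None:
        return found
    if si["crtime"] < fn["crtime"]:
        found.append("si-crtime-before-fn-crtime")
    if any(si[k] % 10_000_000 == 0 for k in ("crtime", "mtime")):
        found.append("si-usec-zero")
    return found


def _resident_attr(atype, body):
    """Resident attribute: 0x18-byte header, content padded to 8 bytes (sample builder)."""
    padded = body + b"\x00" * (-len(body) % 8)
    hdr = struct.pack("<IIBBHHHIHBB", atype, 0x18 + len(padded), 0, 0, 0, 0, 0, len(body), 0x18, 0, 0)
    return hdr + padded


def build_sample_record(si_times, fn_times, name, recno=42, sector=512, size=1024):
    """Constructed 1024-byte FILE record for this example, not taken from a real volume."""
    usa_count = size // sector + 1
    usa_off = 0x30
    first_attr = usa_off + 2 * usa_count + (-(2 * usa_count) % 8)
    rec = bytearray(size)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, usa_off, usa_count)
    struct.pack_into("<HH", rec, 0x10, 1, 1)              # sequence number, hard-link count
    struct.pack_into("<HH", rec, 0x14, first_attr, 0x01)  # first attribute offset, flags: in use
    struct.pack_into("<I", rec, 0x1C, size)               # allocated size
    struct.pack_into("<I", rec, 0x2C, recno)
    si_body = struct.pack("<4Q", *si_times) + b"\x00" * 40
    fn_body = (struct.pack("<Q4QQQII", (5 << 48) | 5, *fn_times, 4096, 3021, 0x20, 0)
               + bytes([len(name), 1]) + name.encode("utf-16-le"))
    attrs = (_resident_attr(ATTR_STANDARD_INFORMATION, si_body)
             + _resident_attr(ATTR_FILE_NAME, fn_body) + struct.pack("<II", ATTR_END, 0))
    rec[first_attr:first_attr + len(attrs)] = attrs
    struct.pack_into("<I", rec, 0x18, first_attr + len(attrs))  # used size
    usn = b"\x07\x00"  # install fixups: save each sector's tail into the USA, overwrite with USN
    rec[usa_off:usa_off + 2] = usn
    for i in range(1, usa_count):
        end = i * sector
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


def sample_record():
    """report.docx with SI creation/modification stomped back to 2009; FN keeps the real 2012 times."""
    real_created = datetime(2012, 3, 15, 10, 30, 45, 123456, tzinfo=timezone.utc)
    real_modified = datetime(2012, 3, 15, 10, 31, 2, 654321, tzinfo=timezone.utc)
    stomped = datetime(2009, 1, 1, tzinfo=timezone.utc)
    fn = [datetime_to_filetime(t) for t in (real_created, real_modified, real_modified, real_created)]
    si = [datetime_to_filetime(t) for t in (stomped, stomped, real_modified, real_created)]
    return build_sample_record(si, fn, "report.docx")


if __name__ == "__main__":
    info = parse_record(sample_record())
    print(info["record"], info["name"], mac_times(info)["crtime"], mac_times(info, True)["crtime"], anomalies(info))
```

On an exported $MFT the records are consecutive fixed-size blocks (1024 bytes on nearly every volume; the true size is in the boot sector), so the same parse_record can be run over the file in 1024-byte reads, skipping blocks whose signature is not FILE. The fixup step matters: an attribute that happens to straddle byte 510 of a record will have two bytes of USN in the middle of a timestamp if it is skipped.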
The project is now hosted on GitHub.
Categories: analyzeMFT
Hi David,
Is it possible to read the MFT of a PC that is powered on and working?
(I can dump the change journal; but it’s the MFT I am trying to invoke)
Leon,
You can extract the $MFT from a live system using FTK Imager. analyzeMFT will not read it directly, though.
-David