Home > analyzeMFT > analyzeMFT 2.0 released – OO’d!

analyzeMFT 2.0 released – OO’d!

Matt Sabourin created an object-oriented version of analyzeMFT.py. Most of the MFT analysis code and other logic was retained from the original version (along with the comments). The OO version is structured for importing the module directly into the python  interpreter to allow for manual interaction with the MFT. The module can also be  imported into other python scripts that need to work with an MFT.

Matt also added some new options, and the full list of options is now:

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -f FILENAME, --filename=FILENAME
                         [Required] Name of the MFT file to process.
  -d, --debug            [Optional] Turn on debugging output.
  -p, --fullpath         [Optional] Print full paths in output (see comments
                        in code).
  -n, --fntimes          [Optional] Use MAC times from FN attribute instead of
                        SI attribute.
  -a, --anomaly          [Optional] Turn on anomaly detection.
  -b BODYFILE, --bodyfile=BODYFILE
                         [Optional] Write MAC information in mactimes format
                        to this file.
  -m MOUNTPOINT, --mountpoint=MOUNTPOINT
                         [Optional] The mountpoint of the filesystem that held
                        this MFT.
  -g, --gui              [Optional] Use GUI for file selection.
  -o OUTPUT, --output=OUTPUT
                         [Optional] Write analyzeMFT results to this file.

The project is now hosted on GitHub, here.

About these ads
Categories: analyzeMFT
  1. Leon
    October 20, 2011 at 5:22 pm

    Hi David,
    Is it possible to read the MFT of a PC that is powered on and working?
    (I can dump the change journal; but it’s the MFT I am trying to invoke)

    • October 20, 2011 at 7:27 pm

      Leon,

      You can extract the $MFT from a live system using FTK Imager. analyzeMFT will not read it directly, though.

      -David

  1. July 29, 2011 at 4:17 pm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 41 other followers

%d bloggers like this: