analyzeMFT 2.0 released – OO’d!
Matt Sabourin created an object-oriented version of analyzeMFT.py. Most of the MFT analysis code and other logic was retained from the original version (along with the comments). The OO version is structured for importing the module directly into the python interpreter to allow for manual interaction with the MFT. The module can also be imported into other python scripts that need to work with an MFT.
Matt also added some new options, and the full list of options is now:
Options: --version show program's version number and exit -h, --help show this help message and exit -f FILENAME, --filename=FILENAME [Required] Name of the MFT file to process. -d, --debug [Optional] Turn on debugging output. -p, --fullpath [Optional] Print full paths in output (see comments in code). -n, --fntimes [Optional] Use MAC times from FN attribute instead of SI attribute. -a, --anomaly [Optional] Turn on anomaly detection. -b BODYFILE, --bodyfile=BODYFILE [Optional] Write MAC information in mactimes format to this file. -m MOUNTPOINT, --mountpoint=MOUNTPOINT [Optional] The mountpoint of the filesystem that held this MFT. -g, --gui [Optional] Use GUI for file selection. -o OUTPUT, --output=OUTPUT [Optional] Write analyzeMFT results to this file.
The project is now hosted on GitHub, here.