Archive
Improved bodyfile support
With more thanks to Jamie for the prompting, I’ve improved bodyfile support in the latest version of analyzeMFT.
- You can now specify just a bodyfile for output and do not need to create a normal output file as well.
- The real (not allocated) file size is included
- If you use the –bodypath option, it writes out the full path to the file rather than just the file name
- If you use the –bodystd option, it uses the STD_INFO timestamps rather than just the FN timestamps. I find STD_INFO to be more interesting….
This is a pretty significant fix and I would suggest upgrading if you create timelines with analyzeMFT.
Links:
Git: git clone https://github.com/dkovar/analyzeMFT.git
Code: https://github.com/dkovar/analyzeMFT/blob/master/analyzeMFT.py
Updated analyzeMFT – fixed MFT record number reporting
When I originally wrote analyzeMFT I assumed that the MFT record numbers would start at zero and politely increase by one for each record so “recordNumber = recordNumber + 1” would be valid. Happily, this worked, apparently for years. That is, until Jamie threw corrupted MFT files at it, such as MFT records extracted from memory.
- The sequence numbers had gaps
- If there was a gap, then the actual sequence number wouldn’t match the reported sequence number
- Determination of the file path might be off as the parent record number pulled from the entry might now point to the wrong entry
Oooops.
This has been fixed.
I also fixed the handling of orphan files, those files that had a null parent or whose parent was a file.
This is a pretty significant fix and I would suggest upgrading.
Links:
Git: git clone https://github.com/dkovar/analyzeMFT.git
Code: https://github.com/dkovar/analyzeMFT/blob/master/analyzeMFT.py
Integriography: A Journal of Broken Locks, Ethics, and Computer Forensics 