Home
> analyzeMFT > Improved bodyfile support
Improved bodyfile support
With more thanks to Jamie for the prompting, I’ve improved bodyfile support in the latest version of analyzeMFT.
- You can now specify just a bodyfile for output and do not need to create a normal output file as well.
- The real (not allocated) file size is included
- If you use the –bodypath option, it writes out the full path to the file rather than just the file name
- If you use the –bodystd option, it uses the STD_INFO timestamps rather than just the FN timestamps. I find STD_INFO to be more interesting….
This is a pretty significant fix and I would suggest upgrading if you create timelines with analyzeMFT.
Links:
Git: git clone https://github.com/dkovar/analyzeMFT.git
Code: https://github.com/dkovar/analyzeMFT/blob/master/analyzeMFT.py
Categories: analyzeMFT
Integriography: A Journal of Broken Locks, Ethics, and Computer Forensics 
Hi Dave, I was recently reading a post by Corey Harrell how he used your analyzeMFT tool to create a timeline. The output file was a .csv with file name and path with the MACB included. The output columns were date,time,MACB,sourcetype, and short (filename path). I am attempting to create the same output with my MFT sample, however I cant seem to reproduce what Corey did. Could you please advise me on the command input, switches to get the desired result. Many thanks.
Ref: http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html
Greetings,
There are three options for writing results out:
-o FILE, –output=FILE
write results to FILE
-b FILE, –bodyfile=FILE
write MAC information to bodyfile
-c FILE, –csvtimefile=FILE
write CSV format timeline file
Corey was probably using the “-c FILE” option.
-David
Dave, Thank you for your prompt reply. I am still getting an error when I use the below command line.
analyzeMFT.py –f $MFT –c Results.csv
-o filename or –b filename required.
Sorry, Im a little lost on the required order of the switches.