I started rewriting analyzeMFT so that it can be loaded as a module and called from other programs. The primary reason is to enable including it in plaso, but perhaps other programs will find a need for it.
The work isn’t done yet, but it is still usable as a standalone program, and it has some improved handling of corrupt MFT records, so I decided to release it.
Quick install:
- git clone https://github.com/dkovar/analyzeMFT.git
- cd analyzeMFT/analyzemft
- python analyzeMFT
Once I finish the work I’ll also make a zip file available.
Notes:
- All output between the new and old version is identical except in cases where records are corrupt or incomplete. In those cases, the new output is more accurate.
- There is a lot of strangeness going on in MFT records. In restructuring analyzeMFT, I found a number of conditions that I failed to check for but which accidentally didn’t throw errors. For example, there are MFT records with no Standard Information attributes.
- Detection of Orphan records, my term, has been improved. Additional research is required to determine what causes them to occur.
- Processing time improved slightly.
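As an added illustration of the kind of defensive attribute walk those notes call for (example code written here, not analyzeMFT's own), the parser below reads the standard NTFS FILE record header, refuses to trust any attribute length field, and reports a record with no $STANDARD_INFORMATION as a distinct case instead of failing. The sample records are constructed in memory, and update-sequence (fixup) handling is deliberately left out.

```python
import struct

STANDARD_INFORMATION, FILE_NAME, END_OF_ATTRIBUTES = 0x10, 0x30, 0xFFFFFFFF


def parse_record(raw):
    """Walk one 1024-byte MFT record's attributes without trusting any length
    field: a corrupt record yields a partial result instead of an exception."""
    if len(raw) < 48 or raw[:4] != b"FILE":             # "BAAD" or zeroed
        return {"status": "corrupt", "attributes": []}
    first_attr, _flags, used = struct.unpack_from("<HHI", raw, 20)
    if first_attr < 42 or used > len(raw):              # header is nonsense
        return {"status": "corrupt", "attributes": []}
    result, off = {"status": "ok", "attributes": []}, first_attr
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", raw, off)
        if atype == END_OF_ATTRIBUTES:
            break
        # zero, misaligned or oversized length: would loop forever or overrun
        if alen < 24 or alen % 8 or off + alen > used:
            result["status"] = "corrupt"
            break
        result["attributes"].append(atype)
        off += alen
    else:
        result["status"] = "corrupt"                    # no end marker
    if result["status"] == "ok" and STANDARD_INFORMATION not in result["attributes"]:
        result["status"] = "no_standard_info"           # valid, but unusual
    return result


def build_record(attr_types, signature=b"FILE", bad_length=None):
    """Constructed sample record (test data, not a real MFT); bad_length
    corrupts the first attribute's length field."""
    body = b""
    for i, atype in enumerate(attr_types):
        content = b"\x00" * 16
        length = bad_length if i == 0 and bad_length is not None else 24 + len(content)
        body += struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 24, 0, i,
                            len(content), 24, 0, 0) + content
    body += struct.pack("<II", END_OF_ATTRIBUTES, 0)
    header = struct.pack("<4sHHQHHHHIIQH", signature, 48, 3, 0, 1, 1, 56, 1,
                         56 + len(body), 1024, 0, len(attr_types))
    return (header.ljust(56, b"\x00") + body).ljust(1024, b"\x00")


SAMPLE_RECORDS = {                                      # one constructed case each
    "normal": build_record([STANDARD_INFORMATION, FILE_NAME]),
    "no_si": build_record([FILE_NAME]),
    "baad": build_record([STANDARD_INFORMATION], signature=b"BAAD"),
    "overrun": build_record([STANDARD_INFORMATION, FILE_NAME], bad_length=4096),
}
```

Run `parse_record` over each entry of `SAMPLE_RECORDS` to see the four outcomes; a real MFT would be read in 1024-byte slices after applying the fixups this example skips.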
