Name : analyzeMFT
Version : 2.0.4
Vendor : obs://build_opensuse_org/home:gregfreemyer:Tools-for-forensic-boot-cd
Release : 5.1
Date : 2014-10-15 17:28:37
Group : Development/Libraries/Python
Source RPM : analyzeMFT-2.0.4-5.1.src.rpm
Size : 0.08 MB
Packager : (none)
Summary : A Python tool to deconstruct the Windows NTFS $MFT file
Description :
analyzeMFT.py is designed to fully parse the MFT file from an NTFS filesystem and present the results as accurately as possible in a format that allows further analysis with other tools. At present, it parses the attributes from a $MFT file to produce the following output:
Good - if the entry is valid
Active - if the entry is active
Record type - the type of record
Record Sequence - the sequence number for the record
Parent Folder Record Number
Parent Folder Sequence Number
For the standard information attribute:
For up to four file name records:
Birth Volume ID
Birth Object ID
Birth Domain ID
And flags to show if each of the following attributes is present:
Standard Information, Attribute List, Filename, Object ID, Volume Name, Volume Info, Data, Index Root, Index Allocation, Bitmap, Reparse Point, EA Information, EA, Property Set, Logged Utility Stream
Notes/Log - Field used to log any significant events or observations relating to this record
std-fn-shift - Populated if anomaly detection is turned on. Y/N. Y indicates that the FN create date is later than the STD create date.
usec-zero - Populated if anomaly detection is turned on. Y/N. Y indicates that the STD create date's microsecond value is zero.
For each entry in the MFT a record is written to an output file in CSV format.
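The two anomaly columns above, as an added Python example that is not analyzeMFT's own code: it reads the creation timestamps out of constructed $STANDARD_INFORMATION and $FILE_NAME attribute bodies (standard NTFS layout, creation time at offset 0 and offset 8 respectively) and derives std-fn-shift and usec-zero. Comparing the two dates at microsecond resolution is an assumption; the page does not state the tool's exact rule.

```python
import struct
from datetime import datetime, timedelta, timezone

# NTFS FILETIME: 100 ns ticks since 1601-01-01 UTC
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME to an aware UTC datetime (microsecond resolution)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here only to build the sample attributes."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def std_info_create_time(body):
    """$STANDARD_INFORMATION content: creation time is the first 8 bytes (little-endian)."""
    return struct.unpack_from("<Q", body, 0)[0]

def file_name_create_time(body):
    """$FILE_NAME content: 8-byte parent reference, then creation time at offset 8."""
    return struct.unpack_from("<Q", body, 8)[0]

def anomaly_flags(std_body, fn_body):
    """Return (std_fn_shift, usec_zero) as 'Y'/'N', following the two column
    definitions above. Assumption: dates are compared at microsecond resolution."""
    std_create = filetime_to_datetime(std_info_create_time(std_body))
    fn_create = filetime_to_datetime(file_name_create_time(fn_body))
    std_fn_shift = "Y" if fn_create > std_create else "N"
    usec_zero = "Y" if std_create.microsecond == 0 else "N"
    return std_fn_shift, usec_zero

def build_sample(std_create, fn_create):
    """Constructed attribute bodies holding only the fields this check reads."""
    std_body = struct.pack("<Q", datetime_to_filetime(std_create)) + b"\x00" * 40
    fn_body = b"\x00" * 8 + struct.pack("<Q", datetime_to_filetime(fn_create))
    return std_body, fn_body

# Constructed records: the first has a $FILE_NAME creation time later than the
# $STANDARD_INFORMATION one and a STD creation time with zero microseconds;
# the second has matching, sub-second timestamps.
SUSPECT = build_sample(datetime(2010, 1, 1, tzinfo=timezone.utc),
                       datetime(2014, 3, 5, 12, 34, 56, 123456, tzinfo=timezone.utc))
NORMAL = build_sample(datetime(2014, 3, 5, 12, 34, 56, 123456, tzinfo=timezone.utc),
                      datetime(2014, 3, 5, 12, 34, 56, 123456, tzinfo=timezone.utc))

if __name__ == "__main__":
    print("suspect:", anomaly_flags(*SUSPECT))  # ('Y', 'Y')
    print("normal:", anomaly_flags(*NORMAL))    # ('N', 'N')
```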
Major contributions from Matt Sabourin.
RPM found in directory: /mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/gregfreemyer:/Tools-for-forensic-boot-cd/openSUSE_13.1/noarch