1 / 8

MFT Analysis

MFT Analysis. http://www.integriography.com/ http://windowsir.blogspot.com/2010/02/mft-analysis.html. analyzeMFT. Written by David Kovar, CCE Python tool to parse $MFT Parses the attributes of each file in an NTFS file system Output is really gross CSV format

sadah
Download Presentation

MFT Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. MFT Analysis http://www.integriography.com/ http://windowsir.blogspot.com/2010/02/mft-analysis.html

  2. analyzeMFT • Written by David Kovar, CCE • Python tool to parse $MFT • Parses the attributes of each file in an NTFS file system • Output is really gross • CSV format • At least 50 entries for each file • All text • Used by other applications

  3. Output FIelds • Record Number • Good - if the entry is valid • Active - if the entry is active • Record type - the type of record • Record Sequence - the sequence number for the record • Parent Folder Record Number • Parent Folder Sequence Number • For the standard information attribute: • Creation date • Modification date • Access date • Entry date

  4. Output Fields, cont. • For up to four file name records: • File name • Creation date • Modification date • Access date • Entry date • Object ID • Birth Volume ID • Birth Object ID • Birth Domain ID

  5. Output Fields, cont. • And flags to show if each of the following attributes is present: • Standard Information, Attribute List, Filename, Object ID, Volume Name, Volume Info, Data, Index Root, Index Allocation, Bitmap, Reparse Point, EA Information, EA, Property Set, Logged Utility Stream • Notes/Log - Field used to log any significant events or observations relating to this record • std-fn-shift - Populated if anomaly detection is turned on. Y/N. Y indicates that the FN create date is later than the STD create date. • usec-zero - Populated if anomaly detection is turned on. Y/N. Y indicates that the STD create date's microsecond value is zero.

  6. I told you so! • 110575","Good","Inactive","0","5422 - 5426","3","TRANSFERMGR.EXE-24D2A23F.pf","2009/12/27 18:35:57.625000","2009/12/28 05:32:01.390625","2009/12/27 18:35:57.625000","2009/12/28 05:32:01.390625","2009/12/27 18:35:57.625000","2009/12/27 18:35:57.625000","2009/12/27 18:35:57.625000","2009/12/27 18:35:57.625000","","","","","TRANSFERMGR.EXE-24D2A23F.pf","2009/12/27 18:35:57.625000","2009/12/27 18:35:57.625000","2009/12/27 18:35:57.625000","2009/12/27 18:35:57.625000","","","","","","","","","","","True","False","False","False","False","False","True","False","False","False","False","False","False","False","False"

  7. Usage • Usage: analyzeMFT.py [options] • Options:-h, --help show this help message and exit-f FILE, --file=FILE Read MFT from FILE-o FILE, --output=FILE Write results to FILE-a, --anomaly Turn on anomaly detection-b FILE, --bodyfile=FILE Write MAC information to bodyfile-g, --gui Use GUI for file selection-d, --debug Turn on debugging output

  8. Extract the MFT • ntfscopy by Jonathan Tomczak • http:/tzworks.net >ntfscopy \$MFT ntfs.mft –image ntfs.001 –offset 0x400000 • analyzeMFT by David Kovar • Integriography.com >python c:\bin\analyzeMFT.py –f ntfs.mft –o mft.txt

More Related