Command line usage about mft2csv HOT 9 CLOSED

Hello,

I would also find the ability extremely useful, and greatly appreciated. Many times we are automating creating timelines from MFT files from hundreds of computers. The ability to use your tool in a command line format would be awesome as we would be able to script it out.

from mft2csv.

Would MFTRCRD be that?

from mft2csv.

It looks like MFTRCRD is for dumping information for one specific file, and not the whole MFT record :( Unless I am missing something...

Usage: "MFTRCRD param1 param2 param3"

param1 can be a valid file path or an IndexNumber ($MFT record number)

from mft2csv.

The MFTRCRD tool was only meant to provide a means of quick dump/decode of
individual records (and the syntax is stupid). Regarding Mft2Csv, a
commandline interface would indeed be interesting, and might not be very
dificult to implement. I'll think about it. Is it safe to assume that
inputs usually would be extracted $MFT or disk/volume image file?

On 15 September 2015 at 23:17, Mari DeGrazia [email protected]
wrote:

It looks like MFTRCRD is for dumping information for one specific file,
and not the whole MFT record :( Unless I am missing something...

Usage: "MFTRCRD param1 param2 param3"

param1 can be a valid file path or an IndexNumber ($MFT record number)

—
Reply to this email directly or view it on GitHub
#1 (comment).

Regards,
Joakim

from mft2csv.

That is correct. In our usage scenario, we extract the $MFT file rather then take a full disk image when we need to do triage on a system. If it is implemented, I would be happy to buy you buy you a much deserved beer.

from mft2csv.

@mdegrazia just an fyi I switched over to mftdump and it works great from the command line:

http://malware-hunters.net/2012/09/13/mftdump-v-1-3-0-released/

from mft2csv.

One issue I noticed with MFTdump is that it does not correctly supply the parent directory of deleted files. This is addressed in the documentation, "Yes. You cannot rely on the file path information field for deleted files. That is why the path information provided for deleted files have “?” marks at the beginning and end."

While the '?' lets the examiner know that the path may be incorrect, MFT2CSV handles this output a bit better. MFT2CSV supplies the correct file path associated with the deleted file, and leaves off the incorrect path which is usually appended in front of the correct path by other tools . I have some test data I can post later demonstrating this.

from mft2csv.

Good news is the new version with support for commandline mode is almost finished. Just doing some final tests.

from mft2csv.

Commandline support implemented.

from mft2csv.