#windows-file #data-stream #csv #table #safe #output-format #binary-data

bin+lib mft

A Fast (and safe) parser for the Windows Master File Table (MFT) format

14 releases

0.6.1 Feb 18, 2023
0.6.0 Jan 6, 2022
0.5.3 Apr 14, 2020
0.5.1 Feb 6, 2020
0.4.4 Jun 19, 2019

#1571 in Parser implementations


7,121 downloads per month
Used in 3 crates

MIT/Apache

1.5MB
2K SLoC


MFT

This is a parser for the MFT (master file table) format.

MSRV is the latest stable Rust.

Documentation

Python bindings are also available at https://github.com/omerbenamram/pymft-rs (and on PyPI at https://pypi.org/project/mft/)

Features

  • Implemented in 100% safe Rust, and works on all platforms supported by Rust (that have stdlib).
  • Supports JSON and CSV outputs.
  • Supports extracting resident data streams.

Installation (associated binary utility):

  • Download latest executable release from https://github.com/omerbenamram/mft/releases
    • Releases are automatically built for Windows, macOS, and Linux. (64-bit executables only)
  • Build from sources using cargo install mft

mft_dump (Binary utility):

The main binary utility provided with this crate is mft_dump, which provides a quick way to convert MFT snapshots to different output formats.

Some examples

  • mft_dump <input_file> will dump contents of mft entries as JSON.
  • mft_dump -o csv <input_file> will dump contents of mft entries as CSV.
  • mft_dump --extract-resident-streams <output_directory> -o json <input_file> will extract all resident streams in MFT to files in <output_directory>.

Library usage:

use mft::MftParser;
use mft::attribute::MftAttributeContent;
use std::path::PathBuf;

fn main() {
    // Change this to a path of your MFT sample.
    let fp = PathBuf::from(format!("{}/samples/MFT", std::env::var("CARGO_MANIFEST_DIR").unwrap()));

    let mut parser = MftParser::from_path(fp).unwrap();
    for entry in parser.iter_entries() {
        match entry {
            Ok(e) => {
                // Attributes that fail to parse are silently skipped by filter_map here.
                for attribute in e.iter_attributes().filter_map(|attr| attr.ok()) {
                    match attribute.data {
                        // Attribute type 0x10: $STANDARD_INFORMATION
                        MftAttributeContent::AttrX10(standard_info) => {
                            println!("\tX10 attribute: {:#?}", standard_info)
                        },
                        // Attribute type 0x30: $FILE_NAME
                        MftAttributeContent::AttrX30(filename_attribute) => {
                            println!("\tX30 attribute: {:#?}", filename_attribute)
                        },
                        _ => {
                            println!("\tSome other attribute: {:#?}", attribute)
                        }
                    }
                }
            }
            // Entry-level parse errors are reported and iteration continues.
            Err(err) => eprintln!("{}", err),
        }
    }
}
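
What "resident" and the X10/X30 type codes above refer to, as an added std-only example that is not code from the mft crate: it walks the attribute headers of a single FILE record with bounds-checked reads and returns the content of each resident attribute. The sample record is constructed, resident_attributes and sample_record are hypothetical names, and update-sequence fixups are not applied.

```rust
// Added example (std only), not code from the mft crate.
/// Bounds-checked little-endian read: None on short input, never a panic.
fn le(buf: &[u8], off: usize, n: usize) -> Option<u64> {
    let bytes = buf.get(off..off.checked_add(n)?)?;
    Some(bytes.iter().rev().fold(0, |acc, b| (acc << 8) | u64::from(*b)))
}

/// (type, content) of each resident attribute in one FILE record.
/// Assumption: update-sequence fixups are not applied.
pub fn resident_attributes(rec: &[u8]) -> Result<Vec<(u32, &[u8])>, &'static str> {
    if rec.get(..4) != Some(&b"FILE"[..]) { return Err("bad signature"); }
    let mut off = le(rec, 0x14, 2).ok_or("truncated header")? as usize;
    let mut out = Vec::new();
    loop {
        let ty = le(rec, off, 4).ok_or("attribute header out of bounds")? as u32;
        if ty == 0xFFFF_FFFF { return Ok(out); } // end-of-attributes marker
        let len = le(rec, off + 4, 4).ok_or("attribute header out of bounds")? as usize;
        // Reject lengths that would stall the loop or run past the record.
        if len < 0x18 || off.checked_add(len).map_or(true, |end| end > rec.len()) {
            return Err("invalid attribute length");
        }
        if rec[off + 8] == 0 { // non-resident flag clear: content is stored in the record
            let clen = le(rec, off + 0x10, 4).ok_or("truncated")? as usize;
            let coff = le(rec, off + 0x14, 2).ok_or("truncated")? as usize;
            // Content must sit inside this attribute, not merely inside the record.
            let end = coff.checked_add(clen).filter(|e| *e <= len).ok_or("content outside attribute")?;
            out.push((ty, &rec[off + coff..off + end]));
        }
        off += len;
    }
}

/// Constructed sample record: one resident 0x80 ($DATA) attribute holding "hi!".
pub fn sample_record() -> Vec<u8> {
    let mut r = vec![0u8; 0x38 + 0x20];
    r[..4].copy_from_slice(b"FILE");
    r[0x14] = 0x38; // offset of first attribute
    r[0x38] = 0x80; // attribute type
    r[0x3C] = 0x20; // attribute length, header included
    r[0x48] = 3;    // content length
    r[0x4C] = 0x18; // content offset, relative to the attribute start
    r[0x50..0x53].copy_from_slice(b"hi!");
    r.extend_from_slice(&[0xFF; 4]); // end marker
    r
}

fn main() {
    println!("{:?}", resident_attributes(&sample_record()));
}
```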

Thanks/Resources:

Dependencies

~8–17MB
~211K SLoC