This is a parser for the MFT (master file table) format.
MSRV is latest stable rust.
Python bindings are available as well at https://github.com/omerbenamram/pymft-rs (and at PyPi https://pypi.org/project/mft/)
- Implemented using 100% safe rust - and works on all platforms supported by rust (that have stdlib).
- Supports JSON and CSV outputs.
- Supports extracting resident data streams.
- Download latest executable release from https://github.com/omerbenamram/mft/releases
- Releases are automatically built for for Windows, macOS, and Linux. (64-bit executables only)
- Build from sources using
cargo install mft
The main binary utility provided with this crate is mft_dump, and it provides a quick way to convert mft snapshots to different output formats.
Some examples
mft_dump <input_file>will dump contents of mft entries as JSON.mft_dump -o csv <input_file>will dump contents of mft entries as CSV.mft_dump --extract-resident-streams <output_directory> -o json <input_file>will extract all resident streams in MFT to files in <output_directory>.
use mft::MftParser;
use mft::attribute::MftAttributeContent;
use std::path::PathBuf;
fn main() {
// Change this to a path of your MFT sample.
let fp = PathBuf::from(format!("{}/samples/MFT", std::env::var("CARGO_MANIFEST_DIR").unwrap()));
let mut parser = MftParser::from_path(fp).unwrap();
for entry in parser.iter_entries() {
match entry {
Ok(e) => {
for attribute in e.iter_attributes().filter_map(|attr| attr.ok()) {
match attribute.data {
MftAttributeContent::AttrX10(standard_info) => {
println!("\tX10 attribute: {:#?}", standard_info)
},
MftAttributeContent::AttrX30(filename_attribute) => {
println!("\tX30 attribute: {:#?}", filename_attribute)
},
_ => {
println!("\tSome other attribute: {:#?}", attribute)
}
}
}
}
Err(err) => eprintln!("{}", err),
}
}
}
![@dependabot-preview[bot]](https://avatars.githubusercontent.com/in/2141?s=64&v=4){kind=small}
