Downloads:
257
Downloads of v 2.0.0.50:
19
Last Update:
26 Apr 2024
Published Date:
26 Apr 2024
Reviewed Date:
26 Apr 2024
Reviewer:
Package Maintainer(s):
Software Author(s):
- Joakim Schicht
Tags:
mft2csv mft to csv ntfs digital forensics incident response dfir- Software Specific:
- Software Site
- Software Source
- Software License
- Software Docs
- Software Issues
- Package Specific:
- Package Source
- Package outdated?
- Package broken?
- Contact Maintainers
- Contact Site Admins
- Software Vendor?
- Report Abuse
- Download
Mft2Csv
(Ready for review)
- 1
- 2
- 3
2.0.0.50 | Updated: 26 Apr 2024
- Software Specific:
- Software Site
- Software Source
- Software License
- Software Docs
- Software Issues
- Package Specific:
- Package Source
- Package outdated?
- Package broken?
- Contact Maintainers
- Contact Site Admins
- Software Vendor?
- Report Abuse
- Download
Downloads:
257
Downloads of v 2.0.0.50:
19
Published:
26 Apr 2024
Reviewed:
26 Apr 2024
Reviewer:
Maintainer(s):
Software Author(s):
- Joakim Schicht
Mft2Csv 2.0.0.50
(Ready for review)
- 1
- 2
- 3
Some Checks Have Failed or Are Not Yet Complete
Not All Tests Have Passed
This version is in moderation and has not yet been approved. This means it doesn't show up under normal search.
- Until approved, you should consider this package version unsafe - it could do very bad things to your system (it probably doesn't but you have been warned, that's why we have moderation).
- This package version can change wildly over the course of moderation until it is approved. If you install it and it later has changes to this version, you will be out of sync with any changes that have been made to the package. Until approved, you should consider that this package version doesn't even exist.
- You cannot install this package under normal scenarios. See How to install package version under moderation for more information.
- There are also no guarantees that it will be approved.
There are versions of this package awaiting moderation (possibly just this one). See the Version History section below.
Introduction
This tool is for parsing, decoding and logging information from the Master File Table ($MFT) to a csv. It is logging a large amount of data and that has been the main purpose from the very start. Having all this data in a csv is convenient for further analysis. It supports getting the $MFT from a variety of sources.
Details
Input can be any of the following:
Raw/dd image of disk (MBR and GPT supported)
Raw/dd image of partition
$MFT extracted file
Reading of $MFT directly from a live system
Reading of $MFT by accessing .\PhysicalDriveN directly (no mount point needed).
Reading of $MFT directly from within shadow copies.
$MFT fragments extracted from memory dumps or unallocated (see MFTCarver).
Single records extracted. See MftRcrd with the -w switch.
There is an option to choose which UTC region to decode for. For instance you have a disk image and the target system had a timezone configuration of UTC -9.30, then you can configure it like that and get the timestamps directly into UTC 0.00. Default is UTC 0.00, and if running on a live system, there is no need to do anything as timestamps are automatically set to UTC 0.00.
The format of output can be chosen. Currently it is possible to choose from:
All (will write to csv everything it can). Default set.
log2timeline: http://code.google.com/p/log2timeline/wiki/l2t_csv
bodyfile (v3.x): http://wiki.sleuthkit.org/index.php?title=Body_file
It is possible to parse broken/partial $MFT by configuring "Broken $MFT". This setting is necessary if for instance index number 0 is missing (the record for $MFT itself).
Also it is possible to configure the tool to skip fixups. This is something you may want if you are working on memory dumps. If so, you need to run MFTCarver on the memdump first. Then run mft2csv on the output file from MFTCarver. Must have both "Broken $MFT" and "Skip Fixups" configured in such a case.
Note on VirusTotal detections
This application is a compiled AutoIt script.
AutoIt scripts packaged in this way are often incorrectly flagged as malware.
This is issue is documented in the AutoIt Wiki here: https://www.autoitscript.com/wiki/AutoIt_and_Malware
From: https://github.com/jschicht/Mft2Csv/blob/master/LICENSE.md
LICENSE
MIT License
Copyright (c) 2022 Joakim Schicht
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
md5: DCE90E51ACA08B63AD5D6C562B52A346 | sha1: 233A191B8F7E093A149CFF238F96F69EB2DD2EC2 | sha256: FAA2FB4E07CAB51AAB9576A68EDB8641CB2FDEF0C5DD56282FF14943F332A71F | sha512: AB16572041DC8CFC4423B7A2F0415A2D110E5904A242C021E3895D783291F916AB78504C693C2B134AA2C1F6BB944F5D1E05476C16272941B4598FA4F61B003B
VERIFICATION
Verification is intended to assist the Chocolatey moderators and community
in verifying that this package's contents are trustworthy.
Download zip package:
URL: https://github.com/jschicht/Mft2Csv/releases/download/v2.0.0.50/Mft2Csv_v2.0.0.50.zip
Compare the SHA256 hash of the downloaded zip package with that of the embedded zip package:
SHA256: FAA2FB4E07CAB51AAB9576A68EDB8641CB2FDEF0C5DD56282FF14943F332A71F
Log in or click on link to see number of positives.
- Mft2Csv_v2.0.0.50.zip (faa2fb4e07ca) - ## / 65
- Mft2Csv.exe (9013f49aea38) - ## / 72
- Mft2Csv64.exe (4cda46cff909) - ## / 69
- mft2csv.2.0.0.50.nupkg (93967a47579a) - ## / 63
In cases where actual malware is found, the packages are subject to removal. Software sometimes has false positives. Moderators do not necessarily validate the safety of the underlying software, only that a package retrieves software from the official distribution point and/or validate embedded software against official distribution point (where distribution rights allow redistribution).
Chocolatey Pro provides runtime protection from possible malware.
Add to Builder | Version | Downloads | Last Updated | Status |
---|---|---|---|---|
Mft2Csv 2.0.0.50 | 19 | Friday, April 26, 2024 | Ready | |
Mft2Csv 2.0.0.49 | 238 | Thursday, January 5, 2023 | Approved |
2022 Joakim Schicht
This package has no dependencies.
Ground Rules:
- This discussion is only about Mft2Csv and the Mft2Csv package. If you have feedback for Chocolatey, please contact the Google Group.
- This discussion will carry over multiple versions. If you have a comment about a particular version, please note that in your comments.
- The maintainers of this Chocolatey Package will be notified about new comments that are posted to this Disqus thread, however, it is NOT a guarantee that you will get a response. If you do not hear back from the maintainers after posting a message below, please follow up by using the link on the left side of this page or follow this link to contact maintainers. If you still hear nothing back, please follow the package triage process.
- Tell us what you love about the package or Mft2Csv, or tell us what needs improvement.
- Share your experiences with the package, or extra configuration or gotchas that you've found.
- If you use a url, the comment will be flagged for moderation until you've been whitelisted. Disqus moderated comments are approved on a weekly schedule if not sooner. It could take between 1-5 days for your comment to show up.
sustainablelobster (maintainer) on 20 Dec 2023 00:02:19 +00:00:
User 'sustainablelobster' (maintainer) submitted package.
chocolatey-ops (reviewer) on 20 Dec 2023 00:33:27 +00:00:
mft2csv has passed automated validation. It may have or may still fail other checks like testing (verification).
NOTE: No required changes that the validator checks have been flagged! It is appreciated if you fix other items, but only Requirements will hold up a package version from approval. A human review could still turn up issues a computer may not easily find.
Guidelines
Guidelines are strong suggestions that improve the quality of a package version. These are considered something to fix for next time to increase the quality of the package. Over time Guidelines can become Requirements. A package version can be approved without addressing Guideline comments but will reduce the quality of the package.
Notes
Notes typically flag things for both you and the reviewer to go over. Sometimes this is the use of things that may or may not be necessary given the constraints of what you are trying to do and/or are harder for automation to flag for other reasons. Items found in Notes might be Requirements depending on the context. A package version can be approved without addressing Note comments.
chocolatey-ops (reviewer) on 20 Dec 2023 00:36:15 +00:00:
mft2csv has passed automated package testing (verification). The next step in the process is package scanning.
Please visit https://gist.github.com/choco-bot/fb40fb6d423f389800eee37de4340574 for details.
This is an FYI only. There is no action you need to take.
chocolatey-ops (reviewer) on 20 Dec 2023 12:47:10 +00:00:
mft2csv has been flagged as part of automated virus scanning.
Package virus scanning found that at least 1 file within, or downloaded by, the package has between 6 and 10 VirusTotal detections associated with it.
This package version cannot be approved without an exemption from a Moderator.
flcdrg (reviewer) on 30 Dec 2023 03:15:58 +00:00:
Please resolve these to allow this package to be approved:
thanks,
David
chocolatey-ops (reviewer) on 19 Jan 2024 03:16:38 +00:00:
We've found mft2csv v2.0.0.50 in a submitted status and waiting for your next actions. It has had no updates for 20 or more days since a reviewer has asked for corrections. Please note that if there is no response or fix of the package within 15 days of this message, this package version will automatically be closed (rejected) due to being stale.
Take action:
If your package is failing automated testing, you can use the chocolatey test environment to manually run the verification and determine what may need to be fixed.
Note: We don't like to see packages automatically rejected. It doesn't mean that we don't value your contributions, just that we can not continue to hold packages versions in a waiting status that have possibly been abandoned. If you don't believe you will be able to fix up this version of the package within 15 days, we strongly urge you to log in to the site and respond to the review comments until you are able to.
chocolatey-ops (reviewer) on 03 Feb 2024 03:18:07 +00:00:
Unfortunately there has not been progress to move mft2csv v2.0.0.50 towards an approved status within 15 days after the last review message, so we need to close (reject) the package version at this time. If you want to pick this version up and move it towards approval in the future, use the contact site admins link on the package page and we can move it back into a submitted status so you can submit updates.
Status Change - Changed status of package from 'submitted' to 'rejected'.
gep13 (reviewer) on 26 Apr 2024 12:28:32 +00:00:
Moving this back to submitted as requested via email.
Status Change - Changed status of package from 'rejected' to 'submitted'.
sustainablelobster (maintainer) on 26 Apr 2024 12:39:53 +00:00:
User 'sustainablelobster' (maintainer) submitted package.
chocolatey-ops (reviewer) on 26 Apr 2024 13:15:24 +00:00:
mft2csv has passed automated validation. It may have or may still fail other checks like testing (verification).
NOTE: No required changes that the validator checks have been flagged! It is appreciated if you fix other items, but only Requirements will hold up a package version from approval. A human review could still turn up issues a computer may not easily find.
Guidelines
Guidelines are strong suggestions that improve the quality of a package version. These are considered something to fix for next time to increase the quality of the package. Over time Guidelines can become Requirements. A package version can be approved without addressing Guideline comments but will reduce the quality of the package.
Notes
Notes typically flag things for both you and the reviewer to go over. Sometimes this is the use of things that may or may not be necessary given the constraints of what you are trying to do and/or are harder for automation to flag for other reasons. Items found in Notes might be Requirements depending on the context. A package version can be approved without addressing Note comments.
chocolatey-ops (reviewer) on 26 Apr 2024 13:22:09 +00:00:
mft2csv has passed automated package testing (verification). The next step in the process is package scanning.
Please visit https://gist.github.com/choco-bot/a470522c6a1b4962b26574142789e47c for details.
This is an FYI only. There is no action you need to take.
chocolatey-ops (reviewer) on 26 Apr 2024 13:35:15 +00:00:
mft2csv has been flagged as part of automated virus scanning.
Package virus scanning found that at least 1 file within, or downloaded by, the package has between 6 and 10 VirusTotal detections associated with it.
This package version cannot be approved without an exemption from a Moderator.