parse_mft

Plugin

ArgDescriptionType
filenameThe MFT file.string (required)
accessorThe accessor to use.string

Description

Scan the $MFT from an NTFS volume.

This plugin expect an $MFT file to operate on. For example, it is commonly used with the ’ntfs’ accessor which opens the local raw device to provide access to the $MFT

SELECT * FROM parse_mft(filename="C:/$MFT", accessor="ntfs")

For parsing from an image file, you can extract the $MFT file using the raw_ntfs accessor (which operates on images).

SELECT * FROM parse_mft(
     filename=pathspec(
       Path="$MFT",
       DelegateAccessor="file",
       DelegatePath='ntfs_image.dd'),
     accessor="raw_ntfs")
comments powered by Disqus