author | Matthew Seyer <matthew.seyer@gmail.com> | 2017-06-24 05:26:03 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-06-24 05:26:03 +0300 |
commit | a958466ca2aca0d1935eb60bae175375accf21ba (patch) | |
tree | 5259aaba6565dbc9f817825d13fdb8bc252dade6 | |
parent | 5c7adea22e50c31bd12c1030081b3703ad345fcf (diff) |
Update README.md
-rw-r--r-- | README.md | 104 |
1 files changed, 21 insertions, 83 deletions
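--- a/README.md
+++ b/README.md
@@ -1,85 +1,23 @@
-# RustyMft
-MFT to JSON
+A fast and cross platform MFT Parser written in Rust that gives you the ability to query the records via JMES Query. Output is JSONL (http://jsonlines.org/).
 
-## Example output
-``` json
-{
- "header": {
- "signature": 1162627398,
- "usa_offset": 48,
- "usa_size": 3,
- "logfile_sequence_number": "53754616884",
- "sequence": 5,
- "hard_link_count": 2,
- "fst_attr_offset": 56,
- "flags": "ALLOCATED",
- "entry_size_real": 480,
- "entry_size_allocated": 1024,
- "base_reference": {
- "reference": "0",
- "entry": 0,
- "sequence": 0
- },
- "next_attribute_id": 5,
- "record_number": 47932,
- "update_sequence_value": 0,
- "entry_reference": {
- "reference": "1407374883601212",
- "entry": 47932,
- "sequence": 5
- }
- },
- "attr_standard_info": [{
- "created": "2013-10-22 16:31:15.796",
- "modified": "2013-10-22 16:39:29.450",
- "mft_modified": "2013-10-23 02:56:59.811",
- "accessed": "2013-10-22 16:31:15.796",
- "file_flags": 8224,
- "max_version": 0,
- "version": 0,
- "class_id": 0,
- "owner_id": 0,
- "security_id": 2604,
- "quota": "0",
- "usn": "20377883648"
- }],
- "attr_filename": [{
- "parent": {
- "reference": "562949953700461",
- "entry": 279149,
- "sequence": 2
- },
- "created": "2013-10-22 16:31:15.796",
- "modified": "2013-10-22 16:31:15.796",
- "mft_modified": "2013-10-22 16:31:15.796",
- "accessed": "2013-10-22 16:31:15.796",
- "logical_size": "0",
- "physical_size": "0",
- "flags": 8224,
- "reparse_value": 0,
- "name_length": 11,
- "namespace": 2,
- "name": "SDELET~1.PF",
- "fullname": "Windows/Prefetch/SDELET~1.PF"
- },
- {
- "parent": {
- "reference": "562949953700461",
- "entry": 279149,
- "sequence": 2
- },
- "created": "2013-10-22 16:31:15.796",
- "modified": "2013-10-22 16:31:15.796",
- "mft_modified": "2013-10-22 16:31:15.796",
- "accessed": "2013-10-22 16:31:15.796",
- "logical_size": "0",
- "physical_size": "0",
- "flags": 8224,
- "reparse_value": 0,
- "name_length": 23,
- "namespace": 1,
- "name": "SDELETE.EXE-88F94BEB.pf",
- "fullname": "Windows/Prefetch/SDELETE.EXE-88F94BEB.pf"
- }]
-}
 ```
+RustyMft 0.1.0
+Matthew Seyer <https://github.com/forensicmatt/RustyMft>
+Parse $MFT.
+
+USAGE:
+ RustyMft.exe [FLAGS] [OPTIONS] --source <FILE>
+
+FLAGS:
+ -b, --bool_expr JMES Query as bool only. (Prints whole record if true.)
+ -h, --help Prints help information
+ -V, --version Prints version information
+
+OPTIONS:
+ -q, --query <QUERY> JMES Query
+ -s, --source <FILE> The source path. Can be a file or a directory.
+```
+
+## Output
+The output is written to stdout as a json list of records.
+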