1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
|
# RustyMft
MFT to JSON
## Example output
``` json
{
"header": {
"signature": 1162627398,
"usa_offset": 48,
"usa_size": 3,
"logfile_sequence_number": "53754616884",
"sequence": 5,
"hard_link_count": 2,
"fst_attr_offset": 56,
"flags": "ALLOCATED",
"entry_size_real": 480,
"entry_size_allocated": 1024,
"base_reference": {
"reference": "0",
"entry": 0,
"sequence": 0
},
"next_attribute_id": 5,
"record_number": 47932,
"update_sequence_value": 0,
"entry_reference": {
"reference": "1407374883601212",
"entry": 47932,
"sequence": 5
}
},
"attr_standard_info": [{
"created": "2013-10-22 16:31:15.796",
"modified": "2013-10-22 16:39:29.450",
"mft_modified": "2013-10-23 02:56:59.811",
"accessed": "2013-10-22 16:31:15.796",
"file_flags": 8224,
"max_version": 0,
"version": 0,
"class_id": 0,
"owner_id": 0,
"security_id": 2604,
"quota": "0",
"usn": "20377883648"
}],
"attr_filename": [{
"parent": {
"reference": "562949953700461",
"entry": 279149,
"sequence": 2
},
"created": "2013-10-22 16:31:15.796",
"modified": "2013-10-22 16:31:15.796",
"mft_modified": "2013-10-22 16:31:15.796",
"accessed": "2013-10-22 16:31:15.796",
"logical_size": "0",
"physical_size": "0",
"flags": 8224,
"reparse_value": 0,
"name_length": 11,
"namespace": 2,
"name": "SDELET~1.PF",
"fullname": "Windows/Prefetch/SDELET~1.PF"
},
{
"parent": {
"reference": "562949953700461",
"entry": 279149,
"sequence": 2
},
"created": "2013-10-22 16:31:15.796",
"modified": "2013-10-22 16:31:15.796",
"mft_modified": "2013-10-22 16:31:15.796",
"accessed": "2013-10-22 16:31:15.796",
"logical_size": "0",
"physical_size": "0",
"flags": 8224,
"reparse_value": 0,
"name_length": 23,
"namespace": 1,
"name": "SDELETE.EXE-88F94BEB.pf",
"fullname": "Windows/Prefetch/SDELETE.EXE-88F94BEB.pf"
}]
}
```
|
