The MFT (Master File Table) is a file in Windows that stores at least one entry per file in the file system.
These entries contain metadata about every file in the system, including its size, time and date stamps, permissions, and data content. This data is stored either in MFT entries, or in space outside the MFT that is described by MFT entries.
Ideally, once the MFT is extracted, we'd build our own MFT parser, but external tools or other libraries to parse the MFT do the job just as well or better and take way less time to implement.
However, the external tools used should be included in the project in a clean and justifiable way, so that people can use it easily without too much hassle installing the tools, and so that people building other modules can use them easily as well.
The goal is to make an MFTExtractor class.
Reference: https://learn.microsoft.com/en-us/windows/win32/fileio/master-file-table
To get information from the MFT into a CSV, many options are available:
https://andreafortuna.org/2017/07/18/how-to-extract-data-and-timeline-from-master-file-table-on-ntfs-filesystem/
https://github.com/dkovar/analyzeMFT
Functions should be documented using Sphinx docstrings, as per this issue: https://github.com/CTM1/win_ewf_extract/issues/4
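For a sense of what a home-grown parser involves, here is an added example (not code from this project or from analyzeMFT) that reads one FILE record's resident $STANDARD_INFORMATION and $FILE_NAME attributes and writes a CSV row, with a Sphinx-style docstring on the parser. The names `parse_record`, `to_csv` and `sample_record` are hypothetical, the sample record is constructed, and update-sequence fixups, which a full parser must apply before reading across sector boundaries, are left out.

```python
import csv, io, struct
from datetime import datetime, timedelta, timezone
FIELDS = ["name", "in_use", "is_dir", "size", "created", "modified"]
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def parse_record(rec):
    """Parse one MFT FILE record into a metadata row.

    :param bytes rec: raw record; update-sequence fixups are not applied here.
    :returns: dict keyed by FIELDS, or None if the signature is not ``FILE``.
    """
    if rec[:4] != b"FILE":
        return None
    off, flags = struct.unpack_from("<HH", rec, 0x14)  # first attribute offset, flags
    row = {**dict.fromkeys(FIELDS, ""), "in_use": bool(flags & 1), "is_dir": bool(flags & 2)}
    while off + 0x18 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:  # end marker, or corrupt length
            break
        if rec[off + 8] == 0:  # resident: content lives inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == 0x10 and len(body) >= 16:  # $STANDARD_INFORMATION
                for key, v in zip(("created", "modified"), struct.unpack_from("<QQ", body)):
                    row[key] = (EPOCH + timedelta(microseconds=v // 10)).isoformat()
            elif atype == 0x30 and len(body) >= 0x42:  # $FILE_NAME
                row["size"] = struct.unpack_from("<Q", body, 0x30)[0]  # cached size
                row["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le", "replace")
        off += alen
    return row

def to_csv(records):
    """Render an iterable of raw FILE records as CSV text, skipping non-FILE data."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(r for r in map(parse_record, records) if r)
    return out.getvalue()

def sample_record():
    """Build a constructed 1024-byte FILE record (demo input, not real data)."""
    ft, name = 133000000000000000, "notes.txt".encode("utf-16-le")
    fn = struct.pack("<Q4QQQIIBB", 5, ft, ft, ft, ft, 4096, 1234, 0, 0, 9, 1) + name
    def attr(atype, body):  # resident attribute header + content padded to 8 bytes
        size = 0x18 + len(body) + (-len(body) % 8)
        return struct.pack("<IIQIHH", atype, size, 0, len(body), 0x18, 0) + body.ljust(size - 0x18, b"\0")
    hdr = b"FILE" + struct.pack("<HHQHHHH", 0x30, 3, 0, 1, 1, 0x38, 1)
    attrs = attr(0x10, struct.pack("<4Q", ft, ft, ft, ft)) + attr(0x30, fn)
    return (hdr.ljust(0x38, b"\0") + attrs + b"\xff" * 4).ljust(1024, b"\0")
```

The size read here is the copy cached in $FILE_NAME, which can lag behind the file's $DATA attribute; existing tools such as analyzeMFT already handle that and the other attribute types.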