omerbenamram / mft

A parser for the MFT (Master File Table) format
Apache License 2.0
125 stars 18 forks

Added MftEntry::from_buffer_skip_fixup() #20

Closed forensicmatt closed 5 years ago

forensicmatt commented 5 years ago

I added the function MftEntry::from_buffer_skip_fixup() to get an MftEntry from a buffer that already has fixup values applied. It is rare that this is a scenario, but the scenario does exist. For example, I can use the Windows API to get an MFT Entry buffer via this DeviceIoControl (https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ni-winioctl-fsctl_get_ntfs_file_record). The return buffer has the fixup already applied; thus, using MftEntry::from_buffer() fails because of the fixup validation. However, by skipping the fixup, I can use MftEntry with these buffers. I am going to use this in my USN monitor to enumerate full paths for live monitoring.
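The failure described in the comment above, as an added example that is not part of the original post or the mft crate's code: a fixup check of this kind compares the last two bytes of every 512-byte stride with the update sequence number before restoring the saved bytes, so a buffer whose fixups were already applied no longer matches. The names `apply_fixup` and `sample_on_disk` and the record bytes are hypothetical and constructed; the layout assumed is the NTFS FILE record header (update sequence array offset at 0x04, word count at 0x06).

```rust
// Added example: NTFS update sequence ("fixup") handling on a constructed record.
// Function names and sample bytes are hypothetical, not the mft crate's API.
const SECTOR: usize = 512;

fn u16_at(b: &[u8], off: usize) -> Option<u16> {
    Some(u16::from_le_bytes([*b.get(off)?, *b.get(off + 1)?]))
}

/// Validate each sector tail against the update sequence number (USN), then
/// restore the saved bytes. Errors name the first sector whose tail differs.
fn apply_fixup(rec: &mut [u8]) -> Result<(), String> {
    let usa_off = u16_at(rec, 4).ok_or("short header")? as usize;
    let usa_len = u16_at(rec, 6).ok_or("short header")? as usize; // USN + one word per sector
    let usn = u16_at(rec, usa_off).ok_or("USA out of bounds")?;
    for i in 1..usa_len {
        let tail = i * SECTOR - 2;
        let saved = u16_at(rec, usa_off + 2 * i).ok_or("USA out of bounds")?;
        match u16_at(rec, tail) {
            Some(t) if t == usn => rec[tail..tail + 2].copy_from_slice(&saved.to_le_bytes()),
            Some(t) => return Err(format!("sector {}: tail {:#06x} != USN {:#06x}", i, t, usn)),
            None => return Err("sector beyond buffer".into()),
        }
    }
    Ok(())
}

/// Constructed 1024-byte FILE record as it would sit on disk (tails hold the USN).
fn sample_on_disk() -> Vec<u8> {
    let mut r = vec![0u8; 2 * SECTOR];
    r[..4].copy_from_slice(b"FILE");
    r[4..6].copy_from_slice(&0x30u16.to_le_bytes()); // USA offset
    r[6..8].copy_from_slice(&3u16.to_le_bytes()); // USA size in words
    r[0x30..0x36].copy_from_slice(&[0x07, 0x00, 0xAA, 0xBB, 0xCC, 0xDD]); // USN, saved tails
    r[510..512].copy_from_slice(&[0x07, 0x00]);
    r[1022..1024].copy_from_slice(&[0x07, 0x00]);
    r
}

fn main() {
    let mut rec = sample_on_disk();
    println!("on-disk buffer:      {:?}", apply_fixup(&mut rec));
    // rec now resembles the buffer the comment describes: fixup already applied.
    println!("pre-fixed-up buffer: {:?}", apply_fixup(&mut rec));
}
```

A parser that skips this step for such buffers also gives up the torn-write check the sector tails provide, so the skip belongs only on buffers known to come from a source that has already applied the fixup.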

forensicmatt commented 5 years ago

Any chance you could make a new release so this change is available via cargo?