analyzeMFT - A Python tool to deconstruct the Windows NTFS $MFT file

Property Value
Distribution openSUSE Tumbleweed
Repository openSUSE Oss all
Package filename analyzeMFT-2.0.4-1.9.noarch.rpm
Package name analyzeMFT
Package version 2.0.4
Package release 1.9
Package architecture noarch
Package type rpm
Category Development/Libraries/Python
License CPL-1.0
Maintainer -
Download size 29.70 KB
Installed size 78.51 KB is designed to fully parse the MFT file from an NTFS filesystem and present the results as accurately as possible in a format that allows further analysis with other tools. At present, it parses the attributes from a $MFT file to produce the following output:
Record Number
Good - if the entry is valid
Active - if the entry is active
Record type - the type of record
Record Sequence - the sequence number for the record
Parent Folder Record Number
Parent Folder Sequence Number
For the standard information attribute:
Creation date
Modification date
Access date
Entry date
For up to four file name records:
File name
Creation date
Modification date
Access date
Entry date
Object ID
Birth Volume ID
Birth Object ID
Birth Domain ID
And flags to show if each of the following attributes is present:
Standard Information, Attribute List, Filename, Object ID, Volume Name, Volume Info, Data, Index Root, Index Allocation, Bitmap, Reparse Point, EA Information, EA, Property Set, Logged Utility Stream
Notes/Log - Field used to log any significant events or observations relating to this record
std-fn-shift - Populated if anomaly detection is turned on. Y/N. Y indicates that the FN create date is later than the STD create date.
usec-zero - Populated if anomaly detection is turned on. Y/N. Y indicates that the STD create date's microsecond value is zero.
For each entry in the MFT a record is written to an output file in CSV format.
Major contributions from Matt Sabourin.


Package Version Architecture Repository
analyzeMFT - - -


Name Value
/usr/bin/python -
python -
python(abi) = 2.7
python-tk -


Name Value
analyzeMFT = 2.0.4-1.9


Type URL
Binary Package analyzeMFT-2.0.4-1.9.noarch.rpm
Source Package analyzeMFT-2.0.4-1.9.src.rpm

Install Howto

Install analyzeMFT rpm package:

# zypper install analyzeMFT




2014-09-11 -
- update to v2.0.4
* converted to a module
* setup for pypi
- updated Url and Source fields
- use newly available python install
- updated %files section since this is now a more traditional python package
2012-02-18 -
- initial package submission
A Python tool to deconstruct the Windows NTFS $MFT file

See Also

Package Description
angelscript-2.33.0-1.1.i586.rpm Scripting library
angelscript-2.33.0-1.1.x86_64.rpm Scripting library
angelscript-devel-2.33.0-1.1.i586.rpm Development files for AngelScript
angelscript-devel-2.33.0-1.1.x86_64.rpm Development files for AngelScript
anjuta-3.28.0-3.7.i586.rpm Versatile Integrated Development Environment for GNOME
anjuta-3.28.0-3.7.x86_64.rpm Versatile Integrated Development Environment for GNOME
anjuta-devel-3.28.0-3.7.i586.rpm Development files for Anjuta plugins
anjuta-devel-3.28.0-3.7.x86_64.rpm Development files for Anjuta plugins
anjuta-extras-3.26.0-3.5.i586.rpm Extra plugins for anjuta
anjuta-extras-3.26.0-3.5.x86_64.rpm Extra plugins for anjuta
anjuta-extras-lang-3.26.0-3.5.noarch.rpm Translations for package anjuta-extras
anjuta-lang-3.28.0-3.7.noarch.rpm Translations for package anjuta
anki-2.1.11-2.3.noarch.rpm Spaced-Repetition Memory Training Program
ansible-2.7.10-1.1.noarch.rpm Software automation engine
ansifilter-2.14-1.1.i586.rpm ANSI Terminal Escape Code Converter