Trying to get MFT table from Python 3

Published 2019-06-04 01:29

Question:

I am trying to read the MFT table from my local disk from Python. Of course, if I write something like this:

input_file = open('C:\$MFT', "rb")

I will get

[ Errno 13] Permission denied: 'C:\$MFT'

I tried to use pyMFTGrabber, but it doesn't work; I got a lot of "socket.errors".

What is the best and easiest way to read this file using Python?
Maybe it is some WinAPI, or something else? After reading it, I want to analyze it with "analyzeMFT".

Answer 1:

It's rather painful with Python, since it's not exactly low-level.

I think you should start with this though:

L"\\?\C:\$MFT" is the namespace you need to use in MS's VC++ API in order to create a handle to the MFT.

You should consider looking through the source code of the grabber you mentioned, pyMFTGrabber. Scroll down to the bottom and it shows you how the author accessed the file (it looks accurate: it reads sectors instead of trying to directly access $MFT, and it looks pretty well commented too). If you read the details of the project, it says that it is a 'Script to retrieve the Master File Table (MFT) record for an NTFS file system from a live system.'
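
Reading sectors instead of opening $MFT by name starts from the NTFS boot sector, which records where the MFT begins. The following is an added example (not part of the original answer and not pyMFTGrabber's code) that parses those fields and reads MFT record 0; the function names and the sample image are constructed for illustration.

```python
import io
import struct

def parse_ntfs_boot_sector(boot: bytes) -> dict:
    """Locate the MFT from the first sector of an NTFS volume."""
    if len(boot) < 512 or boot[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, spc = struct.unpack_from("<HB", boot, 0x0B)
    if spc > 0x80:                       # large clusters are stored as 2**(256 - value)
        spc = 1 << (256 - spc)
    cluster_size = bytes_per_sector * spc
    (mft_lcn,) = struct.unpack_from("<Q", boot, 0x30)   # first cluster of $MFT
    (raw,) = struct.unpack_from("<b", boot, 0x40)       # signed record-size field
    # Negative value: record size is 2**abs(raw) bytes; positive: a cluster count.
    record_size = (1 << -raw) if raw < 0 else raw * cluster_size
    return {"cluster_size": cluster_size,
            "mft_offset": mft_lcn * cluster_size,
            "record_size": record_size}

def read_mft_record0(dev) -> bytes:
    """Read MFT record 0 (the $MFT file's own record) from a binary file object."""
    dev.seek(0)
    info = parse_ntfs_boot_sector(dev.read(512))
    dev.seek(info["mft_offset"])
    record = dev.read(info["record_size"])
    if record[:4] != b"FILE":
        raise ValueError("no FILE signature at computed MFT offset")
    return record

def build_sample_volume() -> bytes:
    """Constructed test image: boot sector plus one fake record, not real disk data."""
    boot = bytearray(512)
    boot[3:11] = b"NTFS    "
    struct.pack_into("<HB", boot, 0x0B, 512, 8)   # 4096-byte clusters
    struct.pack_into("<Q", boot, 0x30, 4)         # MFT starts at cluster 4
    struct.pack_into("<b", boot, 0x40, -10)       # 2**10 = 1024-byte records
    image = bytearray(4 * 4096 + 1024)
    image[:512] = boot
    image[4 * 4096:4 * 4096 + 4] = b"FILE"
    return bytes(image)

if __name__ == "__main__":
    sample = build_sample_volume()
    print(parse_ntfs_boot_sector(sample[:512]))
    print(len(read_mft_record0(io.BytesIO(sample))))
    # On a live system (elevated prompt), pass the raw volume instead:
    #   with open(r"\\.\C:", "rb") as dev: record = read_mft_record0(dev)
```

The complete $MFT can be fragmented across the volume; its extents are listed in the data runs of record 0's $DATA attribute, so a full copy has to follow those runs rather than read one contiguous range.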



Answer 2:

In the meantime, other options emerged: There's a library to analyze the Master File Table ($MFT) from an NTFS file system called analyzeMFT.

analyzeMFT.py is designed to fully parse the MFT file from an NTFS filesystem and present the results as accurately as possible in multiple formats.

To get it, use pip (current version 2.0.19) or install it from the source found on GitHub.

pip install analyzeMFT