Parsing extracted $MFT file

[E Herreid]

Hello All,

In the perl-based log2timeline there was a (-f mft) module that would parse an extracted $MFT file and produce the 17-column l2t output. When I try to process the file in 1.0.2_alpha (SIFT-stable), it only processes the metadata of the $MFT file, not its contents.  I get the same results in 1.1.0-rc2_20140530 (SIFT-dev).

Is there an equivalent in Plaso?  This would be extremely helpful in IR situations where we collect specific artifacts and not the entire drive.  Any assistance would be greatly appreciated.

Thanks in advance!

Erik

# log2timeline.py output.dump \$MFT

[INFO] (MainProcess) Starting storage thread.

[INFO] (MainProcess) Starting to collect files for processing.

[INFO] (MainProcess) Starting to extract events.

[INFO] (MainProcess) Collection is hereby DONE

[INFO] (MainProcess) Waiting until all processing is done.

[INFO] (Worker_0  ) Worker 0 (PID: 1597) started monitoring process queue.

[INFO] (Worker_0  ) Worker 0 (PID: 1597) stopped monitoring process queue.

[INFO] (MainProcess) Processing done, waiting for storage.

[INFO] (StorageThread) [Storage] Closing the storage, nr. of events processed: 3

[INFO] (MainProcess) Storage process is done.

[INFO] (MainProcess) Run completed.

[Joachim Metz]

There is no equivalent yet. I have some experimental code but it is horribly slow.

This is something we have on the roadmap, but not yet implemented.
In some case we've been using Analyze MFT and importing its output in plaso for the time being.

--
You received this message because you are subscribed to the Google Groups "log2timeline-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to log2timeline-dis...@googlegroups.com.
To post to this group, send email to log2timeli...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[E Herreid]

Hi Joachim,

Thanks for the quick response.  I know I must be missing something fairly simple, but how would I import the output of analyzeMFT into plaso?

Thanks,

Erik.

[Joachim Metz]

plaso supports parsing CSV files, so you take the resulting CSV file and run plaso over it.

if you point plaso (log2timeline.py) to an existing database (or plaso store) it will append the information.

[Jasmine Chua]

Hi,
I tried to append the output of analyzeMFT to plaso but I dont think i am doing it correctly. Appreciate if someone can correct me. I ran these commands:

1. analyzeMFT.py -f xp.mft -c mftout
2. log2timeline.py xp.dump mftout

Thanks in advance!

[David Nides]

So I just quickly looked at the analyzeMFT output and it appears that it uses a "|" as the text delimiter. I am guessing plaso expects it to be comma delimited. 

Do you get an error?

Thanks!!

[David Kovar]

Greetings,

analyzeMFT uses commas, last I checked. It can also produce bodyfiles, which are probably more appropriate for plaso. And there are various bodyfile options. 

analyzeMFT -h

for more information.

-David

[David Kovar]

Someone named David Nides once helped me make sure the output was plaso friendly, I think.

On Aug 11, 2014, at 9:27, David Nides <david...@gmail.com> wrote:

[Jasmine Chua]

Thanks all for your reply!

David,

AnalyzeMFT does use "|" as the text delimiter. I have attached a screenshot of plaso output. Looks like there are no errors. As advised, i tried the -b option: write mac info to bodyfile for analyzeMFT but its the same result.
I also tried using mft2csv GUI tool which has the option to output to log2timeline and i was able to set comma as the delimiter. All produced the same result...

[David Nides]

I looked at the manual again. Not sure, perhaps I am using the incorrect syntax then? Tried the following 2 commands:

c:\analyzeMFT-master>analyzeMFT.py -bodyfull -f $MFT -b test11.csv

c:\analyzeMFT-master>analyzeMFT.py -bodyfull -f $MFT -b test11.csv

The output looks like this:

2014-03-27|19:03:09.541388|TZ|...B|FILE|NTFS $MFT|$FN [...B] time|user|host|/$MFT|desc|version|/$MFT|1||format|extra

2014-03-27|19:03:09.541388|TZ|...B|FILE|NTFS $MFT|$FN [...B] time|user|host|/$MFTMirr|desc|version|/$MFTMirr|1||format|extra

2014-03-27|19:03:09.541388|TZ|...B|FILE|NTFS $MFT|$FN [...B] time|user|host|/$LogFile|desc|version|/$LogFile|2||format|extra

2014-03-27|19:03:09.541388|TZ|...B|FILE|NTFS $MFT|$FN [...B] time|user|host|/$Volume|desc|version|/$Volume|3||format|extra

[Jasmine Chua]

It does not help even after replacing the delimiter from  "|" to "," for analyzeMFT output....

[Joachim Metz]

Try running:

analyzeMFT.py --bodyfull -f $MFT -e -c output.csv

[Joachim Metz]

Apparantly not

[Jasmine Chua]

Hi there. Thanks for helping. Interestingly there is no -e option in the analyzeMFT version that i am using.

[Joachim Metz]

So the | separator is fine

plaso should use the mactime parser for the output.csv

now to check why it does not parse it

[Joachim Metz]

Should be this:

analyzeMFT.py -b output.mactime -f MFT

[David Nides]

ah, that makes perfect sense, needs to be in mactime not l2tcsv format. 

fyi as an alternative, 4n6time does have a importer for l2t csv files. File > Create DB and select your l2t CSV file. I just tested it with the output from tzworks ntfswalk.exe tool quickly since I already had a file handy and it worked. For reference this is the cmdline arguement to create the correct format.

ntfswalk64.exe -csvl2t -dateformat mm/dd/yyyy -timeformat hh:mm:ss -mftfile $MFT >> mft_l2t.csv

[David Kovar]

Greetings,

I wrote analyzeMFT. I am looking at the output from:

analyzeMFT.py -f MFT -o MFT.txt

The fields are comma separated. It does not use '|' as a delimiter.

I did the same with -c rather than -o and you do get '|'. This is per the format specified by TSK. If you would like an option to do bodyfiles with commas rather than pipes, please let me know.

-David

<DSC_0466.JPG>

[David Kovar]

Jasmine,

The latest version is always available from GitHub. -e prints the time stamps in Excel friendly format.

-David

<DSC_0467.JPG>

[Joachim Metz]

David K.

If you use -b instead of -o with the latest version from github the file should be parse-able by plaso

The pipes are exactly what the plaso mactime parser wants.

So no need to change anything on your side.

To be verbose:

analyzeMFT.py -b output.mactime -f MFT

works for me.

[David Nides]

I tried it again with the exact command you used and confirmed that is correct. That makes sense because I do recall working with you to tweak this before. Thanks, David (the author of analyzeMFT.py) ;-)

 

[Jasmine Chua]

Thanks everyone for your prompt responses! It works now. Much appreciated especially receiving personal advice from the author of the tool! :)

[Joachim Metz]

The info now can be found here as well:

https://sites.google.com/a/kiddaland.net/plaso/usage/tips-and-tricks

If you think more tips and trick need to be added, speak up.

[E Herreid]

Hi All,

I've run into a bit of a snag with this process.  I'm using analyzeMFT v2.0.11 and log2timeline (plaso) 1.1.0.  Each time I run l2t against the body file, I get the following error:

2014-08-13 09:59:07,798 [ERROR] (MainProcess) PID:14772 <frontend> An uncaught exception occured: 3 has type <type 'int'>, but expected one of: (<type 'str'>, <type 'unicode'>).

Here are the commands, exactly as I typed them:

analyzeMFT -b mft.body -f \$MFT

log2timeline.py timeline.dump mft.body

It seems as if the error occurs when trying to write to the dump file.  I've attached the logfile with debugging enabled if that will help.

Thanks!

Erik.

[Joachim Metz]

Erik FYI this is being tracked in issue 86

[Elizabeth Schweinsberg]

word on the street is that the name issue has been fixed and merged into the main branch.

https://github.com/dkovar/analyzeMFT

W00t!

Elizabeth