EricZimmerman/MFTECmd

GitHub: EricZimmerman/MFTECmd

A command-line digital forensics tool that parses the NTFS $MFT and related file-system metadata files and converts them into several standard output formats.

Stars: 301 | Forks: 52

# MFTECmd

## Command Line Interface

```
MFTECmd version 0.5.0.1

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/MFTECmd

        f               File to process ($MFT | $J | $LogFile | $Boot | $SDS). Required
        json            Directory to save JSON formatted results to. This or --csv required unless --de or --body is specified
        jsonf           File name to save JSON formatted results to. When present, overrides default name
        csv             Directory to save CSV formatted results to. This or --json required unless --de or --body is specified
        csvf            File name to save CSV formatted results to. When present, overrides default name
        body            Directory to save bodyfile formatted results to. --bdl is also required when using this option
        bodyf           File name to save body formatted results to. When present, overrides default name
        bdl             Drive letter (C, D, etc.) to use with bodyfile. Only the drive letter itself should be provided
        blf             When true, use LF vs CRLF for newlines. Default is FALSE

        dd              Directory to save exported FILE record. --do is also required when using this option
        do              Offset of the FILE record to dump as decimal or hex. Ex: 5120 or 0x1400 Use --de or --vl 1 to see offsets

        de              Dump full details for entry/sequence #. Format is 'Entry' or 'Entry-Seq' as decimal or hex. Example: 5, 624-5 or 0x270-0x5.
        fls             When true, displays contents of directory specified by --de. Ignored when --de points to a file.
        ds              Dump full details for Security Id as decimal or hex. Example: 624 or 0x270

        dt              The custom date/time format to use when displaying time stamps. Default is: yyyy-MM-dd HH:mm:ss.fffffff
        sn              Include DOS file name types. Default is FALSE
        fl              Generate condensed file listing. Requires --csv. Default is FALSE
        at              When true, include all timestamps from 0x30 attribute vs only when they differ from 0x10. Default is FALSE

        vss             Process all Volume Shadow Copies that exist on drive specified by -f . Default is FALSE
        dedupe          Deduplicate -f & VSCs based on SHA-1. First file found wins. Default is FALSE

        debug           Show debug information during processing
        trace           Show trace information during processing

Examples: MFTECmd.exe -f "C:\Temp\SomeMFT" --csv "c:\temp\out" --csvf MyOutputFile.csv
          MFTECmd.exe -f "C:\Temp\SomeMFT" --csv "c:\temp\out"
          MFTECmd.exe -f "C:\Temp\SomeMFT" --json "c:\temp\jsonout"
          MFTECmd.exe -f "C:\Temp\SomeMFT" --body "c:\temp\bout" --bdl c
          MFTECmd.exe -f "C:\Temp\SomeMFT" --de 5-5

          Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes
```

## Documentation

An $MFT parser for the NTFS file system.

[Introducing MFTECmd!](https://binaryforay.blogspot.com/2018/06/introducing-mftecmd.html)

[MFTECmd v0.2.6.0 released](https://binaryforay.blogspot.com/2018/06/mftecmd-v0260-released.html)

[MFTECmd 0.3.6.0 released](https://binaryforay.blogspot.com/2018/12/mftecmd-0360-released.html)

[Locked file support added to AmcacheParser, AppCompatCacheParser, MFTECmd, ShellBags Explorer (and SBECmd), and Registry Explorer (and RECmd)](https://binaryforay.blogspot.com/2019/01/locked-file-support-added-to.html)

# Download Eric Zimmerman's Tools

All of Eric Zimmerman's tools can be downloaded [here](https://ericzimmerman.github.io/#!index.md).

# Special Thanks

Open Source Development funding and support provided by the following contributors:

- [SANS Institute](http://sans.org/) and [SANS DFIR](http://dfir.sans.org/).
- [Tines](https://www.tines.com/?utm_source=oss&utm_medium=sponsorship&utm_campaign=ericzimmerman)
Tags: $Boot, $J, $LogFile, $SDS, Bodyfile, Eric Zimmerman, JSON export, MFT, MFT parsing, NTFS, binary release, forensic tool, multi-person tracking, subdomain permutation, library, incident response, open-source tool, fast scan, digital forensics, data recovery, data parsing, file system, automation script