list-mft is a tool for timelining the metadata of the files and directories described by an NTFS MFT. The tool is robust, performant, and uses a constant amount of memory. It supports the timestamps found in $STANDARD_INFORMATION attributes, $FILE_NAME attributes, and resident directory index entries. list-mft also attempts to recover inactive (deleted) MFT entries and to resolve orphan files, that is, entries whose parent directory record can no longer be found.
list-mft is a component of the INDXParse suite of tools for NTFS analysis. All INDXParse tools are free and open source. The source for list-mft is hosted on GitHub.
Tons of timestamps
Timeline analysis is a proven technique in computer forensics, and list-mft consolidates many of the timestamps you need when investigating an NTFS volume. It supports all eight file timestamps (the created, modified, MFT-modified, and accessed times kept in both $STANDARD_INFORMATION and $FILE_NAME) and also attempts to recover deleted directory index entries from slack space. This gives you a comprehensive view of file system activity.
Performant
list-mft has been used to process hundreds of MFT files and is tuned for forensic investigations. It aggressively caches commonly used data while keeping total memory usage under a constant bound. This means you can fire-and-forget the tool against a multi-gigabyte MFT without worrying about grinding your system to a halt.
Standard output formats
By default, list-mft produces Bodyfile-formatted output, the format consumed by The Sleuth Kit's mactime, so it integrates well with existing tools.
Free
All INDXParse tools are free and open source. Forensic practitioners drive the development by contributing ideas, bug reports, and patches. Since the source is in the open and covered by a liberal license, you'll never have to worry about the tools disappearing.
Command line driven, text interface
list-mft executes from the command line using a Python 2 interpreter. Since it produces text output, you'll find it easy to script and to integrate with your workflow.
list-mft is part of the INDXParse suite of tools, which are distributed together. To acquire INDXParse, download the latest ZIP archive or use git to clone the source repository:
list-mft is a Python script that should be run from the command line. It takes one required argument: the path to a raw $MFT file that was previously acquired. Windows does not allow the $MFT of a mounted volume to be opened as an ordinary file, so you cannot point the tool at the MFT of a live system; extract the $MFT first (for example from a forensic disk image).
You can also provide an optional cache_size parameter to tune the performance of the tool. A larger value initializes a larger cache, which improves performance at the expense of memory usage. The default value is 1024, which consumes about 148MB on my development system.
Finally, you can provide an optional prefix parameter to set the volume name for the MFT. A standalone $MFT carries no record of whether its volume was mounted as C:\, D:\, or E:\, so by default the tool uses the prefix “\.”. The prefix parameter lets you customize this volume name so that the paths in your timeline match the original system.
Here’s an example of a user listing an MFT using the default settings:
Here’s an example of a user listing an MFT using a larger cache and volume prefix “C:”:
Here’s an excerpt of a listing of the tool executed against an MFT file:
And here’s the resulting timeline when passed through mactime:
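What list-mft is pulling out of each MFT record, shown as an added example that is not part of this page or of the INDXParse code base: a minimal Python 3 parser (the tool itself runs under Python 2) that undoes the update-sequence fixups on a 1024-byte FILE record, reads the four timestamps from $STANDARD_INFORMATION and the four from $FILE_NAME, and emits one Bodyfile line per timestamp set using the same “\.” default prefix. The record it runs on is constructed inline and is not real evidence; the “($STANDARD_INFORMATION)” / “($FILE_NAME)” suffix on the name is this example's own convention rather than list-mft's exact output, and the timestomp_suspect check is a common DFIR rule of thumb added here, not a feature the page attributes to list-mft.

```python
import struct
from datetime import datetime, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 UTC; this many ticks precede the Unix epoch.
EPOCH_DIFF = 116444736000000000
STANDARD_INFORMATION, FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF


def filetime_to_unix(ft):
    return (ft - EPOCH_DIFF) // 10_000_000


def iso_to_filetime(iso):
    """'YYYY-MM-DDTHH:MM:SS' (UTC) -> FILETIME; only used to build the sample record."""
    dt = datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 10_000_000 + EPOCH_DIFF


def apply_fixups(record, sector=512):
    """Undo the NTFS update sequence: the last two bytes of every sector carry the
    update sequence number (USN); the real bytes live in the update sequence array."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * sector
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d: torn or corrupt record" % (i - 1))
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def resident_attributes(rec):
    """Yield (type, content) for each resident attribute of a fixed-up FILE record."""
    off = struct.unpack_from("<H", rec, 0x14)[0]          # offset of the first attribute
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            return
        if rec[off + 8] == 0:                             # non-resident flag clear
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            yield atype, rec[off + coff:off + coff + clen]
        off += alen


def parse_record(record):
    """Return record number, flags and both timestamp sets (raw FILETIME values)."""
    rec = apply_fixups(record)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    flags = struct.unpack_from("<H", rec, 0x16)[0]
    info = {"recno": struct.unpack_from("<I", rec, 0x2C)[0], "in_use": bool(flags & 1),
            "is_dir": bool(flags & 2), "si": None, "fn": None}
    for atype, body in resident_attributes(rec):
        if atype == STANDARD_INFORMATION:
            cr, mo, mc, ac = struct.unpack_from("<4Q", body, 0)
            info["si"] = {"crtime": cr, "mtime": mo, "ctime": mc, "atime": ac}
        elif atype == FILE_NAME:
            cr, mo, mc, ac, _alloc, real = struct.unpack_from("<6Q", body, 8)
            nlen, ns = body[0x40], body[0x41]
            name = body[0x42:0x42 + 2 * nlen].decode("utf-16-le")
            if info["fn"] is None or ns != 2:             # prefer the long name over the DOS 8.3 one
                info["fn"] = {"name": name, "size": real, "crtime": cr, "mtime": mo, "ctime": mc, "atime": ac}
    return info


def bodyfile_lines(record, prefix="\\."):
    """Bodyfile columns: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
    On NTFS 'ctime' is the MFT-entry-modified time. The '(tag)' name suffix is an
    assumption of this example, chosen so the two timestamp sets stay distinguishable."""
    r = parse_record(record)
    name = prefix + "\\" + (r["fn"]["name"] if r["fn"] else "<unknown>")
    if not r["in_use"]:
        name += " (deleted)"
    mode = "d/drwxrwxrwx" if r["is_dir"] else "r/rrwxrwxrwx"
    size = r["fn"]["size"] if r["fn"] else 0
    out = []
    for key, tag in (("si", "$STANDARD_INFORMATION"), ("fn", "$FILE_NAME")):
        t = r[key]
        if t is None:
            continue
        times = [str(filetime_to_unix(t[k])) for k in ("atime", "mtime", "ctime", "crtime")]
        out.append("|".join(["0", "%s (%s)" % (name, tag), str(r["recno"]), mode, "0", "0", str(size)] + times))
    return out


def timestomp_suspect(record):
    """Heuristic (assumption, not proof): SetFileTime() and most timestomping tools rewrite
    $STANDARD_INFORMATION only, while the kernel maintains $FILE_NAME, so an SI creation
    time that predates the FN creation time deserves a second look."""
    r = parse_record(record)
    return bool(r["si"] and r["fn"] and r["si"]["crtime"] < r["fn"]["crtime"])


def build_record(recno, name, si_times, fn_times, size, in_use=True, is_dir=False, usn=0x0007):
    """Assemble a minimal 1024-byte FILE record (constructed sample input, not real evidence)."""
    def attr(atype, content):                     # resident attribute, length rounded up to 8
        total = (0x18 + len(content) + 7) & ~7
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, 0, len(content), 0x18, 0, 0)
        return hdr + content + bytes(total - 0x18 - len(content))
    si = attr(STANDARD_INFORMATION, struct.pack("<4Q4I", *si_times, 0x20, 0, 0, 0))
    root = (5 << 48) | 5                          # parent reference: root directory, record 5
    fn = attr(FILE_NAME, struct.pack("<5Q2Q2I2B", root, *fn_times, size, size, 0x20, 0, len(name), 3)
              + name.encode("utf-16-le"))
    attrs = si + fn + struct.pack("<II", END_MARKER, 0)
    flags = (1 if in_use else 0) | (2 if is_dir else 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, flags,
                      0x38 + len(attrs), 1024, 0, 3, 0, recno)
    rec = bytearray(hdr + bytes(8) + attrs)
    rec += bytes(1024 - len(rec))
    struct.pack_into("<H", rec, 0x30, usn)        # USN, then protect the end of each 512-byte sector
    for i in (1, 2):
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[i * 512 - 2:i * 512]
        struct.pack_into("<H", rec, i * 512 - 2, usn)
    return bytes(rec)


T = iso_to_filetime
# Constructed sample: SI created/modified/accessed backdated, SI MFT-modified and all FN times current.
SAMPLE = build_record(1042, "evil.exe", size=73728,
                      si_times=(T("2009-07-14T01:14:07"), T("2009-07-14T01:14:07"),
                                T("2021-03-02T09:12:30"), T("2009-07-14T01:14:07")),
                      fn_times=(T("2021-03-02T09:12:30"),) * 4)

if __name__ == "__main__":
    for line in bodyfile_lines(SAMPLE, prefix="C:"):
        print(line)
    print("timestomp suspect:", timestomp_suspect(SAMPLE))
```

The output lines are valid input for mactime (for example mactime -b with the file these lines are written to). Reading both timestamp sets is the reason a $FILE_NAME column matters in the timeline: the sample record's $STANDARD_INFORMATION times say 2009 while $FILE_NAME and the MFT-entry-modified time say 2021, and only the comparison between the two sets exposes that.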