This is a parser for the MFT (master file table) format.
MSRV is latest stable rust.
Python bindings are available as well at https://github.com/omerbenamram/pymft-rs (and at PyPi https://pypi.org/project/mft/)
- Implemented using 100% safe rust - and works on all platforms supported by rust (that have stdlib).
- Supports JSON and CSV outputs.
- Supports extracting resident data streams.
- Download latest executable release from https://github.com/omerbenamram/mft/releases
- Releases are automatically built for for Windows, macOS, and Linux. (64-bit executables only)
- Build from sources using
cargo install mft
The main binary utility provided with this crate is mft_dump, and it provides a quick way to convert mft snapshots to different output formats.
Some examples
mft_dump <input_file>will dump contents of mft entries as JSON.mft_dump -o csv <input_file>will dump contents of mft entries as CSV.mft_dump --extract-resident-streams <output_directory> -o json <input_file>will extract all resident streams in MFT to files in <output_directory>.
use mft::MftParser;
use mft::attribute::MftAttributeContent;
use std::path::PathBuf;
fn main() {
// Change this to a path of your MFT sample.
let fp = PathBuf::from(format!("{}/samples/MFT", std::env::var("CARGO_MANIFEST_DIR").unwrap()));
let mut parser = MftParser::from_path(fp).unwrap();
for entry in parser.iter_entries() {
match entry {
Ok(e) => {
for attribute in e.iter_attributes().filter_map(|attr| attr.ok()) {
match attribute.data {
MftAttributeContent::AttrX10(standard_info) => {
println!("\tX10 attribute: {:#?}", standard_info)
},
MftAttributeContent::AttrX30(filename_attribute) => {
println!("\tX30 attribute: {:#?}", filename_attribute)
},
_ => {
println!("\tSome other attribute: {:#?}", attribute)
}
}
}
}
Err(err) => eprintln!("{}", err),
}
}
}The repo ships with a small sample MFT (samples/MFT, ~13MB) which makes a good fixed workload.
cargo build --release --bin mft_dump
# End-to-end CLI throughput (write output to /dev/null to avoid terminal overhead).
hyperfine --warmup 3 --runs 20 \
'./target/release/mft_dump samples/MFT -o jsonl -f /dev/null --no-confirm-overwrite' \
'./target/release/mft_dump samples/MFT -o csv -f /dev/null --no-confirm-overwrite'cargo build --release --bin mft_dump
mkdir -p target/samply
# End-to-end (parsing + serialization) profile.
samply record --save-only --unstable-presymbolicate \
-o target/samply/mft_dump_jsonl.profile.json.gz \
--iteration-count 200 -- \
./target/release/mft_dump samples/MFT -o jsonl -f /dev/null --no-confirm-overwrite
# Parser-only profile (no serialization/output), long single-process run.
# View in the Firefox Profiler UI.
samply load target/samply/mft_dump_jsonl.profile.json.gzIn the Firefox Profiler UI:
- Use the Call Tree tab with Invert call stack to identify top leaf frames.
- Keep Invert call stack off to see inclusive hot functions (top-down).
- Use Filter stack to focus on crate frames (for example,
mft::ormft_dump::).