15 releases
Uses new Rust 2024
| 0.7.0 | Dec 23, 2025 |
|---|---|
| 0.6.1 | Feb 18, 2023 |
| 0.6.0 | Jan 6, 2022 |
| 0.5.3 | Apr 14, 2020 |
| 0.4.4 | Jun 19, 2019 |
#238 in Parser implementations
Used in 3 crates
1.5MB
2.5K
SLoC
MFT
This is a parser for the MFT (master file table) format.
MSRV is latest stable rust.
Python bindings are available as well at https://github.com/omerbenamram/pymft-rs (and at PyPi https://pypi.org/project/mft/)
Features
- Implemented using 100% safe rust - and works on all platforms supported by rust (that have stdlib).
- Supports JSON and CSV outputs.
- Supports extracting resident data streams.
Installation (associated binary utility):
- Download latest executable release from https://github.com/omerbenamram/mft/releases
- Releases are automatically built for for Windows, macOS, and Linux. (64-bit executables only)
- Build from sources using
cargo install mft
mft_dump (Binary utility):
The main binary utility provided with this crate is mft_dump, and it provides a quick way to convert mft snapshots to different output formats.
Some examples
mft_dump <input_file>will dump contents of mft entries as JSON.mft_dump -o csv <input_file>will dump contents of mft entries as CSV.mft_dump --extract-resident-streams <output_directory> -o json <input_file>will extract all resident streams in MFT to files in <output_directory>.
Library usage:
use mft::MftParser;
use mft::attribute::MftAttributeContent;
use std::path::PathBuf;
fn main() {
// Change this to a path of your MFT sample.
let fp = PathBuf::from(format!("{}/samples/MFT", std::env::var("CARGO_MANIFEST_DIR").unwrap()));
let mut parser = MftParser::from_path(fp).unwrap();
for entry in parser.iter_entries() {
match entry {
Ok(e) => {
for attribute in e.iter_attributes().filter_map(|attr| attr.ok()) {
match attribute.data {
MftAttributeContent::AttrX10(standard_info) => {
println!("\tX10 attribute: {:#?}", standard_info)
},
MftAttributeContent::AttrX30(filename_attribute) => {
println!("\tX30 attribute: {:#?}", filename_attribute)
},
_ => {
println!("\tSome other attribute: {:#?}", attribute)
}
}
}
}
Err(err) => eprintln!("{}", err),
}
}
}
Performance profiling (samply)
The repo ships with a small sample MFT (samples/MFT, ~13MB) which makes a good fixed workload.
Baseline timings (hyperfine)
cargo build --release --bin mft_dump
# End-to-end CLI throughput (write output to /dev/null to avoid terminal overhead).
hyperfine --warmup 3 --runs 20 \
'./target/release/mft_dump samples/MFT -o jsonl -f /dev/null --no-confirm-overwrite' \
'./target/release/mft_dump samples/MFT -o csv -f /dev/null --no-confirm-overwrite'
CPU profiling (samply)
cargo build --release --bin mft_dump
mkdir -p target/samply
# End-to-end (parsing + serialization) profile.
samply record --save-only --unstable-presymbolicate \
-o target/samply/mft_dump_jsonl.profile.json.gz \
--iteration-count 200 -- \
./target/release/mft_dump samples/MFT -o jsonl -f /dev/null --no-confirm-overwrite
# Parser-only profile (no serialization/output), long single-process run.
# View in the Firefox Profiler UI.
samply load target/samply/mft_dump_jsonl.profile.json.gz
In the Firefox Profiler UI:
- Use the Call Tree tab with Invert call stack to identify top leaf frames.
- Keep Invert call stack off to see inclusive hot functions (top-down).
- Use Filter stack to focus on crate frames (for example,
mft::ormft_dump::).
Thanks/Resources:
- https://docs.microsoft.com/en-us/windows/desktop/DevNotes/master-file-table
- https://github.com/libyal/libfsntfs/blob/master/documentation/New%20Technologies%20File%20System%20(NTFS).asciidoc
- https://github.com/forensicmatt/RustyMft
Dependencies
~10–15MB
~229K SLoC