MFT is both an executable binary that can be run, and a library that can be used in Rust programs.

Installing the `mft_dump` executable

Assuming you have Rust/Cargo installed, run this command in a terminal:

cargo install mft

It will make the mft_dump command available in your PATH if you've allowed the PATH to be modified when installing Rust. cargo uninstall mft uninstalls.

Adding `mft` library as a dependency

Run this command in a terminal, in your project's directory:

cargo add mft

To add it manually, edit your project's Cargo.toml file and add to the [dependencies] section:

mft = "0.7.0"

The mft library will be automatically available globally. Read the mft library documentation.

Back to the crate overview.

Readme

MFT

This is a parser for the MFT (master file table) format.

MSRV is latest stable rust.

Documentation

Python bindings are available as well at https://github.com/omerbenamram/pymft-rs (and at PyPi https://pypi.org/project/mft/)

Features

Implemented using 100% safe rust - and works on all platforms supported by rust (that have stdlib).
Supports JSON and CSV outputs.
Supports extracting resident data streams.

Installation (associated binary utility):

Download latest executable release from https://github.com/omerbenamram/mft/releases
- Releases are automatically built for for Windows, macOS, and Linux. (64-bit executables only)
Build from sources using cargo install mft

`mft_dump` (Binary utility):

The main binary utility provided with this crate is mft_dump, and it provides a quick way to convert mft snapshots to different output formats.

Some examples

mft_dump <input_file> will dump contents of mft entries as JSON.
mft_dump -o csv <input_file> will dump contents of mft entries as CSV.
mft_dump --extract-resident-streams <output_directory> -o json <input_file> will extract all resident streams in MFT to files in <output_directory>.

Library usage:

use mft::MftParser;
use mft::attribute::MftAttributeContent;
use std::path::PathBuf;

fn main() {
    // Change this to a path of your MFT sample.
    let fp = PathBuf::from(format!("{}/samples/MFT", std::env::var("CARGO_MANIFEST_DIR").unwrap()));

    let mut parser = MftParser::from_path(fp).unwrap();
    for entry in parser.iter_entries() {
        match entry {
            Ok(e) =>  {
                for attribute in e.iter_attributes().filter_map(|attr| attr.ok()) {
                    match attribute.data {
                        MftAttributeContent::AttrX10(standard_info) => {
                            println!("\tX10 attribute: {:#?}", standard_info)
                        },
                        MftAttributeContent::AttrX30(filename_attribute) => {
                            println!("\tX30 attribute: {:#?}", filename_attribute)
                        },
                        _ => {
                            println!("\tSome other attribute: {:#?}", attribute)
                        }
                    }

                }
            }
            Err(err) => eprintln!("{}", err),
        }
    }
}

Performance profiling (samply)

The repo ships with a small sample MFT (samples/MFT, ~13MB) which makes a good fixed workload.

Baseline timings (hyperfine)

cargo build --release --bin mft_dump

# End-to-end CLI throughput (write output to /dev/null to avoid terminal overhead).
hyperfine --warmup 3 --runs 20 \
  './target/release/mft_dump samples/MFT -o jsonl -f /dev/null --no-confirm-overwrite' \
  './target/release/mft_dump samples/MFT -o csv -f /dev/null --no-confirm-overwrite'

CPU profiling (samply)

cargo build --release --bin mft_dump
mkdir -p target/samply

# End-to-end (parsing + serialization) profile.
samply record --save-only --unstable-presymbolicate \
  -o target/samply/mft_dump_jsonl.profile.json.gz \
  --iteration-count 200 -- \
  ./target/release/mft_dump samples/MFT -o jsonl -f /dev/null --no-confirm-overwrite

# Parser-only profile (no serialization/output), long single-process run.
# View in the Firefox Profiler UI.
samply load target/samply/mft_dump_jsonl.profile.json.gz

In the Firefox Profiler UI:

Use the Call Tree tab with Invert call stack to identify top leaf frames.
Keep Invert call stack off to see inclusive hot functions (top-down).
Use Filter stack to focus on crate frames (for example, mft:: or mft_dump::).

Installing the mft_dump executable

Adding mft library as a dependency

Installing the `mft_dump` executable

Adding `mft` library as a dependency