@B0TAxy
Contributor

@B0TAxy B0TAxy commented Dec 24, 2025

This change adds a new --ignore-dos flag to the MFT plugin. This allows users to filter out short DOS 8.3 filenames from the output, focusing only on long filenames. The update adds the argument to the CLI, updates the records method signature to handle the new boolean flag, and ensures the path resolution logic respects this setting when generating file paths.

Member

@Schamper Schamper left a comment

Would you mind adding a small unit test? I believe we have a small MFT in the test data, I hope it has DOS names.

@B0TAxy
Contributor Author

B0TAxy commented Jan 9, 2026

> Would you mind adding a small unit test? I believe we have a small MFT in the test data, I hope it has DOS names.

I’ve checked the MFT files in our test data, but unfortunately, they don't appear to contain any DOS names. Do you happen to have a different MFT sample with DOS names that I could use for this test?

@Schamper
Member

Schamper commented Jan 9, 2026

Unfortunately not, but it looks like you can use fsutil setshortname: http://technet.microsoft.com/en-us/library/bb490642.aspx

Perhaps you could make a small test disk and use that.

@B0TAxy
Contributor Author

B0TAxy commented Jan 18, 2026

> Unfortunately not, but it looks like you can use fsutil setshortname: http://technet.microsoft.com/en-us/library/bb490642.aspx
>
> Perhaps you could make a small test disk and use that.

I ended up scripting a synthetic MFT record to create the test case manually. I also tested this against a vmdk image and can see the DOS names persisting there as well, which confirms a gap in the current detection logic.

Do you want to look into this, or would you prefer I dig deeper and propose a fix myself?
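
An added example, not code from this PR or from dissect: NTFS tags every `$FILE_NAME` attribute with a namespace byte, and the DOS 8.3 alias of a long name is the attribute whose namespace is 2. The sketch below builds synthetic attribute bodies (constructed data) and filters them; `build_file_name`, `parse_file_name`, `visible_names` and the `ignore_dos` parameter are hypothetical names chosen for illustration.

```python
import struct

# $FILE_NAME namespace byte values defined by NTFS
POSIX, WIN32, DOS, WIN32_AND_DOS = 0, 1, 2, 3
NAME_OFFSET = 0x42  # name length at 0x40, namespace at 0x41, UTF-16LE name follows


def build_file_name(name, namespace, parent_ref=5):
    """Build a synthetic $FILE_NAME attribute body (constructed test data)."""
    encoded = name.encode("utf-16-le")
    header = struct.pack(
        "<Q4Q2Q2I2B",
        parent_ref,         # parent directory file reference
        0, 0, 0, 0,         # four FILETIME timestamps, zeroed here
        0, 0,               # allocated size, real size
        0, 0,               # file flags, reparse/EA field
        len(encoded) // 2,  # name length in UTF-16 code units
        namespace,
    )
    return header + encoded


def parse_file_name(body):
    """Return (name, namespace) from a $FILE_NAME attribute body."""
    if len(body) < NAME_OFFSET:
        raise ValueError("truncated $FILE_NAME attribute")
    length, namespace = struct.unpack_from("<2B", body, 0x40)
    raw = body[NAME_OFFSET:NAME_OFFSET + length * 2]
    if len(raw) != length * 2:
        raise ValueError("name runs past the end of the attribute")
    return raw.decode("utf-16-le"), namespace


def visible_names(bodies, ignore_dos=False):
    """Names of one record; with ignore_dos, drop the DOS-only (namespace 2) aliases."""
    parsed = [parse_file_name(body) for body in bodies]
    return [name for name, ns in parsed if not (ignore_dos and ns == DOS)]


# Constructed records: a long name with its 8.3 alias, and a name valid in both namespaces.
RECORD_A = [build_file_name("Long File Name.txt", WIN32),
            build_file_name("LONGFI~1.TXT", DOS)]
RECORD_B = [build_file_name("NOTES.TXT", WIN32_AND_DOS)]

if __name__ == "__main__":
    print(visible_names(RECORD_A), visible_names(RECORD_A, ignore_dos=True))
    print(visible_names(RECORD_B, ignore_dos=True))
```

A name in namespace 3 (Win32 and DOS) is the file's only name, so the filter keeps it; only namespace 2 entries are pure aliases.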

@Schamper
Member

> Do you want to look into this, or would you prefer I dig deeper and propose a fix myself?

Look into what exactly? It's not entirely clear to me what you're referring to.

@B0TAxy
Contributor Author

B0TAxy commented Jan 19, 2026

> > Do you want to look into this, or would you prefer I dig deeper and propose a fix myself?
>
> Look into what exactly? It's not entirely clear to me what you're referring to.

There is a bug in the detection logic for DOS names and it isn't working properly. We need to investigate dissect.ntfs more deeply to find exactly where the breakdown is.
How would you like to proceed with this PR given the situation? Should I keep it open while I dig into the fix, or would you prefer I open a separate issue and we handle it there?

@Schamper
Member

It's fine to keep this open. When you have more information available you can open an issue or PR on dissect.ntfs.
