From 3a627529d4f62812b68ac4054d2565b56836c689 Mon Sep 17 00:00:00 2001 From: Benjamin Cance Date: Thu, 5 Sep 2024 10:31:35 -0400 Subject: [PATCH 1/3] Update version --- src/analyzeMFT/constants.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyzeMFT/constants.py b/src/analyzeMFT/constants.py index dddbefa..46fdfd6 100644 --- a/src/analyzeMFT/constants.py +++ b/src/analyzeMFT/constants.py @@ -1,4 +1,4 @@ -VERSION = '3.0.6.3' +VERSION = '3.0.6.6' # File Record Flags FILE_RECORD_IN_USE = 0x0001 From f406326deed869279200b31309bc5dc6e0e9cc2b Mon Sep 17 00:00:00 2001 From: Benjamin Cance Date: Thu, 5 Sep 2024 10:38:10 -0400 Subject: [PATCH 2/3] Readme updates --- README.md | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 33396ad..d9d504f 100644 --- a/README.md +++ b/README.md @@ -59,9 +59,33 @@ Options: Error: No input file specified. Use -f or --file to specify an MFT file. ``` +## Output + +``` +Starting MFT analysis... +Processing MFT file: D:\ISOs\MFT_Images\MFT +Processed 10000 records... +Processed 20000 records... +Processed 30000 records... + + .......[CUT]......... + +Processed 310000 records... +MFT processing complete. Total records processed: 314880 +Writing output in csv format to X:\extracted.csv +Analysis complete. + +MFT Analysis Statistics: +Total records processed: 314880 +Active records: 171927 +Directories: 99512 +Files: 215368 +Analysis complete. Results written to X:\extracted.csv +``` + ## Versioning -Current version: 3.0.6 +Current version: 3.0.6.6 ## Author From d1af780060f64d42c9cd233d1daab2d23ba283b3 Mon Sep 17 00:00:00 2001 From: Benjamin Cance Date: Thu, 5 Sep 2024 10:49:51 -0400 Subject: [PATCH 3/3] Update contributing --- CONTRIBUTING.MD | 117 ++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 108 insertions(+), 9 deletions(-) diff --git a/CONTRIBUTING.MD b/CONTRIBUTING.MD index 1ea3298..2680d2e 100644 --- a/CONTRIBUTING.MD 
+++ b/CONTRIBUTING.MD @@ -1,8 +1,6 @@ # Contributing to AnalyzeMFT -We welcome all contributions to AnalyzeMFT and appreciate your effort in helping improve this project! - -Please take a moment to read through the following guidelines before opening an issue, pull request (PR), or making any contributions. +We welcome all contributions to AnalyzeMFT and appreciate your effort in helping improve this project! Please take a moment to read through the following guidelines before opening an issue, pull request (PR), or making any contributions. ## Code of Conduct 
@@ -13,31 +11,132 @@ Please take a moment to read through the following guidelines before opening an To maintain a clean and manageable project history: - Each commit should represent **ONE** discrete change. Avoid bundling multiple changes into a single commit. - PRs will be **squashed** if necessary, but we strongly prefer a clear change-by-change commit history. This is essential for effective debugging and maintaining code quality. - + ## How to Contribute ### Reporting Bugs + - **Create an issue** for any bug you encounter. Make sure to describe the issue clearly and include any necessary information (e.g., error messages, logs, steps to reproduce). - Feel free to contribute a fix after reporting! ### Proposing New Features -- **Open an issue** to discuss your proposed feature before opening a PR. It’s important to make sure it aligns with the project goals. + +- **Open an issue** to discuss your proposed feature before opening a PR. It's important to make sure it aligns with the project goals. ### Making Changes + 1. **Fork the repository** and create your branch from `main`. 2. **Make your changes**, ensuring that they address one issue at a time. 3. **Test your changes** thoroughly. 4. **Submit a pull request**, referencing the related issue if applicable. ### Commit Messages + - Use concise and descriptive commit messages that explain the context of your change. - Reference the issue number (if applicable) in your commit message. +Example: +``` + Fix parsing of reparse point attribute (#123) + + Add error handling for incomplete reparse point data + Update documentation for reparse point parsing +``` + ## Code Style -- Ensure your code follows the coding style used in the project. -- Code quality is a priority, so be sure to run any existing linting or formatting checks before submitting your PR. +We follow a specific code style to maintain consistency throughout the project. Please adhere to the following guidelines: + +### Python Code Style + +1. 
Use 4 spaces for indentation (no tabs). +2. Follow PEP 8 guidelines for naming conventions and code layout. +3. Use type hints for function parameters and return values. +4. Keep lines to a maximum of 100 characters. +5. Use descriptive variable names. + +Example: + +``` +from typing import List, Dict + +def parse_mft_record(raw_record: bytes) -> Dict[str, Any]: + record = {} + return record + + +class MftAnalyzer: + def __init__(self, mft_file: str, output_file: str): + self.mft_file = mft_file + self.output_file = output_file + + async def analyze(self) -> None: + pass +``` + +### Comments + +- Though not implemented yet, future updates will include docstrings for modules, classes, and functions. +- Keep inline comments to a minimum unless necessary for complex logic or non-obvious code. +- Keep comments up-to-date with code changes. + +Example - Future comment style: + +``` +def parse_attribute(offset: int, raw_data: bytes) -> Dict[str, Any]: + """ + Parse an MFT attribute at the given offset. + + Args: + offset (int): The starting offset of the attribute. + raw_data (bytes): The raw MFT record data. + + Returns: + Dict[str, Any]: A dictionary containing the parsed attribute information. + """ +``` + +### SQL - work in progress + +We're working on bringing an SQL engine into this program because (IMO) it's the better way to sort and analyze massive datasets. With that in mind, I'd like to lay out a few SQL specific items: + +SQL keywords need to be uppercase. +SQL data columns should be lowercase and use `_` to separate words. + +``` +CREATE TABLE mft_record ( + id INTEGER PRIMARY KEY, + record_number INTEGER NOT NULL, + parent_record_number INTEGER +) +``` + +### Pull Requests + +After undering the joy of learning why branches have locks and the issues with trusting people to test fully, we're going to revamp the PR process. + +1. Instituted branch safety on the main branch +2. 
Built out a test suite (if anyone knows how to make this work on GH, lmk) + +PRs will now be required to fit this format: + +``` +## Description +This PR adds support for parsing reparse point attributes in MFT records. It includes: +- New function `parse_reparse_point` in `mft_record.py` +- Updated `MftRecord` class to handle reparse point attributes +- New tests for reparse point parsing in `test_mft_record.py` +- Updated documentation in README.md + +Fixes #123 + +## Checklist +- [x] Code follows the project's style guidelines +- [x] Tests have been added/updated +- [x] Documentation has been updated +- [x] All tests pass locally +``` -## Thank You +# Thank You +#### Your contribution is greatly appreciated, and we look forward to reviewing your work! -Your contribution is greatly appreciated, and we look forward to reviewing your work!
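
Review bot: In the README.md hunk of patch 2/3, the Versioning line hard-codes `Current version: 3.0.6.6`, a second copy of `VERSION` from src/analyzeMFT/constants.py. The value being replaced was `3.0.6` while constants.py held `3.0.6.3`, so the two had already drifted before this series. Suggest pointing the README at constants.py or the release tags instead of repeating the number. In the new Output block of the same hunk, "Analysis complete." appears twice, once before and once after the statistics. If the tool really prints it twice, that is worth fixing in the code. If not, trim the sample.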
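
Review bot: In the CONTRIBUTING.MD Code Style hunk of patch 3/3, the Python example imports `from typing import List, Dict` but annotates with `Dict[str, Any]`. Pasted as written it raises NameError on `Any` when `parse_mft_record` is defined, and `List` is unused. Change the import to `from typing import Any, Dict`. The PR template's checklist requires "All tests pass locally", but the Pull Requests section never says how to run the test suite, and "if anyone knows how to make this work on GH, lmk" is an open question rather than contributor guidance. Add the test command and move the question to an issue. Smaller points in the same hunk: "undering" in the Pull Requests intro looks like a typo, the added code fences carry no language tag, the `CREATE TABLE` example has no terminating semicolon, and the closing section changes from `## Thank You` with a body paragraph to `# Thank You` followed by a `####` heading, which breaks the `##`/`###` hierarchy used in the rest of the file.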