Update the CSV header, and the CSV writer function for organization, and better formatting choices.

Author: Benjamin Cance

src/analyzeMFT/constants.py

@@ -270,17 +270,70 @@
 # MFT Record magic number
 MFT_RECORD_MAGIC = b'FILE'
 
-# CSV Header
 CSV_HEADER = [
-    'Record Number', 'Good', 'Active', 'Record type', 'Sequence Number',
-    'Parent File Rec. #', 'Parent File Rec. Seq. #', 'Filename',
-    'Std Info Creation Time', 'Std Info Modification Time',
-    'Std Info Access Time', 'Std Info Entry Time',
-    'FN Info Creation Time', 'FN Info Modification Time',
-    'FN Info Access Time', 'FN Info Entry Time',
-    'Object ID', 'Birth Volume ID', 'Birth Object ID', 'Birth Domain ID',
-    'Standard Information', 'Attribute List', 'File Name',
-    'Volume Name', 'Volume Info', 'Data', 'Index Root',
-    'Index Allocation', 'Bitmap', 'Reparse Point', 'EA Information', 'EA',
-    'Logged Utility Stream', 'Filepath'
+    # Basic Record Information
+    'Record Number', 
+    'Record Status',  # Instead of 'Good'/'Bad'
+    'Record Type',    # Instead of 'Active'/'Inactive'
+    'File Type',      # Instead of 'Record type'
+    'Sequence Number',
+    'Parent Record Number',
+    'Parent Record Sequence Number',
+    
+    # File Information
+    'Filename',
+    'Filepath',
+    
+    # Standard Information Times
+    'SI Creation Time',
+    'SI Modification Time',
+    'SI Access Time',
+    'SI Entry Time',
+    
+    # File Name Attribute Times
+    'FN Creation Time',
+    'FN Modification Time',
+    'FN Access Time',
+    'FN Entry Time',
+    
+    # Object ID Information
+    'Object ID',
+    'Birth Volume ID',
+    'Birth Object ID',
+    'Birth Domain ID',
+    
+    # Attribute Presence Flags
+    'Has Standard Information',
+    'Has Attribute List',
+    'Has File Name',
+    'Has Volume Name',
+    'Has Volume Information',
+    'Has Data',
+    'Has Index Root',
+    'Has Index Allocation',
+    'Has Bitmap',
+    'Has Reparse Point',
+    'Has EA Information',
+    'Has EA',
+    'Has Logged Utility Stream',
+    
+    # Detailed Attribute Information
+    'Attribute List Details',
+    'Security Descriptor',
+    'Volume Name',
+    'Volume Information',
+    'Data Attribute',
+    'Index Root',
+    'Index Allocation',
+    'Bitmap',
+    'Reparse Point',
+    'EA Information',
+    'EA',
+    'Logged Utility Stream',
+    
+    # Hash Information (if computed)
+    'MD5',
+    'SHA256',
+    'SHA512',
+    'CRC32'
 ]

src/analyzeMFT/mft_record.py

@@ -386,39 +386,45 @@ def parse_logged_utility_stream(self, offset):
     def to_csv(self):
         row = [
             self.recordnum,
-            "Good" if self.magic == int.from_bytes(MFT_RECORD_MAGIC, BYTE_ORDER) else "Bad",
-            "Active" if self.flags & FILE_RECORD_IN_USE else "Inactive",
+            "Valid" if self.magic == int.from_bytes(MFT_RECORD_MAGIC, BYTE_ORDER) else "Invalid",
+            "In Use" if self.flags & FILE_RECORD_IN_USE else "Not in Use",
             self.get_file_type(),
             self.seq,
-            self.parent_ref,
-            self.base_ref >> 48,  # Parent File Rec. Seq. #
+            self.get_parent_record_num(),
+            self.base_ref >> 48,
+            
             self.filename,
+            "",  # Filepath (to be filled later)
+            
             self.si_times['crtime'].dtstr,
             self.si_times['mtime'].dtstr,
             self.si_times['atime'].dtstr,
             self.si_times['ctime'].dtstr,
+            
             self.fn_times['crtime'].dtstr,
             self.fn_times['mtime'].dtstr,
             self.fn_times['atime'].dtstr,
             self.fn_times['ctime'].dtstr,
+            
             self.object_id,
             self.birth_volume_id,
             self.birth_object_id,
             self.birth_domain_id,
-            "True" if STANDARD_INFORMATION_ATTRIBUTE in self.attribute_types else "False",
-            "True" if ATTRIBUTE_LIST_ATTRIBUTE in self.attribute_types else "False",
-            "True" if FILE_NAME_ATTRIBUTE in self.attribute_types else "False",
-            "True" if VOLUME_NAME_ATTRIBUTE in self.attribute_types else "False",
-            "True" if VOLUME_INFORMATION_ATTRIBUTE in self.attribute_types else "False",
-            "True" if DATA_ATTRIBUTE in self.attribute_types else "False",
-            "True" if INDEX_ROOT_ATTRIBUTE in self.attribute_types else "False",
-            "True" if INDEX_ALLOCATION_ATTRIBUTE in self.attribute_types else "False",
-            "True" if BITMAP_ATTRIBUTE in self.attribute_types else "False",
-            "True" if REPARSE_POINT_ATTRIBUTE in self.attribute_types else "False",
-            "True" if EA_INFORMATION_ATTRIBUTE in self.attribute_types else "False",
-            "True" if EA_ATTRIBUTE in self.attribute_types else "False",
-            "True" if LOGGED_UTILITY_STREAM_ATTRIBUTE in self.attribute_types else "False",
-            "",  # Filepath
+            
+            str(STANDARD_INFORMATION_ATTRIBUTE in self.attribute_types),
+            str(ATTRIBUTE_LIST_ATTRIBUTE in self.attribute_types),
+            str(FILE_NAME_ATTRIBUTE in self.attribute_types),
+            str(VOLUME_NAME_ATTRIBUTE in self.attribute_types),
+            str(VOLUME_INFORMATION_ATTRIBUTE in self.attribute_types),
+            str(DATA_ATTRIBUTE in self.attribute_types),
+            str(INDEX_ROOT_ATTRIBUTE in self.attribute_types),
+            str(INDEX_ALLOCATION_ATTRIBUTE in self.attribute_types),
+            str(BITMAP_ATTRIBUTE in self.attribute_types),
+            str(REPARSE_POINT_ATTRIBUTE in self.attribute_types),
+            str(EA_INFORMATION_ATTRIBUTE in self.attribute_types),
+            str(EA_ATTRIBUTE in self.attribute_types),
+            str(LOGGED_UTILITY_STREAM_ATTRIBUTE in self.attribute_types),
+            
             str(self.attribute_list),
             str(self.security_descriptor),
             self.volume_name,
@@ -434,6 +440,8 @@ def to_csv(self):
         ]
         if self.md5 is not None:
             row.extend([self.md5, self.sha256, self.sha512, self.crc32])
+        else:
+            row.extend([""] * 4)  # Add empty strings for hash fields if not computed
         return row
 
     def compute_hashes(self):