I am trying to read the MFT table from my local disk with Python. Of course, if I write something like this:
input_file = open('C:\$MFT', "rb")
I will get
[Errno 13] Permission denied: 'C:\$MFT'
I tried to use pyMFTGrabber, but it doesn't work; I got a lot of "socket.errors".
What is the best and easiest way to read this file using Python?
Maybe it is some WinAPI, or something else?
After reading it, I want to analyze it with "analyzeMFT".
It's rather painful with Python, since it's not exactly low-level.
I think you should start with this though:
L"\\\\?\\C:\\$MFT"
is the namespace you need to use in MS's VC++ API in order to create a handle to the MFT. You should consider looking through the source code of the grabber you mentioned, pyMFTGrabber, and scrolling down to the bottom, where it shows you how the author accessed the file (it looks accurate: it reads sectors instead of trying to directly access $MFT, and it looks pretty well commented too). If you read the details of the project, it says that it is a 'Script to retrieve the Master File Table (MFT) record for an NTFS file system from a live system.'
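The sector-level approach the answer points to, as an added example (not part of the original post and not pyMFTGrabber's code): it parses the NTFS boot sector to find where the MFT starts, then reads the first MFT record through the raw volume device. The `\\.\C:` device path, the function names and the sample boot sector are assumptions made for illustration, and opening the volume requires an elevated prompt.

```python
import struct

def parse_ntfs_boot_sector(bs: bytes) -> dict:
    """Locate the MFT from the first sector of an NTFS volume."""
    if len(bs) < 512 or bs[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 0x0B)
    (mft_lcn,) = struct.unpack_from("<Q", bs, 0x30)   # first cluster of $MFT
    (raw,) = struct.unpack_from("<b", bs, 0x40)       # signed record-size field
    cluster_size = bytes_per_sector * sectors_per_cluster
    # Positive: size in clusters. Negative: size is 2**(-raw) bytes (-10 -> 1024).
    record_size = raw * cluster_size if raw > 0 else 1 << -raw
    return {"cluster_size": cluster_size,
            "mft_offset": mft_lcn * cluster_size,
            "record_size": record_size}

def read_first_mft_record(volume: str = r"\\.\C:") -> bytes:
    """Read MFT record 0 via the raw volume device (assumed path, needs admin)."""
    # Unbuffered, so every read stays sector-aligned; 4096 covers 512 and 4K sectors.
    with open(volume, "rb", buffering=0) as vol:
        info = parse_ntfs_boot_sector(vol.read(4096)[:512])
        vol.seek(info["mft_offset"])
        record = vol.read(info["record_size"])
    if record[:4] != b"FILE":
        raise ValueError("MFT record signature not found")
    return record

def sample_boot_sector() -> bytes:
    """Constructed boot sector: 512-byte sectors, 8 per cluster, MFT at LCN 786432."""
    bs = bytearray(512)
    bs[3:11] = b"NTFS    "
    struct.pack_into("<HB", bs, 0x0B, 512, 8)
    struct.pack_into("<Q", bs, 0x30, 786432)
    struct.pack_into("<b", bs, 0x40, -10)
    return bytes(bs)

if __name__ == "__main__":
    # Runs offline against the constructed sector; no disk access is needed here.
    print(parse_ntfs_boot_sector(sample_boot_sector()))
```

Record 0 describes `$MFT` itself; dumping the whole table for analyzeMFT means following the data runs stored in that record, which this example does not do.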