INST-001 · Instantiator · $MFT
NTFS $MFT Instantiator
Contributed by @ioi-framework · 2025-01-01
Note
Handles both $MFT record-level fields ($SI and $FN timestamps, entry number, parent path) and extended attributes used by IoI rules IOI-011 and IOI-012.
Dependencies
rdflib>=6.0 · pandas>=1.3
Overview
Maps MFTECmd CSV output to CASE/UCO-compliant JSON-LD graphs using ioi-ext:MftFacet for filesystem-specific properties not covered by the core CASE/UCO vocabulary.
Input fields consumed
| CSV field (MFTECmd) | Mapped to | Notes |
|---|---|---|
| EntryNumber | ioi-ext:entryNumber | Used for LNK cross-reference |
| ParentPath | ioi-ext:parentPath | Used for VSS and IndexedDB path checks |
| FileName | observable:fileName | |
| FilePath | observable:filePath | |
| Created0x10 | ioi-ext:created0x10 | $SI creation timestamp |
| Created0x30 | ioi-ext:created0x30 | $FN creation timestamp |
| LastModified0x10 | ioi-ext:lastModified0x10 | |
| LastModified0x30 | ioi-ext:lastModified0x30 | |
Usage
python3 instantiators/mft_instantiator.py cases/data/AF-NNN/post-manipulation/mft_post.csv cases/data/AF-NNN/graphs/mft_case.jsonld
# For large MFT exports
python3 instantiators/mft_instantiator.py cases/data/AF-NNN/post-manipulation/mft_post.csv cases/data/AF-NNN/graphs/mft_case.jsonld --chunk-size 5000
For large $MFT exports use --chunk-size N (e.g. --chunk-size 5000) to split output into multiple JSON-LD files.
Output structure
Produces one observable:File node per MFT record, each with an observable:FileFacet and an ioi-ext:MftFacet. Records are serialized as a JSON-LD @graph array.
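The field mapping and output structure described above, as an added sketch that is not the project's mft_instantiator.py: it uses only the standard library instead of rdflib/pandas, keeps every value as a string, and omits empty CSV cells from the facets. The ioi-ext and kb namespace IRIs, the @id scheme and the sample rows are assumptions made for this example.

```python
import csv, io, json
# Prefixes: the UCO IRIs are the published ones; ioi-ext and kb are placeholders (assumed).
CONTEXT = {
    "uco-core": "https://ontology.unifiedcyberontology.org/uco/core/",
    "observable": "https://ontology.unifiedcyberontology.org/uco/observable/",
    "ioi-ext": "https://example.org/ioi-ext#",
    "kb": "https://example.org/kb/",
}
# CSV column -> property, as listed under "Input fields consumed".
FILE_FACET = {"FileName": "observable:fileName", "FilePath": "observable:filePath"}
MFT_FACET = {
    "EntryNumber": "ioi-ext:entryNumber",
    "ParentPath": "ioi-ext:parentPath",
    "Created0x10": "ioi-ext:created0x10",
    "Created0x30": "ioi-ext:created0x30",
    "LastModified0x10": "ioi-ext:lastModified0x10",
    "LastModified0x30": "ioi-ext:lastModified0x30",
}

def facet(row, mapping, rdf_type):
    """Build one facet, skipping columns that are absent or empty in this row."""
    node = {"@type": rdf_type}
    for column, prop in mapping.items():
        value = (row.get(column) or "").strip()
        if value:
            node[prop] = value
    return node

def rows_to_graph(csv_text):
    """Return a JSON-LD document with one observable:File node per CSV row."""
    graph = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        graph.append({
            "@id": f"kb:mft-entry-{row['EntryNumber']}",  # hypothetical id scheme
            "@type": "observable:File",
            "uco-core:hasFacet": [
                facet(row, FILE_FACET, "observable:FileFacet"),
                facet(row, MFT_FACET, "ioi-ext:MftFacet"),
            ],
        })
    return {"@context": CONTEXT, "@graph": graph}

# Constructed sample input (not real case data); the second row has empty 0x30 cells.
SAMPLE_CSV = """EntryNumber,ParentPath,FileName,FilePath,Created0x10,Created0x30,LastModified0x10,LastModified0x30
41,.\\Users\\alice,report.docx,.\\Users\\alice\\report.docx,2024-03-01 09:00:00,2024-03-05 14:22:10,2024-03-01 09:05:00,2024-03-05 14:22:10
42,.\\Users\\alice,notes.txt,.\\Users\\alice\\notes.txt,2024-03-02 10:00:00,,2024-03-02 10:30:00,
"""
if __name__ == "__main__":
    print(json.dumps(rows_to_graph(SAMPLE_CSV), indent=2))
```

Keeping the $SI (0x10) and $FN (0x30) values as separate properties on the same facet means a downstream rule can compare them per record without re-reading the CSV.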