trustedsec / tscopy

Recommended Improvement: Add option to pull $MFT from all volumes

CyberKaizen opened this issue · comments

Running something like: `tscopy_x64 -r -o C:\Collection\TScopy\MFT -f *:$MFT`

Currently it isn't possible if the user wants to copy a $MFT file from all volumes on the system.

Supporting some kind of option or wildcard to check the root of all volumes and copy it down would help when running TSCopy en masse and you don't know the specific drive letters on the system.

commented

I will look into the wildcard for the volume. But for now, I do it with a wrapper script that gets the volume and drive letters like this:

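```python
import win32api   # pywin32
import win32file  # pywin32


def get_local_drives():
    """Returns a list containing letters from local drives"""
    # GetLogicalDriveStrings returns NUL-separated roots, e.g. "C:\\\x00D:\\\x00"
    drive_list = win32api.GetLogicalDriveStrings()
    drive_list = drive_list.split("\x00")[0:-1]  # the last element is ""
    list_local_drives = []
    for letter in drive_list:
        # Keep fixed disks only; skip removable, network and optical drives
        if win32file.GetDriveType(letter) == win32file.DRIVE_FIXED:
            list_local_drives.append(letter)
    return list_local_drives
```
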
commented

Code has been added to support wildcard drive letters. Only works for local or fixed drives.
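
An added example, not code from this thread or from the TScopy project: a wrapper of the kind described in the first reply, expanding `*:$MFT` into one tscopy invocation per fixed drive. It reuses only the flags from the command line in the issue; the function names and the per-volume output subfolder are assumptions, and drives are enumerated through ctypes rather than pywin32.

```python
import ctypes
import subprocess
from pathlib import PureWindowsPath

DRIVE_FIXED = 3  # GetDriveTypeW value for fixed disks


def parse_drive_strings(buf):
    """Split the NUL-separated buffer filled by GetLogicalDriveStringsW."""
    return [root for root in buf.split("\x00") if root]


def fixed_drives():
    """Return fixed-drive roots such as 'C:\\' (Windows only)."""
    kernel32 = ctypes.windll.kernel32
    size = kernel32.GetLogicalDriveStringsW(0, None)  # required length
    buf = ctypes.create_unicode_buffer(size + 1)
    kernel32.GetLogicalDriveStringsW(size, buf)
    roots = parse_drive_strings(buf[:size])
    return [r for r in roots if kernel32.GetDriveTypeW(r) == DRIVE_FIXED]


def build_commands(exe, out_dir, spec, roots):
    """Expand a leading '*:' in spec into one argument list per drive root."""
    if not spec.startswith("*:"):
        return [[exe, "-r", "-o", out_dir, "-f", spec]]
    cmds = []
    for root in roots:
        letter = root[0].upper()
        # Assumption: one subfolder per volume keeps each $MFT copy apart.
        dest = str(PureWindowsPath(out_dir) / letter)
        cmds.append([exe, "-r", "-o", dest, "-f", letter + spec[1:]])
    return cmds


def collect(exe, out_dir, spec="*:$MFT"):
    """Run one copy per fixed drive; map each target to its exit code."""
    results = {}
    for cmd in build_commands(exe, out_dir, spec, fixed_drives()):
        results[cmd[-1]] = subprocess.run(cmd).returncode
    return results


if __name__ == "__main__":
    out = r"C:\Collection\TScopy\MFT"  # output path from the issue
    for target, code in collect("tscopy_x64", out).items():
        print(f"{target}: exit code {code}")
```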