Please add support for NTFS body files
Hello guys,
thanks a lot for all the work on this project.
Can I bother you with a feature request for adding support for NTFS body files?
timeliner --color --filter 'date >= 2023-10-01 && date <= 2023-10-02' 20240803201349_MFTECmd_MFT_Output.body
Could not read all the content: Error while reading file: Inode was not an integer: strconv.ParseInt: parsing "0-128-12": invalid syntax
Body file sample:
0|c:/$MFT|0-128-12|r/rrwxrwxrwx|0|0|196870144|1689087082|1689087082|1689087082|1689087082
0|c:/$MFT ($FILE_NAME)|0-48-3|r/rrwxrwxrwx|0|0|196870144|1689087082|1689087082|1689087082|1689087082
0|c:/$MFTMirr|1-128-1|r/rrwxrwxrwx|0|0|4096|1689087082|1689087082|1689087082|1689087082
0|c:/$MFTMirr ($FILE_NAME)|1-48-2|r/rrwxrwxrwx|0|0|4096|1689087082|1689087082|1689087082|1689087082
Seems like the Inode filter does not take into account the NTFS Inode format.
With NTFS, one can either specify just the MFT number and the default data attribute is used or the type can be specified by adding it to the end of the MFT entry, 36-128 for example. If more than one attribute of the same type exists, then the id can be used after the type, 36-128-5 for example.
TSK Metadata_address doc
Body file was created with MFTECmd:
mftecmd -f ./$MFT --body $HOME/export/ --bdl c
Sample NTFS body file attached for testing. sample.body.zip
Thank you for your time and have a good day.
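A sketch of an inode-field parser that accepts both plain integers and the NTFS `entry-type-id` form quoted above. This is an added example, not timeliner's own code: `MetaAddr`, `ParseMetaAddr` and `InodeOfBodyLine` are hypothetical names, and the 11-field body layout (MD5, name, inode, mode, UID, GID, size, four timestamps) is assumed from the sample rows.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// MetaAddr (hypothetical type) holds "entry", "entry-type" or "entry-type-id".
// Type and ID stay -1 when the field does not carry them (plain inode numbers).
type MetaAddr struct{ Entry, Type, ID int64 }

// ParseMetaAddr accepts a plain integer inode as well as the NTFS forms.
func ParseMetaAddr(s string) (MetaAddr, error) {
	a := MetaAddr{Type: -1, ID: -1}
	parts := strings.Split(s, "-")
	if len(parts) > 3 {
		return a, fmt.Errorf("metadata address %q has more than 3 components", s)
	}
	for i, dst := range []*int64{&a.Entry, &a.Type, &a.ID}[:len(parts)] {
		// ParseUint rejects signs and empty components; 63 bits fits in int64.
		v, err := strconv.ParseUint(parts[i], 10, 63)
		if err != nil {
			return a, fmt.Errorf("component %d of %q: %w", i+1, s, err)
		}
		*dst = int64(v)
	}
	return a, nil
}

// InodeOfBodyLine parses the inode field of one body line. The nine fields
// after the name are fixed, so the inode is located from the right and a "|"
// inside the file name does not shift the column.
func InodeOfBodyLine(line string) (MetaAddr, error) {
	f := strings.Split(strings.TrimRight(line, "\r\n"), "|")
	if len(f) < 11 {
		return MetaAddr{}, fmt.Errorf("body line has %d fields, want 11", len(f))
	}
	return ParseMetaAddr(f[len(f)-9])
}

func main() {
	// Inode values from the issue's sample and the TSK quote; "0-128-x" is constructed.
	for _, s := range []string{"0-128-12", "1-48-2", "36-128", "36", "0-128-x"} {
		a, err := ParseMetaAddr(s)
		fmt.Println(s, a, err)
	}
}
```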