body file output contains extra tab at the end of each line

[0CM]

Hi Eric,

I parsed MFT table into the body file format and the output contains /t at the end of each line.
Is this intentional, and if so would it be possible to suppress it via cli switch?

MFTECmd version 1.2.2.1
Command line: -f ./$MFT --body /home/ubuntu/DATA/export/ --bdl c

cat -E sample.body | head -n 5
0|c:/$MFT|0-128-12|r/rrwxrwxrwx|0|0|196870144|1689087082|1689087082|1689087082|1689087082	^M$
0|c:/$MFT ($FILE_NAME)|0-48-3|r/rrwxrwxrwx|0|0|196870144|1689087082|1689087082|1689087082|1689087082	^M$
0|c:/$MFTMirr|1-128-1|r/rrwxrwxrwx|0|0|4096|1689087082|1689087082|1689087082|1689087082	^M$
0|c:/$MFTMirr ($FILE_NAME)|1-48-2|r/rrwxrwxrwx|0|0|4096|1689087082|1689087082|1689087082|1689087082	^M$
0|c:/$LogFile|2-128-1|r/rrwxrwxrwx|0|0|67108864|1689087082|1689087082|1689087082|1689087082	^M$

sampleMFT.body.zip

Thank you and have a good day

[EricZimmerman]

Perhaps try the of vs crlf switch or just trim the end of the line?

Why body file at all, out of curiosity

[0CM]

mftecmd --blf worked, but the outputfile name is enclosed in single quotes.
'20240805143319_MFTECmd_$MFT_Output.body'

I am using the body file to feed the records to this time filter:

https://github.com/airbus-cert/timeliner

[EricZimmerman]

You can use bodyf to supply your own. Why does single quotes matter

[0CM]

The name does not matter, every other output file name is without the quotes, so just for the consistency.

Anyway my problem is fixed by LF switch. Thank you for pointing that out to me.

And have a good rest of your day

[EricZimmerman]

i dont see anywhere in the code that a \t would be inserted.

nor do i see anywhere where single quotes would end up around the csv file name

[0CM]

I did more testing this morning and the filename in the single quotes is my shamble.
Basically new safe way linux shell "escapes" filenames, in this case it was caused by the $ in the name.

As for the tabs, I will do more testing if I can narrow it down.