Parse MFT records based on segment numbers

[Zawadidone]

I would like to select which MFT records the MFT plugin outputs based on segment numbers. For example, target-query TARGET -f mft --fs 1 --segments 0-9 executes the MFT plugin to output the first ten MFT records of the first NTFS filesystem of a target.

We use Dissect Target as part of an automated processing pipeline that has 15 CPU's available to execute plugins on a target using xargs. Of all the plugins the MFT plugin takes the longest of all plugins, this varies from a few minutes to a few hours. Because of that we would like to speed up the processing of MFT records.

I don't know if this should be part of Dissect Target or that we will just use a custom MFT plugin with some BASH commands.

[Schamper]

This will also require a small change in dissect.ntfs: https://github.com/fox-it/dissect.ntfs/blob/d6c039c6b4959a5d1ea5b012673813d2ce91693a/dissect/ntfs/mft.py#L123-L134

Overall should be a pretty easy and good addition!

[Zawadidone]

@Schamper is the order in which filesystems are loaded into a target always the same?

[Schamper]

That should be deterministic, yes.

[Zawadidone]

@Schamper what would be the most wise way to do this by modifying the MFT plugin or by creating a new custom MFT plugin, outside of Dissect Target.

1. Open the target and list the NTFS filesystems and the amount of segments these have, e.g. {0: 100, 1:50}.
2. Execute the mft function with the arguments, e.g. --fs 0 --start 0 --end 50 - Yield MFT segments in specified range #672.
3. Repeat these steps for the childrens of the target.

[Zawadidone]

Nevermind forget about the last step, it should only support a single target just like the ICat plugin.