
CLI reference

The seven verbs, the detect command and its real flags, raw-file key handling, and the exit-code contract.

Install

The command-line tool is logflip; the repository and Python package are logflip-closed. It requires Python 3.11 or newer and runs as python -m logflip.

install
python -m pip install -e ".[dev]"

The seven verbs

The parser registers exactly seven subcommands.

  • detect: Run the full pipeline on one known $MFT record.
  • scan: Enumerate candidate records and run the pipeline on each.
  • verify-leaf: Re-verify a signed evidence leaf offline.
  • verify-db: Verify the HMAC integrity of a signed fingerprint database.
  • build-db: Build and sign a fingerprint database from a capture manifest.
  • keygen: Generate a sealed 32-byte engagement key.
  • ingest-captures: Turn operator capture bundles into a build-db manifest.

detect and its input modes

detect runs the full pipeline on one known MFT record. It accepts either a block source (a raw image or a live volume) or a metafile source (pre-extracted $LogFile, $MFT, and optional $UsnJrnl streams). The published one-line synopsis covers image mode; metafile mode adds the stream flags.

image mode
python -m logflip detect --image disk.img \
  --mft-record 5 --output leaf.json --report report.html

The canonical run on this site uses metafile mode against the pre-extracted streams:

metafile mode
python -m logflip detect --logfile-file logfile.bin --mft-file mft.bin \
  -m 24 --mft-slot 44 --usnjrnl-file usnjrnl_j.bin --report report.html
  • -m / --mft-record is the logical record the reverse replay keys on; --mft-slot is its physical slot when a record was relocated.
  • --db and --key-file are optional. When absent, the stub database and the synthetic demo key are used, and the verdict stays provisional at most.
  • --output writes the signed leaf JSON; --report writes the HTML report. Both write only on a successful run.

Keys

Every key is read from a raw 32-byte file via --key-file and must never be passed as a plain argument.

Exit codes

The exit code is part of the contract and is meant to be scripted in a pipeline:

  • 0 clean: no tampering evidence found.
  • 2 finding: a provisional or confirmed verdict. An exit of 2 means a finding was surfaced, not proof of a confirmation, and with the demo key it is always provisional. Anomalies alone never set this code.
  • 1 error: corrupt input, an I/O failure, or a fail-safe stop.
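A pipeline wrapper that applies this contract, added here as an example and not part of the logflip project: it refuses a key file that is not exactly 32 raw bytes, runs detect in metafile mode, and turns the exit status into a label a pipeline can branch on. The LOGFLIP variable and the function names are this example's own; the flags and exit codes are the ones documented above.

```shell
#!/bin/sh
# Added wrapper example (not part of logflip). Assumes only what this page states:
# detect's metafile-mode flags, --key-file as a raw 32-byte file, and exit codes
# 0 = clean, 2 = finding, 1 = error.

# Command that runs the tool; overridable so the wrapper can be exercised with a stand-in.
LOGFLIP="${LOGFLIP:-python -m logflip}"

# Map a detect exit status to its contract label.
logflip_verdict() {
  case "$1" in
    0) echo clean ;;
    2) echo finding ;;
    1) echo error ;;
    *) echo "unexpected:$1" ;;
  esac
}

# A key must be a raw 32-byte file; refuse anything else before it reaches --key-file.
check_key_file() {
  [ -f "$1" ] || return 1
  [ "$(wc -c < "$1" | tr -d ' \t')" -eq 32 ]
}

# Run detect in metafile mode. Prints the verdict label on stdout (the tool's own
# stdout is sent to stderr so it cannot pollute the label) and returns the tool's status.
# Without --key-file the demo key is used and an exit of 2 is only ever provisional,
# so this wrapper requires a key file.
run_detect() {
  logfile=$1; mft=$2; record=$3; slot=$4; key=$5; out=$6
  check_key_file "$key" || { echo "key file must be exactly 32 raw bytes" >&2; return 1; }
  if $LOGFLIP detect --logfile-file "$logfile" --mft-file "$mft" \
       -m "$record" --mft-slot "$slot" --key-file "$key" --output "$out" >&2; then
    status=0
  else
    status=$?
  fi
  logflip_verdict "$status"
  return "$status"
}

# Usage: sh wrapper.sh logfile.bin mft.bin 24 44 engagement.key leaf.json
# The printed label plus the propagated exit status let a pipeline branch on 0/2/1.
if [ "$#" -ge 6 ]; then
  run_detect "$@"
fi
```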