mft2csv - NTFS systemfile extracter and $MFT decoder


mft2csv - NTFS systemfile extracter and $MFT decoder

Posted: Wed Aug 10, 2011 5:40 pm

I post it here as well since it is in fact open source and free.

So I finally finished the first version of my mft2csv application. I registered it at the project hosting at Google Code: code.google.com/p/mft2csv/

Edit: New home is: github.com/jschicht

It is two applications:
- One that will carve files directly from the physical disk by reading sectors as specified in $MFT. Several modes are available.
- The main application is the mft2csv tool, which will decode and log large amounts of data from $MFT to csv format. The current base of 126 variables is a very good starting point for further improvement (and maybe some are unneeded).

Check out the site; there is source, a compiled exe and descriptions. The source is free and pretty much without restrictions.

I really recommend doing something like this if you want to dig into NTFS and learn more about it in an interesting and exciting way. It is very likely that I will expand it with more features soon. Since it is written in the scripting language AutoIt, it is Windows only. However, it is very easy to work with.
_________________
Joakim Schicht

github.com/jschicht 


Last edited by joakims on Sun Feb 23, 2014 4:13 pm; edited 1 time in total

joakims
Senior Member
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Posted: Thu Aug 11, 2011 7:54 am

Great tool with an easy-to-look-at output!
I was having some problems with it recognizing a volume mounted with FTK Imager, but it could see the same image mounted in EnCase with PDE, so it must be an issue with Imager.
I also was able to carve MFT records and rename the output $MFT.bin, and the MFT2CSV utility parsed it out well.
As a suggestion for learning the $MFT layout, it might be good to put the attribute byte offset in each column header.
Thanks, Joakim!

PS - Darren Freestone's booklet at lockandcode.com is also a great resource for parsing the $MFT manually.

htcicolonial
Newbie
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Posted: Thu Aug 11, 2011 3:13 pm

Thanks for the feedback. Suggestions noted.

New versions of both apps have just been uploaded.

In mft2csv I've fixed the issue with more than 3 ADSs. I have also added file size as a new csv field. It is for the first $DATA attribute; I think it is easier to also have it available this way instead of only separated into resident/non-resident fields.

In the extracter there was an error in the function _GetAllRuns() that incorrectly solved runs in certain cases. That is now fixed. Note however that the experimental functionality to rip files by their MFT number is not fully working. I did not account for the fragmentation of the MFT itself. But since I have the runs solved I think I can handle it too. Until it's fixed I've put a hardcoded exit after record 1000, since fragmentation is rare so early in the file. The functionality would work when the MFT is not fragmented though.
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member
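The post above mentions a bug in how runs were solved in certain cases, and that extraction by MFT number did not yet account for a fragmented $MFT. The Python below is an added example, not code from mft2csv, showing how an NTFS run list is decoded (including the signed, relative offsets and sparse runs that trip up naive decoders) and how a record number is mapped to a volume byte offset by walking the $MFT's own runs. The run-list bytes, cluster size and record size are constructed sample values.

```python
# Constructed sample run list (not taken from any real volume):
#   31 10 00 10 00  -> 16 clusters at LCN 0x1000 (4096)
#   21 08 F0 FF     -> 8 clusters at a signed delta of -16 -> LCN 4080
#   01 04           -> 4 clusters, no offset field -> sparse run
#   00              -> terminator
SAMPLE_RUNLIST = bytes.fromhex("3110001000" "2108f0ff" "0104" "00")


def decode_runs(runlist):
    """Decode an NTFS run list into a list of (lcn, cluster_count).

    Each run starts with a header byte: low nibble = size of the length
    field, high nibble = size of the offset field.  The offset is a signed
    little-endian delta relative to the previous run's LCN, so a fragment
    that lies before the previous one has a negative delta; treating it
    as unsigned is the classic run-decoder bug.  An offset size of 0 is a
    sparse run, returned with lcn = None.
    """
    runs = []
    lcn = 0
    pos = 0
    while pos < len(runlist):
        header = runlist[pos]
        pos += 1
        if header == 0:  # end of the run list
            break
        len_size = header & 0x0F
        off_size = header >> 4
        if len_size == 0 or pos + len_size + off_size > len(runlist):
            raise ValueError("malformed run list at byte %d" % (pos - 1))
        count = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, count))
        else:
            delta = int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
            pos += off_size
            lcn += delta
            runs.append((lcn, count))
    return runs


def vcn_to_lcn(runs, vcn):
    """Map a virtual cluster number of the file to a logical cluster on disk."""
    base = 0
    for lcn, count in runs:
        if vcn < base + count:
            return None if lcn is None else lcn + (vcn - base)
        base += count
    raise ValueError("VCN %d is beyond the end of the run list" % vcn)


def mft_record_offset(runs, record_no, cluster_size=4096, record_size=1024):
    """Byte offset on the volume of $MFT record number `record_no`.

    Walks the $MFT's own run list, so the answer stays right when the
    $MFT is fragmented; a plain "start of $MFT + record_no * 1024"
    calculation is only correct inside the first fragment.
    """
    vcn, within = divmod(record_no * record_size, cluster_size)
    lcn = vcn_to_lcn(runs, vcn)
    if lcn is None:
        raise ValueError("record %d lies in a sparse run" % record_no)
    return lcn * cluster_size + within


if __name__ == "__main__":
    runs = decode_runs(SAMPLE_RUNLIST)
    print(runs)                         # [(4096, 16), (4080, 8), (None, 4)]
    print(mft_record_offset(runs, 4))   # inside the first fragment
    print(mft_record_offset(runs, 70))  # inside the second, non-adjacent fragment
```

Record 70 lands in the second fragment even though that fragment sits at a lower LCN than the first, which is exactly the situation a decoder that ignores the sign of the delta gets wrong.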
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Posted: Sat Aug 13, 2011 7:50 am

While fixing a tiny bug in the timestamps, I started wondering what kind of timestamp is best to use. Is it UTC or local time?
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Posted: Sat Aug 13, 2011 8:43 pm

Greetings,

Well, the timestamp is what it is. What you're asking is what timezone you should present the information using. And my answer is - I don't adjust the timestamp at all. The user should record the timezone settings of the system they pulled the $MFT from.

You could add a switch to allow the user to report all times using a specific timezone.

-David
_________________
CISSP, CCE, EnCE, Licensed Private Investigator (CA) 

kovar
Senior Member
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Posted: Wed Aug 17, 2011 6:57 am

@David
Sorry for the late reply. I was trying to completely understand the timestamp and timezone handling, and I think it's clear now. As you suggested, it only really matters what timezone configuration is on the system that analyzes the $MFT (and not the system it was taken from). For that reason I've implemented a choice when launching the app to choose whether UTC or local time is wanted in the timestamps. I've also added information in the csv header about what format (UTC or local) the timestamps are shown in, as well as info about what timezone configuration is present (file_time_delta/36000000000 = hours). Btw, milliseconds are now as they should be, after a bugfix.

Sample csv header
Code:
#Timestamps presented in Local time
#Current timezone configuration (bias) including adjustment for any daylight saving = -12 hours

Now the $MFT runs are solved too, so more or less any file on the volume with a valid record should be extractable from the fs (with certain limitations).
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member
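The post above settles on showing FILETIME values either as UTC or as local time, writing the bias into the csv header and keeping milliseconds. As an added example, not code from mft2csv, the Python below decodes the four FILETIME fields at the start of a $STANDARD_INFORMATION attribute value into UTC datetimes with millisecond precision, turns a 100-nanosecond delta into hours the same way the post does (delta / 36000000000), and presents a timestamp in local time for a given bias. The attribute bytes are a constructed sample; the sign convention assumed for a Windows-style bias is UTC = local + Bias.

```python
import struct
from datetime import datetime, timedelta, timezone

# 100-ns ticks between the FILETIME epoch (1601-01-01) and the Unix epoch.
FILETIME_UNIX_EPOCH = 116444736000000000
# 100-ns ticks in one hour: the divisor used in the post to turn a delta into hours.
TICKS_PER_HOUR = 36_000_000_000


def filetime_to_utc(ft):
    """Convert a 64-bit FILETIME (100-ns ticks since 1601-01-01 UTC) to an
    aware datetime.  Python datetimes hold microseconds, so the last decimal
    digit of the tick count is dropped; milliseconds survive intact."""
    if ft < 0:
        raise ValueError("FILETIME cannot be negative")
    try:
        return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)
    except OverflowError:
        # Values past year 9999 are not dates; treat them as corrupt data.
        raise ValueError("FILETIME %d is out of range, probably garbage" % ft)


def unix_to_filetime(unix_seconds, extra_ticks=0):
    """Inverse helper, used here only to build the constructed sample."""
    return FILETIME_UNIX_EPOCH + unix_seconds * 10_000_000 + extra_ticks


def bias_hours(delta_ticks):
    """A timezone bias given as 100-ns ticks, expressed in hours."""
    return delta_ticks / TICKS_PER_HOUR


def to_local(dt_utc, windows_bias_ticks):
    """Present a UTC datetime in local time for a Windows-style bias.
    Assumed convention: UTC = local + Bias, hence local = UTC - Bias."""
    offset = timedelta(hours=-bias_hours(windows_bias_ticks))
    return dt_utc.astimezone(timezone(offset))


def format_ms(dt):
    """Timestamp with millisecond precision, as a csv column would show it."""
    return dt.strftime("%Y-%m-%d %H:%M:%S.") + "%03d" % (dt.microsecond // 1000)


def parse_standard_information(value):
    """Decode the four FILETIMEs that open a $STANDARD_INFORMATION value:
    created, modified, $MFT-record modified, accessed (all stored as UTC)."""
    if len(value) < 32:
        raise ValueError("$STANDARD_INFORMATION value too short")
    created, modified, mft_modified, accessed = struct.unpack_from("<4Q", value, 0)
    return {
        "created": filetime_to_utc(created),
        "modified": filetime_to_utc(modified),
        "mft_modified": filetime_to_utc(mft_modified),
        "accessed": filetime_to_utc(accessed),
    }


# Constructed sample: four timestamps starting at 2011-08-10 17:40:00.123 UTC,
# one second apart, followed by 16 bytes of zeroed flag fields.
BASE_UNIX = int(datetime(2011, 8, 10, 17, 40, tzinfo=timezone.utc).timestamp())
SAMPLE_STD_INFO = struct.pack(
    "<4Q", *[unix_to_filetime(BASE_UNIX + i, 1_234_567) for i in range(4)]
) + bytes(16)


if __name__ == "__main__":
    for name, dt in parse_standard_information(SAMPLE_STD_INFO).items():
        local = to_local(dt, -2 * TICKS_PER_HOUR)   # bias of -2 h, i.e. UTC+2
        print("%-13s %s UTC  |  %s local" % (name, format_ms(dt), format_ms(local)))
```

The stored values never change; only the presentation does, which is the point David makes above. Recording the bias next to the timestamps, as the csv header in the post does, is what lets a reader recover UTC later.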
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Posted: Wed Sep 07, 2011 10:44 pm

Hi,

I'm not an AutoIt programmer, but I think you have a small logic error in your mft2csv program. The line:

If NOT StringMid($MFTEntry,1,8) = '46494C45' Then

does not do what you think it does. I think it should be:

If NOT (StringMid($MFTEntry,3,8) = '46494C45') Then

with the two values enclosed in brackets. Note also that the offset should be 3, not 1.

Regards,

Ddan  

Ddan
Member
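The note above is about the check that a record begins with the FILE signature (hex 46494C45). As an added example, not code from mft2csv, the Python below shows what that check guards and what a decoder has to do right after it: a 1024-byte record is built in memory as a constructed sample, including the update sequence fixups NTFS writes into the last two bytes of every sector, and the parser rejects anything without the signature, verifies and undoes the fixups, and reads the header fields a csv row would report. Python compares the raw bytes directly, so there is no hex-string offset to get right.

```python
import struct

SECTOR_SIZE = 512
RECORD_SIZE = 1024
HEADER_FMT = "<4sHHQHHHHIIQH"   # FILE record header up to next_attribute_id (42 bytes)
USA_OFFSET = 0x30                # update sequence array position in the constructed record
FIRST_ATTR = 0x38                # first attribute offset in the constructed record
FLAG_IN_USE = 0x0001
FLAG_DIRECTORY = 0x0002


def build_record(seq=5, links=1, flags=FLAG_IN_USE, usn=0x0007):
    """Construct a minimal FILE record (sample data, not from a real volume).

    The only attribute content is the 0xFFFFFFFF end marker.  As NTFS does
    on disk, the last two bytes of each 512-byte sector are overwritten
    with the update sequence number and the bytes they replaced are kept
    in the update sequence array (USA).  A reader that skips the fixup
    step returns those two bytes wrong in every sector.
    """
    rec = bytearray(RECORD_SIZE)
    usa_count = RECORD_SIZE // SECTOR_SIZE + 1     # the USN plus one entry per sector
    used_size = FIRST_ATTR + 8                     # end marker plus padding
    struct.pack_into(HEADER_FMT, rec, 0, b"FILE", USA_OFFSET, usa_count, 0,
                     seq, links, FIRST_ATTR, flags, used_size, RECORD_SIZE, 0, 1)
    struct.pack_into("<I", rec, FIRST_ATTR, 0xFFFFFFFF)
    # Pretend the sector tails held real data, then apply the fixups.
    originals = [0x1234, 0x5678]
    struct.pack_into("<H", rec, USA_OFFSET, usn)
    for i, orig in enumerate(originals):
        struct.pack_into("<H", rec, USA_OFFSET + 2 * (i + 1), orig)
        struct.pack_into("<H", rec, (i + 1) * SECTOR_SIZE - 2, usn)
    return bytes(rec)


def parse_record(raw):
    """Validate the signature, undo the fixups and return the header fields.

    Returns None for anything that is not a FILE record (unused, zeroed,
    or marked BAAD by chkdsk).  Raises ValueError when a sector tail does
    not carry the USN, which is how a torn write or corrupt record shows.
    """
    if len(raw) != RECORD_SIZE:
        raise ValueError("expected a %d-byte record" % RECORD_SIZE)
    if raw[:4] != b"FILE":            # the 46494C45 comparison from the thread
        return None
    rec = bytearray(raw)
    usa_offset, usa_count = struct.unpack_from("<HH", rec, 4)
    if usa_offset + 2 * usa_count > RECORD_SIZE:
        raise ValueError("update sequence array lies outside the record")
    usn = rec[usa_offset:usa_offset + 2]
    for i in range(1, usa_count):
        tail = i * SECTOR_SIZE - 2
        if rec[tail:tail + 2] != usn:
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        rec[tail:tail + 2] = rec[usa_offset + 2 * i:usa_offset + 2 * i + 2]
    f = struct.unpack_from(HEADER_FMT, rec, 0)
    return {
        "sequence": f[4],
        "hard_links": f[5],
        "first_attribute_offset": f[6],
        "in_use": bool(f[7] & FLAG_IN_USE),
        "is_directory": bool(f[7] & FLAG_DIRECTORY),
        "used_size": f[8],
        "allocated_size": f[9],
        "base_record": f[10],
        # Restored sector tails, so a caller can see the fixups were undone.
        "sector_tails": [bytes(rec[s * SECTOR_SIZE - 2:s * SECTOR_SIZE]) for s in (1, 2)],
    }


if __name__ == "__main__":
    print(parse_record(build_record()))
    print(parse_record(bytes(RECORD_SIZE)))   # None: not a FILE record
```

Applying the fixups before reading anything past the header is what keeps attribute lengths, run lists and timestamps that happen to straddle a sector boundary from coming out corrupted.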
 
 
Page 1 of 10