An $MFT parser


An $MFT parser

Posted: Mon Aug 01, 2011 10:01 pm

I challenged myself to write an $MFT parser to rip information and log it to a csv file. It is going fine as I can reassemble and extract the $MFT from physical disk. I've also come a long way on decoding the various attributes. Currently I'm pretty much ripping everything from the Record header, Standard Information, File Name and Data attribute.

Question is what else would be of interest from the other remaining attributes?

In the current form, it will generate a massive amount of data. On a sample 95 MB $MFT it generated a 35 MB csv. It will export information from each and every record (including those marked as deleted). Thanks for any pointers.
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member

Re: An $MFT parser

Posted: Tue Aug 02, 2011 1:34 am

Can it handle multiple $DATA attributes?

What about exporting out resident $DATA data?

Just off the top of my head...  

twjolson
Senior Member

Re: An $MFT parser

Posted: Tue Aug 02, 2011 5:25 am

twjolson wrote:
Can it handle multiple $DATA attributes?

What about exporting out resident $DATA data?


Good suggestion. I am afraid that in my current solution several attributes of the same type for the same file is not ideal (the last attribute will overwrite the values for the first attribute of the same type for the same file). But it should be possible to solve.

When you say exporting resident $DATA data, would it make any sense to put this into the csv? If so, then maybe writing the hex values (instead of binary) would be the best. If you meant outside the csv, we must somehow account for duplicated files of same name.

Of course this would slow down the processing further, but maybe this option should be configurable.


Thanks for the input.
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member

Re: An $MFT parser

Posted: Tue Aug 02, 2011 5:48 am

Hi Joakim,

How about an option to extract file record slack? Should be pretty easy to incorporate.

Another idea is to expand the scope of the project somewhat and include Security Attributes - which would mean attempting to parse $Secure as well. It is a lot more work, but hey - you asked for ideas :)

Chris_Ed
Senior Member

Re: An $MFT parser

Posted: Tue Aug 02, 2011 5:48 am

Right now, this is what is included:

Code:
FN_FileName
HEADER_Flags
SI_FilePermission
FN_Flags
SI_CTime
SI_ATime
SI_MTime
SI_RTime
FN_CTime
FN_ATime
FN_MTime
FN_RTime
FN_AllocSize
FN_RealSize
SI_USN
DATA_VCNs
DATA_NonResidentFlag
HEADER_MFTREcordNumber
HEADER_LSN
HEADER_SequenceNo
HEADER_RecordRealSize
HEADER_RecordAllocSize
HEADER_FileRef
HEADER_NextAttribID
DATA_AllocatedSize
DATA_RealSize
DATA_CompressedSize

_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member

Re: An $MFT parser

Posted: Tue Aug 02, 2011 5:52 am

Chris_Ed wrote:

How about an option to extract file record slack? Should be pretty easy to incorporate.

Another idea is to expand the scope of the project somewhat and include Security Attributes - which would mean attempting to parse $Secure as well. It is a lot more work, but hey - you asked for ideas :)

Thanks, will look into it.
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member

Re: An $MFT parser

Posted: Tue Aug 02, 2011 6:42 am

joakims wrote:
Good suggestion. I am afraid that in my current solution several attributes of the same type for the same file is not ideal (the last attribute will overwrite the values for the first attribute of the same type for the same file). But it should be possible to solve.


Multiple streams of the same type are very common so this is something you should address sooner.
_________________
Paul Sanderson
SQLite Forensics Book
www.amazon.com/SQLite-...entries*=0

Forensic Toolkit for SQLite
sandersonforensics.com...for-SQLite 

PaulSanderson
Senior Member
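The overwrite problem joakims describes above (a second $DATA attribute clobbering the first) and Paul Sanderson's point that multiple streams of one type are common, shown as an added example that is not part of this thread and not code from the jschicht project: a walker over one FILE record that keys $DATA attributes by stream name rather than by type, and writes resident content out as hex, as suggested earlier in the thread. The FILE record, the stream names and their contents are constructed inside the script, and the update sequence fixups a real on-disk record needs are left out.

```python
import struct
ATTR_DATA = 0x80          # $DATA attribute type code
END_MARKER = 0xFFFFFFFF   # terminates the attribute list in a FILE record

def resident_attr(atype, name, content, attr_id):
    # Constructed resident attribute: 24-byte header, UTF-16LE name, 8-byte aligned content.
    name_b = name.encode("utf-16-le")
    content_off = (24 + len(name_b) + 7) & ~7
    length = (content_off + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, len(name), 24, 0, attr_id,
                      len(content), content_off, 0, 0)
    return (hdr + name_b).ljust(content_off, b"\0") + content.ljust(length - content_off, b"\0")

def file_record(attrs):
    # Constructed 1024-byte FILE record. Update sequence fixups are omitted here;
    # a record read from disk needs them applied before the attribute walk.
    body = b"".join(attrs) + struct.pack("<I", END_MARKER)
    hdr = bytearray(0x38)
    hdr[0:4] = b"FILE"
    struct.pack_into("<HHHHII", hdr, 16, 1, 1, 0x38, 1, 0x38 + len(body), 1024)
    struct.pack_into("<H", hdr, 40, len(attrs) + 1)   # next attribute id
    return (bytes(hdr) + body).ljust(1024, b"\0")

def data_streams(rec):
    """Return {stream_name: (resident, size, hex_content)} for every $DATA attribute."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    streams = {}
    off = struct.unpack_from("<H", rec, 20)[0]          # first attribute offset
    while off + 8 <= len(rec):
        atype, length = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or length == 0:
            break
        nonres, nlen, noff = struct.unpack_from("<BBH", rec, off + 8)
        name = rec[off + noff: off + noff + 2 * nlen].decode("utf-16-le")
        if atype == ATTR_DATA:          # key by stream name so an ADS never overwrites the main stream
            if nonres:  # real size sits at +48; the content lives in the data runs, not in the record
                streams[name] = (False, struct.unpack_from("<Q", rec, off + 48)[0], None)
            else:
                csize, coff = struct.unpack_from("<IH", rec, off + 16)
                streams[name] = (True, csize, rec[off + coff: off + coff + csize].hex())
        off += length
    return streams

# Constructed sample: the unnamed stream plus a named alternate data stream, both resident.
SAMPLE = file_record([
    resident_attr(ATTR_DATA, "", b"hello", 2),
    resident_attr(ATTR_DATA, "Zone.Identifier", b"[ZoneTransfer]\r\nZoneId=3\r\n", 3),
])
```

Each stream becomes its own csv row (or its own set of DATA_* columns) instead of the last one winning.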