An $MFT parser

joakims
(@joakims)
Posts: 224
Estimable Member
Topic starter
 

I challenged myself to write an $MFT parser to rip information and log it to a csv file. It is going fine as I can reassemble and extract the $MFT from physical disk. I've also come a long way on decoding the various attributes. Currently I'm pretty much ripping everything from the Record header, Standard Information, File Name and Data attribute.

Question is what else would be of interest from the other remaining attributes?

In the current form, it will generate a massive amount of data. On a sample 95 MB $MFT it generated a 35 MB csv. It will export information from each and every record (including those marked as deleted). Thanks for any pointers.

 
Posted : 02/08/2011 4:01 am
(@twjolson)
Posts: 417
Honorable Member
 

Can it handle multiple $DATA attributes?

What about exporting out resident $DATA data?

Just off the top of my head…

 
Posted : 02/08/2011 7:34 am
joakims
(@joakims)
Posts: 224
Estimable Member
Topic starter
 

Can it handle multiple $DATA attributes?

What about exporting out resident $DATA data?

Good suggestion. I am afraid that in my current solution several attributes of the same type for the same file are not handled ideally (the last attribute will overwrite the values of the first attribute of the same type for the same file). But it should be possible to solve.

When you say exporting resident $DATA data, would it make any sense to put this into the csv? If so, then maybe writing the hex values (instead of binary) would be the best. If you meant outside the csv, we must somehow account for duplicated files of same name.

Of course this would slow down the processing further, but maybe this option should be configurable.

Thanks for the input.

 
Posted : 02/08/2011 11:25 am
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

Hi Joakim,

How about an option to extract file record slack? Should be pretty easy to incorporate.

Another idea is to expand the scope of the project somewhat and include Security Attributes - which would mean attempting to parse $secure as well. It is a lot more work, but hey - you asked for ideas )

 
Posted : 02/08/2011 11:48 am
joakims
(@joakims)
Posts: 224
Estimable Member
Topic starter
 

Right now, this is what is included;


FN_FileName
HEADER_Flags
SI_FilePermission
FN_Flags
SI_CTime
SI_ATime
SI_MTime
SI_RTime
FN_CTime
FN_ATime
FN_MTime
FN_RTime
FN_AllocSize
FN_RealSize
SI_USN
DATA_VCNs
DATA_NonResidentFlag
HEADER_MFTREcordNumber
HEADER_LSN
HEADER_SequenceNo
HEADER_RecordRealSize
HEADER_RecordAllocSize
HEADER_FileRef
HEADER_NextAttribID
DATA_AllocatedSize
DATA_RealSize
DATA_CompressedSize

 
Posted : 02/08/2011 11:48 am
joakims
(@joakims)
Posts: 224
Estimable Member
Topic starter
 

How about an option to extract file record slack? Should be pretty easy to incorporate.

Another idea is to expand the scope of the project somewhat and include Security Attributes - which would mean attempting to parse $secure as well. It is a lot more work, but hey - you asked for ideas )

Thanks, will look into it.

 
Posted : 02/08/2011 11:52 am
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

Good suggestion. I am afraid that in my current solution several attributes of the same type for the same file are not handled ideally (the last attribute will overwrite the values of the first attribute of the same type for the same file). But it should be possible to solve.

Multiple streams of the same type are very common so this is something you should address sooner.

 
Posted : 02/08/2011 12:42 pm
joakims
(@joakims)
Posts: 224
Estimable Member
Topic starter
 

I've implemented 4 FN attributes and will look at multiples for $DATA too. Is it necessary/relevant to handle multiples for more than these 2 attributes?

Regarding record slack, is it safe to say that if slack contains anything except 00's then it is of interest (minus the page terminator/marker)?

In the current version it writes to csv roughly 200 records per second, on a not so powerful machine. That is with 50 variables, including the multiples. Meaning it is not very fast.

 
Posted : 03/08/2011 11:29 am
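The record parsing described in the opening post, with the handling twjolson and Paul Sanderson ask for (several $FILE_NAME and $DATA attributes in one record, resident $DATA content) and the record slack Chris_Ed suggests, as an added Python example. It is not mft2csv's code. The 1024-byte FILE record it parses is constructed in build_record; the 512-byte sectors, 4 KiB clusters, timestamps, names, record number and update sequence number are all assumptions. The update sequence fixups are applied before anything else, which matters for the slack question above: on disk the last two bytes of every sector hold the USN, so without the fixup they look like non-zero slack bytes, and an attribute that straddles a sector boundary (the ADS name in this sample does) reads back corrupted.

```python
"""Parse one NTFS $MFT FILE record: header, fixups, $STANDARD_INFORMATION,
$FILE_NAME, $DATA (resident content or raw run list) and record slack.
Added example, not mft2csv's code; the record it parses is constructed."""
import struct
from datetime import datetime, timedelta, timezone

SI, FN, DATA, END = 0x10, 0x30, 0x80, 0xFFFFFFFF
KEY = {SI: "SI", FN: "FN", DATA: "DATA"}


def filetime(v):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601 string."""
    return (datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=v // 10)).isoformat()


def fixup(rec, sector=512):
    """Undo the update sequence array: on disk the last 2 bytes of every sector are
    replaced by the USN and the real bytes are parked in the array at the USA offset."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn, buf = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_cnt):
        end = i * sector
        if buf[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d (torn write?)" % (i - 1))
        buf[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_record(raw, sector=512):
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = fixup(raw, sector)
    lsn, seq, links, attr_off, flags, real, alloc, base, next_id, _, recno = struct.unpack_from("<QHHHHIIQHHI", rec, 8)
    out = {"header": dict(recno=recno, lsn=lsn, seq=seq, links=links, flags=flags, real=real,
                          alloc=alloc, base=base, next_id=next_id),
           "SI": [], "FN": [], "DATA": [], "other": [], "slack": rec[real:alloc]}  # slack: real size to record end
    off = attr_off
    while off + 8 <= real:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen < 0x18:
            break
        nonres, nlen, noff, aflags, aid = struct.unpack_from("<BBHHH", rec, off + 8)
        a = {"id": aid, "flags": aflags, "nonresident": bool(nonres),
             "name": rec[off + noff:off + noff + 2 * nlen].decode("utf-16-le")}
        if nonres:  # content lives in clusters; the record only holds the run list
            runs_off, alloc_sz, real_sz = struct.unpack_from("<H6xQQ", rec, off + 0x20)
            a.update(alloc_size=alloc_sz, real_size=real_sz, runs_raw=rec[off + runs_off:off + alen])
        else:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == SI:
                c, at, m, r, perm = struct.unpack_from("<4QI", body)
                a.update(ctime=filetime(c), atime=filetime(at), mtime=filetime(m), rtime=filetime(r), perm=perm)
                if len(body) >= 0x48:  # NTFS 3.0+ layout carries the USN at 0x40
                    a["usn"] = struct.unpack_from("<Q", body, 0x40)[0]
            elif atype == FN:
                parent, c, at, m, r, asz, rsz, ffl, _, n, ns = struct.unpack_from("<7QIIBB", body)
                a.update(filename=body[0x42:0x42 + 2 * n].decode("utf-16-le"), parent=parent & 0xFFFFFFFFFFFF,
                         namespace=ns, alloc_size=asz, real_size=rsz, file_flags=ffl,
                         ctime=filetime(c), atime=filetime(at), mtime=filetime(m), rtime=filetime(r))
            else:  # resident $DATA (small files, most ADS): the content is right here in the record
                a["content"] = body
        out[KEY.get(atype, "other")].append(a)  # one list per type, so several $FILE_NAME/$DATA never overwrite
        off += alen
    return out


def _res(atype, body, name=""):  # resident attribute, 8-byte aligned like the driver writes it
    nb = name.encode("utf-16-le")
    coff = (0x18 + len(nb) + 7) & ~7
    total = (coff + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, len(name), 0x18, 0, 0, len(body), coff, 0, 0)
    return (hdr + nb).ljust(coff, b"\0") + body.ljust(total - coff, b"\0")


def _nonres(atype, runs, clusters, real):  # unnamed non-resident attribute, 4 KiB clusters assumed
    total = (0x40 + len(runs) + 7) & ~7
    hdr = struct.pack("<IIBBHHHQQHHIQQQ", atype, total, 1, 0, 0x40, 0, 0, 0, clusters - 1, 0x40, 0, 0,
                      clusters * 4096, real, real)
    return hdr + runs.ljust(total - 0x40, b"\0")


def build_record(t=132_000_000_000_000_000, usn=b"\x07\x00"):
    """Constructed sample: $SI, two $FN (DOS and Win32 names), an unnamed non-resident
    $DATA with two runs, a resident Zone.Identifier ADS, and an old name left in slack."""
    def fn(name, ns):
        return struct.pack("<7QIIBB", 5 | (5 << 48), t, t, t, t, 0x110 * 4096, 1_112_000, 0x20, 0,
                           len(name), ns) + name.encode("utf-16-le")
    attrs = (_res(SI, struct.pack("<4Q6IQQ", t, t, t, t, 0x20, 0, 0, 0, 0, 0x100, 0, 0x5000))
             + _res(FN, fn("LONGFI~1.TXT", 2)) + _res(FN, fn("longfilename.txt", 1))
             + _nonres(DATA, bytes.fromhex("311045230122000100f000"), 0x110, 1_112_000)
             + _res(DATA, b"[ZoneTransfer]\r\nZoneId=3\r\n", "Zone.Identifier")
             + struct.pack("<II", END, 0))
    real = 0x38 + len(attrs)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0x1A2B3C, 2, 2, 0x38, 1, real, 1024, 0, 7, 0, 12345)
    rec = bytearray((hdr + usn + b"\0" * 6 + attrs + b"\0" * 8 + "old.exe".encode("utf-16-le")).ljust(1024, b"\0"))
    for i in range(2):  # apply fixups like the driver: park each sector tail in the USA, stamp the USN over it
        tail = 512 * i + 510
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[tail:tail + 2]
        rec[tail:tail + 2] = usn
    return bytes(rec)
```

parse_record(build_record()) returns one dict per record with a list per attribute type, so a csv writer can emit one row per $FILE_NAME or per $DATA stream instead of letting the last one win. The `slack` entry is what is left between the record's real size and its allocated size after the fixups have been undone; a non-zero byte in it is then genuinely leftover data rather than the sector marker.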
joakims
(@joakims)
Posts: 224
Estimable Member
Topic starter
 

So I finally finished the first version of my mft2csv application. I registered it at the project hosting at Google code: http://code.google.com/p/mft2csv/

It consists of 2 applications:
- One that will carve files directly from physical disk by reading sectors as specified in $MFT. Several modes are available.
- The main application is the mft2csv tool that will decode and log large amounts of data from $MFT to csv format. The current base of 126 variables is a very good starting point for further improvement (and maybe some are unneeded).

Check out the site, there is source, compiled exe and descriptions. The source is free and pretty much without restrictions.

I really recommend doing something like this if you want to dig into NTFS and learn more about it the interesting and exciting way. It is very likely that I will expand it with more features soon. Since it is written in the scripting language AutoIt, it is Windows only. However, on the good side, it is very easy and lots of fun to work with.

Regarding some of the points discussed earlier in this thread, it may be that such functionality is best put into a separate application (resident data and record slack).

 
Posted : 11/08/2011 4:11 am
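Decoding a $DATA run list and reading the clusters it names back from a physical disk or image, which is what the carving application announced above and the $MFT extraction in the opening post have to do, as an added Python example. It is not mft2csv's carver. The disk image, its 64 KiB partition offset, 512-byte clusters, run list and file size are constructed. It covers the two cases a carver has to get right: a sparse run (no clusters on disk, the file reads as zeros there) and the last cluster, where the file's real size ends before the cluster does; the include_slack switch keeps that file-slack tail instead of trimming it.

```python
"""Decode a $DATA run list and carve the content it points at from a raw disk
or image. Added example, not mft2csv's carver; image, geometry and runs are constructed."""
import io

CLUSTER, PART_OFF = 512, 0x10000  # assumed: 512-byte clusters, volume starts 64 KiB into the disk
RUNS = bytes.fromhex("11020a01011101f900")  # constructed: 2 clusters at LCN 10, 1 sparse, 1 at LCN 3
REAL_SIZE = 1024 + 512 + 376  # bytes actually used; the sparse run counts toward the logical size


def decode_runs(buf):
    """Run list -> [(lcn, clusters)], lcn None for a sparse run. Each run is a header byte
    (low nibble: length-field size, high nibble: offset-field size), an unsigned length and
    a signed offset relative to the previous run's LCN; a 0x00 header ends the list."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:
        ln, lo = buf[pos] & 0xF, buf[pos] >> 4
        length = int.from_bytes(buf[pos + 1:pos + 1 + ln], "little")
        if lo:
            lcn += int.from_bytes(buf[pos + 1 + ln:pos + 1 + ln + lo], "little", signed=True)
        runs.append((lcn if lo else None, length))
        pos += 1 + ln + lo
    return runs


def carve(disk, runs, real_size, partition_offset, cluster, include_slack=False):
    """Read the clusters named by `runs` from a seekable `disk`. The result is trimmed to
    real_size; with include_slack the unused tail of the last cluster (file slack, which
    can still hold older data) is kept instead."""
    out, remaining = bytearray(), real_size
    for lcn, length in runs:
        if remaining <= 0 and not include_slack:
            break
        n = length * cluster if include_slack else min(length * cluster, remaining)
        if lcn is None:  # sparse: nothing on disk, the file reads as zeros here
            out += b"\0" * n
        else:
            disk.seek(partition_offset + lcn * cluster)
            chunk = disk.read(n)
            if len(chunk) != n:
                raise IOError("short read at LCN %d" % lcn)
            out += chunk
        remaining -= n
    if remaining > 0:
        raise ValueError("run list is %d bytes short of the real size" % remaining)
    return bytes(out)


def build_image():
    """Constructed disk: filler everywhere, the file's two pieces at LCN 10-11 and LCN 3;
    cluster 3 holds 376 file bytes followed by 136 bytes of older data (file slack)."""
    img = bytearray(b"\xee" * (PART_OFF + 16 * CLUSTER))
    img[PART_OFF + 10 * CLUSTER:PART_OFF + 12 * CLUSTER] = bytes(range(256)) * 4
    img[PART_OFF + 3 * CLUSTER:PART_OFF + 4 * CLUSTER] = b"B" * 376 + b"S" * 136
    return bytes(img)


def carve_sample(include_slack=False):
    """Run the carver over the constructed image and return the bytes recovered."""
    return carve(io.BytesIO(build_image()), decode_runs(RUNS), REAL_SIZE, PART_OFF, CLUSTER, include_slack)


if __name__ == "__main__":
    print(decode_runs(RUNS))
    data = carve_sample()
    print(len(data), "bytes carved;", len(carve_sample(True)) - len(data), "bytes of file slack")
```

Against a real disk the `disk` argument would be the opened raw device or image, the partition offset comes from the partition table, and the cluster size from the volume's boot sector; the run list is the raw bytes after the data-run offset of a non-resident $DATA attribute. Trimming to the real size is the "normal" mode; keeping the slack is the mode a forensic carver wants when the tail of the last cluster may still hold remnants of whatever file used it before.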