mft2csv - NTFS systemfile extracter and $MFT decoder

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Posted: Sun Feb 12, 2012 10:50 pm

Just to stir the pot a little, I notice that the same four bytes occur in RCRD records as well!!!

Ddan  

Ddan
Member
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Posted: Tue May 15, 2012 4:39 am

Hi Joakim,

I wonder if you can help me. I've been playing around with your source code for NTFS_Sysfiles_Extracter_v1.8 and I seem to be having some sort of problem. When I compile it, it gives a different exe size than the exe that you supply. Also my exe does not produce the same output for an extracted file as your exe does. The file in question is a compressed file and neither exe produces the correct output.

I don't think it is simply different versions of Autoit, but in case it is, I am using Autoit v3.3.6.1 and version 3.7 (for version 3.3.6.1) of WinApiEx.

Is it possible that you actually compiled a different version of the source code for v1.8?

Ddan  

Ddan
Member
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Posted: Tue May 15, 2012 8:16 am

I will have a look at the versions. If I remember correctly they are both the newest, but I will double check. Either way, the compression part was never completely solved, despite your nice explanation. If I remember correctly, I was only able to decompress the first 4 Kb or something.

Edit:
For lack of time to follow this up this week: I think only the latest versions were compiled with version 3.3.8.0. Version 3.3.8.1 is now the latest. Additionally, the version of WinApiEx it was compiled with was an earlier version than the latest (updated on 25 March). That is probably the reason for the differing file sizes. Don't worry about that, as you can compile them anew yourself. Let me know if you find any errors in the code (likely some)..
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Posted: Wed Jun 27, 2012 7:35 pm

There have been some major improvements on the tools; code.google.com/p/mft2...loads/list

NTFS File Extracter v3.0
Added full support for compressed and sparse files.
$ATTRIBUTE_LIST solved, meaning extremely fragmented files can now be extracted.
Also support extraction of all ADS's tied to a given file.
Code reorganized for easier reuse.

MFTRCRD v6
Added support for specifying record number as parameter.
$ATTRIBUTE_LIST
Option to dump individual attributes as nicely formatted hex.

mft2csv v1.7
Just some smaller fixes.

Many thanks to DDan for the effort put into the new NTFS File Extracter.

That code has a lot of potential now.
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Posted: Tue Jul 24, 2012 12:27 pm

Hi Joakim,
just had an occasion to try the nice mft2csv thingy.

All went well Very Happy , really nice and handy.

I have a small feature suggestion, I tested the thingy on a [email protected]§§edly extracted bunch of sectors that included a few sectors before the actual $MFT (and a few after it).
The program failed with an error.
So, I stripped the first few unrelated sectors and everything went well.

Maybe it would be an idea to parse the file for first occurrence of "FILE0" (or "FILE*") so that it "auto-detects" the $MFT first sector.
As well the "excess" sectors at the end were reported (correctly) as "UNKNOWN", again an idea could be that of stopping the parsing when no more "FILE0" (or "FILE*") are found (every other sector).


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Posted: Tue Jul 24, 2012 9:20 pm

Thanks for the input jaclaz.

For now the tool assumes that you have the $MFT correctly extracted. But that said, the tool (mft2csv) is up for a major rewrite soon, and lots of stuff will be changed in it. Among other things are physical disk reading (ie no need for an extracted $MFT). And much more..

Regarding your input about excess sectors with invalid records, I think it is better not to stop parsing. The reason is there may be invalid records like with the magic "BAAD", where healthy records may continue 1024 bytes further down. Also there may exist other sorts of bad sectors/records that will break a complete decode if parsing was to be stopped.

Anyway, lots of work has been done lately and there will be much more to come. I am very grateful for all suggestions on how these tools should or could be. Or otherwise any tip on new features and functionality, or maybe a bug report. I'm open to any ideas.

The fact that it is all open source hopefully will tempt others to fiddle with the code and contribute. If so just let me know..

Right now MFTRCRD is much better at analysing, at least for individual files, where INDX records are resolved, dumped and decoded too.
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member
 
 
  
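The two posts above describe a parsing policy: locate the first "FILE" record so a dump with unrelated leading sectors still works, but do not stop at the first record whose magic is not "FILE", because "BAAD" records are valid NTFS and healthy records resume 1024 bytes further on. The following is an added illustration in Python, not code from mft2csv or from either poster, and it says nothing about how mft2csv itself is implemented. The record header offsets (0x10 sequence number, 0x16 flags, 0x1C bytes allocated) are the standard MFT FILE record layout; the dump it walks is constructed in the block.

```python
import struct

RECORD_SIZE = 1024   # MFT FILE record size on practically every NTFS volume
SECTOR_SIZE = 512


def find_mft_start(buf, step=SECTOR_SIZE):
    """Return the offset of the first sector-aligned 'FILE' magic, or None.

    The 'FILE0' seen in a hex editor is the 4-byte magic followed by the
    update-sequence-array offset byte (0x30 == '0' for 1024-byte records).
    """
    for off in range(0, len(buf) - 3, step):
        if buf[off:off + 4] == b"FILE":
            return off
    return None


def classify_record(rec):
    """Label a record by its magic: FILE, BAAD, all-zero EMPTY, or UNKNOWN."""
    magic = rec[:4]
    if magic == b"FILE":
        return "FILE"
    if magic == b"BAAD":
        return "BAAD"
    if not any(rec):
        return "EMPTY"
    return "UNKNOWN"


def parse_file_record_header(rec):
    """Pull the few header fields needed to describe a FILE record."""
    seq = struct.unpack_from("<H", rec, 0x10)[0]        # sequence number
    flags = struct.unpack_from("<H", rec, 0x16)[0]      # 0x01 in use, 0x02 directory
    allocated = struct.unpack_from("<I", rec, 0x1C)[0]  # bytes allocated for the record
    return {"seq": seq, "in_use": bool(flags & 0x01),
            "is_dir": bool(flags & 0x02), "allocated": allocated}


def scan_records(buf, start, record_size=RECORD_SIZE):
    """Walk full records from `start` to the end of the buffer.

    Damaged or unknown records (BAAD, unknown magic) are reported but do not
    stop the walk: the next healthy record may sit 1024 bytes further on.
    """
    results = []
    for off in range(start, len(buf) - record_size + 1, record_size):
        rec = buf[off:off + record_size]
        kind = classify_record(rec)
        entry = {"offset": off, "index": (off - start) // record_size, "kind": kind}
        if kind == "FILE":
            entry.update(parse_file_record_header(rec))
        results.append(entry)
    return results


def make_file_record(seq, flags):
    """Constructed FILE record with a plausible header and an empty body."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)   # USA offset 0x30, 3 entries
    struct.pack_into("<H", rec, 0x10, seq)
    struct.pack_into("<H", rec, 0x16, flags)
    struct.pack_into("<I", rec, 0x1C, RECORD_SIZE)
    return bytes(rec)


def build_sample_dump():
    """Constructed dump: three unrelated leading sectors, a FILE record, a BAAD
    record, another FILE record (a directory), then two zeroed trailing records."""
    junk = b"\xAA" * (3 * SECTOR_SIZE)
    baad = b"BAAD" + b"\x00" * (RECORD_SIZE - 4)
    tail = b"\x00" * (2 * RECORD_SIZE)
    return junk + make_file_record(1, 0x01) + baad + make_file_record(2, 0x03) + tail


if __name__ == "__main__":
    dump = build_sample_dump()
    start = find_mft_start(dump)
    print("first FILE record at offset", start)
    for r in scan_records(dump, start):
        print(r)
```

Scanning for the start at sector granularity rather than record granularity matters because a dump that begins a few sectors early puts the first record at an offset that is not a multiple of 1024. Once the start is known, the walk is strictly by record size, and a BAAD record simply shows up in the output as its own row instead of ending the decode.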

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Posted: Wed Jul 25, 2012 1:50 am

- jaclaz
Hi Joakim,
just had an occasion to try the nice mft2csv thingy.

I tested the thingy on a [email protected]§§edly extracted bunch of sectors that included a few sectors before the actual $MFT (and a few after it).
The program failed with an error.
So, I stripped the first few unrelated sectors and everything went well.

jaclaz


You didn't say what sort of error it gave. One of the first things that the code does is to read the Boot sector to get things like the cluster size and the location of the $MFT. I assume your first sector would not have been a valid NTFS boot record. Would this explain the error?

Ddan  

Ddan
Member
 
 
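Ddan's explanation above, that the code reads the boot sector first to learn the cluster size and the $MFT location, is the reason a dump with an unrelated first sector fails immediately. As an added example in Python (not code from mft2csv or from either poster), the block below decodes the standard NTFS boot sector fields (OEM ID at 0x03, bytes per sector at 0x0B, sectors per cluster at 0x0D, $MFT and $MFTMirr cluster numbers at 0x30 and 0x38, the signed record-size bytes at 0x40 and 0x44, and the 0x55AA signature), rejects anything that is not an NTFS boot record, and checks that a FILE record really sits where the boot sector points. Both the boot sector and the tiny image it parses are constructed in the block.

```python
import struct

SECTOR_SIZE = 512


def parse_boot_sector(sector):
    """Decode the NTFS boot sector fields a parser needs to find the $MFT.

    Raises ValueError when the sector does not look like an NTFS boot record,
    which is exactly what happens if a dump starts a few sectors early.
    """
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least 512 bytes")
    if sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    if sector[0x03:0x0B] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '")
    bytes_per_sector = struct.unpack_from("<H", sector, 0x0B)[0]
    sectors_per_cluster = sector[0x0D]
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        raise ValueError("implausible bytes per sector: %d" % bytes_per_sector)
    # Cluster sizes above 64 KiB use a different encoding of this byte; not handled here.
    if sectors_per_cluster == 0 or sectors_per_cluster & (sectors_per_cluster - 1):
        raise ValueError("sectors per cluster is not a power of two: %d" % sectors_per_cluster)
    total_sectors = struct.unpack_from("<Q", sector, 0x28)[0]
    mft_lcn = struct.unpack_from("<Q", sector, 0x30)[0]
    mftmirr_lcn = struct.unpack_from("<Q", sector, 0x38)[0]
    # Signed bytes: a negative value n means the record is 2**(-n) bytes, independent of cluster size.
    clusters_per_mft_record = struct.unpack_from("<b", sector, 0x40)[0]
    clusters_per_index_record = struct.unpack_from("<b", sector, 0x44)[0]
    cluster_size = bytes_per_sector * sectors_per_cluster

    def record_bytes(cpr):
        return (1 << -cpr) if cpr < 0 else cpr * cluster_size

    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "mft_lcn": mft_lcn,
        "mft_offset": mft_lcn * cluster_size,
        "mftmirr_offset": mftmirr_lcn * cluster_size,
        "mft_record_size": record_bytes(clusters_per_mft_record),
        "index_record_size": record_bytes(clusters_per_index_record),
        "volume_serial": struct.unpack_from("<Q", sector, 0x48)[0],
    }


def locate_mft(image):
    """Parse the boot sector at offset 0 and confirm a FILE record sits where it points."""
    info = parse_boot_sector(image[:SECTOR_SIZE])
    off = info["mft_offset"]
    if image[off:off + 4] != b"FILE":
        raise ValueError("no FILE record at computed $MFT offset 0x%X" % off)
    return info


def build_sample_boot_sector(mft_lcn=786432, mftmirr_lcn=2):
    """Constructed boot sector: 512-byte sectors, 8 sectors per cluster, 1 KiB MFT records."""
    bs = bytearray(SECTOR_SIZE)
    bs[0:3] = b"\xEB\x52\x90"                       # jump instruction
    bs[0x03:0x0B] = b"NTFS    "
    struct.pack_into("<H", bs, 0x0B, 512)
    bs[0x0D] = 8
    bs[0x15] = 0xF8                                 # media descriptor: fixed disk
    struct.pack_into("<Q", bs, 0x28, 20971519)      # total sectors (constructed, about 10 GiB)
    struct.pack_into("<Q", bs, 0x30, mft_lcn)
    struct.pack_into("<Q", bs, 0x38, mftmirr_lcn)
    struct.pack_into("<b", bs, 0x40, -10)           # 2**10 = 1024-byte MFT records
    struct.pack_into("<b", bs, 0x44, 1)             # one cluster per index record
    struct.pack_into("<Q", bs, 0x48, 0x1234567890ABCDEF)  # constructed volume serial
    bs[0x1FE:0x200] = b"\x55\xAA"
    return bytes(bs)


def build_sample_image():
    """Constructed tiny image: boot sector, padding, and one FILE record at $MFT LCN 4."""
    boot = build_sample_boot_sector(mft_lcn=4)
    cluster = 512 * 8
    first_record = b"FILE" + b"\x30\x00\x03\x00" + b"\x00" * (1024 - 8)
    return boot + b"\x00" * (4 * cluster - SECTOR_SIZE) + first_record


if __name__ == "__main__":
    print(locate_mft(build_sample_image()))
    try:
        parse_boot_sector(b"\xAA" * SECTOR_SIZE)    # an unrelated leading sector
    except ValueError as exc:
        print("rejected:", exc)
```

The explicit checks (signature, OEM ID, plausible sector and cluster sizes) turn the vague "failed with an error" into a message that tells the analyst which assumption the input violated, and the final magic check at the computed offset catches the case where the boot sector parses but the dump does not actually start at the volume's first sector.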

Page 7 of 10