mft2csv - NTFS systemfile extracter and $MFT decoder


Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Post Posted: Wed Jul 25, 2012 12:47 pm

- Ddan
Would this explain the error?

Sure, as said I just extracted an "area" of a disk image (containing the $MFT) and fed it to mft2csv.
The error is/was:
AutoIt Error
Line 4839 (File "<path of file>MFT2CSV.exe"):
Error: Variable used without being declared.


The use for which I tried the tool was "data recovery" (and NOT "Digital Forensics") oriented; I simply do NOT have a valid bootsector.

Evidently, if the first sector is the first sector of the $MFT, the tool "recognizes" it and works all right.

I also tested it with a (valid) whole disk image (and it failed with the same error).
And I also tested it on a (valid) volume image, extracted from the above (and it failed with the same error).
Then I extracted the actual $MFT from the above image and it worked flawlessly.
So I really cannot understand your question.
Which tool are you talking about?
I tested MFT2CSV.exe, size 399545 dated 30-06-2012.

The tool (correctly) asks for a $MFT; I was perfectly aware that by feeding it "something else" I would have probably got an error (though I prefer "aggressive" interfaces, like "You [email protected]§§, I want a §@ç#ing $MFT, the file you gave me is not a $MFT!"; a "Cannot decode file" would have been preferable to the "Variable not declared" error).

The suggestion, which Joakim seems to have got perfectly, was that it should be possible to "skip" everything until the first occurrence of "FILE0" or "FILE*" (this is a "safety" measure for people that - like I did - fed the tool with "something else", but actually it is a "no whining" one, as many people, when using a tool outside of its intended scope and getting an error, will start whining about the tool not working as it should).

The other suggestion, which it seems to me Joakim did not fully get, was slightly different.
I have no problems whatsoever (normally) in finding and extracting a $MFT (even if it has errors/sectors overwritten).
Right now the tool behaves very correctly: once all "real" $MFT entries have finished (because I intentionally fed it with a "larger" file), it continues scanning sectors, marking them as either "UNKNOWN" or "ZERO" entries.
The issue I see is that some form of limit should be given to this scanning, as IF a user feeds it a really large file, MFT2CSV will "scan forever" and produce a BIG .csv file (and there is currently no way, except "killing" the process, to stop the scan).

@joakim
I do understand the issue about (partially) overwritten $MFT.
Maybe a possibility would be to set a default of (say) "Scan max 100 sectors after last valid $MFT entry" and an editbox (or a .ini file) somewhere to change this default value to (again, say) 100, 10000, 100000.

Another few (very small) suggestions are about possible issues with importing the data into a spreadsheet.
The first thing is that the actual separator for .csv files (despite what the name implies) is usually dependent on "local" (please read as "international") settings.
As an example, on a normal Italian system the "list delimiter" is usually the semicolon ";".
Same goes for the date separator: instead of the dash "-", an Italian system would have a "/".
A setting (again as a checkbox in the GUI or as a .ini entry) would be nice.
There is a further small issue.
AFAIK there is no way to have a $MFT date entry such as (example):
2010-04-26 03:26:59:364:0406

recognized by a spreadsheet as a "number".
The most you can do is use a format like (again example):
Code:
yyyy\-mm\-dd\ hh\:mm\:ss;@
That will accept something like:
2010-04-26 03:26:59

as a "serial" and thus allow numerical operations (such as time differences) such as "=Q32-Q31" easily.
Of course it is trivial to insert a column with formulas *like*:
=VALUE(LEFT(Q20;11))+VALUE(RIGHT(LEFT(Q20;19);8))
but I wonder if it would be a useful addition to have a setting for it, like either "ignore precision after seconds" or "make a separate column for thousandths, etc."
(these latter "ideas" are only a possible way to add some "convenience" to the use; they do not represent in any way "real" issues, as anyone that knows how to deal with spreadsheets and .csv files will manage them all right, whilst the "stop scanning if ..." is IMHO a *needed* feature)


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
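As an added illustration of the two behaviours discussed in this post (skipping leading non-$MFT bytes until the first sector-aligned "FILE" signature, and bounding the trailing scan by a configurable gap) here is example code that is not part of mft2csv and not the author's; it assumes standard 1 KiB records and builds its own sample image inline.

```python
import struct

SECTOR_SIZE = 512
RECORD_SIZE = 1024            # assumption: standard 1 KiB $MFT records
MFT_SIGNATURE = b"FILE"       # "FILE0"/"FILE*": the 5th byte is the low byte of the USA offset

def find_first_record(data):
    """Offset of the first sector-aligned FILE signature, or -1 if none (skips leading junk)."""
    pos = data.find(MFT_SIGNATURE)
    while pos != -1 and pos % SECTOR_SIZE:
        pos = data.find(MFT_SIGNATURE, pos + 1)
    return pos

def scan_mft_records(data, max_gap=100):
    """Yield (offset, kind) per 1 KiB slot: 'FILE', 'ZERO' (all zeros) or 'UNKNOWN'.
    Stop once more than max_gap consecutive non-FILE slots follow the last record,
    which is the bounded scan asked for above instead of scanning to end of file."""
    gap = 0
    for off in range(0, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        slot = data[off:off + RECORD_SIZE]
        if slot[:4] == MFT_SIGNATURE:
            gap = 0
            yield off, "FILE"
            continue
        gap += 1
        if gap > max_gap:
            return                # give up: no $MFT record seen for max_gap slots
        yield off, "ZERO" if not any(slot) else "UNKNOWN"

def summarize(data, max_gap=100):
    """Skip to the first record, then count slot kinds until the gap limit triggers."""
    start = find_first_record(data)
    counts = {"FILE": 0, "ZERO": 0, "UNKNOWN": 0}
    if start != -1:
        for _, kind in scan_mft_records(data[start:], max_gap):
            counts[kind] += 1
    return start, counts

def make_record():
    """Constructed minimal record header: signature, USA offset 0x30, USA size 3."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = MFT_SIGNATURE
    struct.pack_into("<HH", rec, 4, 0x30, 3)
    return bytes(rec)

def build_sample_image():
    """Constructed input: 1 KiB of non-$MFT bytes, three records, then 300 empty slots."""
    junk = b"\xa5" * RECORD_SIZE
    return junk + b"".join(make_record() for _ in range(3)) + bytes(RECORD_SIZE * 300)
```

With the default gap of 100, the 300 trailing empty slots produce only 100 ZERO entries before the scan stops, instead of a CSV that grows with the size of whatever was fed in.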

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Post Posted: Wed Jul 25, 2012 7:22 pm

@jaclaz
Your suggestions are taken note of. As already mentioned, the tool mft2csv is up for a rewrite, and its scope for use may expand as functionality is added. The functionality is not at all settled, so suggestions are still (and always will be) welcome. Your suggestions make sense.

Ability to more easily stop/abort the operation is wanted functionality I agree on.

Auto stop of the program if the file most likely is not an $MFT also makes sense. But the exact conditions under which to conclude with an invalid $MFT may or may not be easy. Checking for the presence of "FILE" in the first four bytes is the simplest.

Choice of timestamp format is something I have already thought of, and will be added. Examples of other wanted formats may help.

Ability to open disk-like image files is also noted. Also, running against mounted volumes is a feature on my list.

Decode of the $SECURITY_DESCRIPTOR is also noted.
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Post Posted: Wed Jul 25, 2012 9:34 pm

I frequently convert date/time strings into Excel values, which seems to have a limit of milliseconds.

I converted this: "2010-04-26 03:26:59:364:0406" to this: "2010-04-26 03:26:59.3640406" (changed last 2 colons) and pasted it into Excel 2007.

When the format is tweaked, the date can be displayed as follows: 2010-04-26 03:26.364, but with no more precision than milliseconds. From my limited testing, I believe XL rounds at milliseconds and discards additional precision. So "2010-04-26 03:26:59.3645" is equivalent to 2010-04-26 03:26:59.365.

Software functionality is a moving target, so I can't really say if the same behavior exists in 2010, 2013, or Google Docs Spreadsheet, but there it is for XL 2007 at least.

FYI.
_________________
Scott Tucker
Aptegra Consulting, LLC
www.aptegra.com 

TuckerHST
Senior Member

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Post Posted: Thu Jul 26, 2012 1:04 am

- jaclaz
- Ddan
Would this explain the error?

So I really cannot understand your question.
Which tool are you talking about?
jaclaz


Sorry, my fault, looked at the wrong module. Doh!!!!!

Ddan  

Ddan
Member

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Post Posted: Fri Jan 04, 2013 10:31 pm

Did a major update of mft2csv which should make it more attractive.

New features:
-Support for raw/dd disk images (both MBR and GPT style). No need to extract $MFT.
-Support for raw/dd partition images.
-Support for running it directly on a live system without the need to extract $MFT first.
-Option to adjust timestamps for any UTC region (for instance if timezone configuration of the system where the image is taken is known).
-Resolved file paths.
-Much more user-friendly.

mft2csv.googlecode.com....0.0.0.zip

(thanks DDan)
_________________
Joakim Schicht

github.com/jschicht 


Last edited by joakims on Fri Jan 04, 2013 11:09 pm; edited 1 time in total

joakims
Senior Member

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Post Posted: Fri Jan 04, 2013 10:51 pm

- jaclaz

The tool (correctly) asks for a $MFT, I was perfectly aware that feeding it "something else" I would have probably got an error (though I prefer "aggressive" interfaces...


As someone who has written tools, and provided them all for free, I find this extremely frustrating.

This past fall, I released a tool I call "Forensic Scanner". Before my employer had me move it from the Google Code site to a GitHub site, there were 956 downloads. Of these, I received less than a dozen comments. About half were, "thanks, great tool", and the other half were, "...doesn't work." Of the latter half, some digging and exchange of emails revealed that those who had made that statement had run the tool improperly, *AFTER* reading the user manual.

I cannot express how incredibly frustrating it can be to (a) dig into a subject, (b) find everything or what little there is on a topic, (c) write code to parse data structures, (d) clean up the code, (e) make it easy for others to use, (f) add a GUI to the tool, and (g) release it for free, only to have someone run the tool incorrectly.

Not long after I released RegRipper, I had people run it against PST files. I know of folks who ran it against "Registry files" that were all zeros...and for the life of them, they couldn't figure out why it didn't work...and apparently had no idea what a "hex editor" is. Some have run RegRipper against raw/dd image files.

Sorry. I just find it kind of frustrating when someone essentially says that a tool that they download for free needs to be responsible for identifying incorrect use.

keydet89
Senior Member

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Post Posted: Sun Jan 06, 2013 11:38 pm

So I added an option to choose the output format. Currently there is:

- All (default)
- log2timeline
- bodyfile

However, as I'm not familiar with log2timeline and bodyfile, I'm not sure the output is as it's supposed to be.

To me it seems the bodyfile format has very little information per row, making it less feasible for $MFT. For instance, how do you distinguish SI and FN timestamps? What about filename vs. filename+path? And ADSs? In the current version I stick to SI as default, and disregard any FN.

At least for the log2timeline format there is room for more information (however, it is unclear exactly what goes where). Unless you just accept SI timestamps and disregard any FN timestamps, you will get a number of rows per file equal to 4 + (4 * number of FileName attributes). In the current version I dump SI, FN1 and FN2.

Would be nice if someone would comment on the output format.
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member
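As an added example (not mft2csv's code) of the output-format questions raised in this post and the timestamp precision discussed earlier in the thread: the TSK 3.x bodyfile layout carries whole seconds only, so the 100 ns part of an NTFS FILETIME is lost, and SI and FN rows are told apart here by a " ($FILE_NAME)" name suffix, which is an assumed convention rather than anything mft2csv defines; the MftEntry/Times structures and the sample file are constructed for the example.

```python
from collections import namedtuple
from datetime import datetime, timezone

EPOCH_DIFF = 116444736000000000   # 100 ns ticks from 1601-01-01 to 1970-01-01
TICKS_PER_SEC = 10_000_000

# FILETIME values in the order $STANDARD_INFORMATION and $FILE_NAME store them
Times = namedtuple("Times", "created modified mft_modified accessed")
MftEntry = namedtuple("MftEntry", "record path size si fn")   # fn: one Times per $FILE_NAME

def filetime_to_unix(ft):
    """NTFS FILETIME to whole Unix seconds, which is all the bodyfile format carries."""
    return (ft - EPOCH_DIFF) // TICKS_PER_SEC

def filetime_to_str(ft):
    """Full-precision text as quoted in the thread: yyyy-mm-dd hh:mm:ss:mmm:tttt (ms, 100 ns)."""
    ticks = (ft - EPOCH_DIFF) % TICKS_PER_SEC
    dt = datetime.fromtimestamp(filetime_to_unix(ft), tz=timezone.utc)
    return f"{dt:%Y-%m-%d %H:%M:%S}:{ticks // 10_000:03d}:{ticks % 10_000:04d}"

def bodyfile_rows(entry):
    """TSK 3.x body format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
    One row for SI and one per FN, the FN name suffixed ' ($FILE_NAME)' so the two
    timestamp sources stay distinguishable (assumed convention, not mft2csv's own)."""
    sources = [(entry.path, entry.si)] + [(entry.path + " ($FILE_NAME)", t) for t in entry.fn]
    rows = []
    for name, t in sources:
        fields = ["0", name, str(entry.record), "r/rrwxrwxrwx", "0", "0", str(entry.size)]
        fields += [str(filetime_to_unix(x)) for x in (t.accessed, t.modified, t.mft_modified, t.created)]
        rows.append("|".join(fields))
    return rows

def one_row_per_timestamp_count(entry):
    """Row count if every timestamp becomes its own line, as counted above: 4 + 4 * number of FN."""
    return 4 + 4 * len(entry.fn)

# Constructed sample: the thread's "2010-04-26 03:26:59:364:0406" as a FILETIME, on a fictitious file.
SAMPLE_UNIX = int(datetime(2010, 4, 26, 3, 26, 59, tzinfo=timezone.utc).timestamp())
SAMPLE_FT = SAMPLE_UNIX * TICKS_PER_SEC + 3640406 + EPOCH_DIFF
SAMPLE_ENTRY = MftEntry(42, r"C:\Users\demo\notes.txt", 1234,
                        Times(SAMPLE_FT, SAMPLE_FT, SAMPLE_FT, SAMPLE_FT),
                        [Times(SAMPLE_FT, SAMPLE_FT, SAMPLE_FT, SAMPLE_FT)] * 2)
```

For the sample entry with two $FILE_NAME attributes, bodyfile_rows gives three rows (SI plus two FN) while the one-row-per-timestamp layout would give 12.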