±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 1 Overall: 34693
New Yesterday: 0 Visitors: 251

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

mft2csv - NTFS systemfile extracter and $MFT decoder

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page Previous  1, 2, 3, 4, 5, 6, 7, 8, 9, 10  Next 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Post Posted: Mon Jan 14, 2013 9:59 am

- keydet89
- jaclaz

The tool (correctly) asks for a $MFT, I was perfectly aware that feeding it "something else" I would have probably got an error (though I prefer "aggressive" interfaces...


As someone who as written tools, and provided them all for free, I find this extremely frustrating.

WHAT exactly are you finding frustrating? Question

I - as said - intentionally fed the tool with "unexpected"data to see how it would behave, and reported it's behaviour.
This is what I call betatesting/feedback/suggestions/ideas that an Author should be made aware of (and of course is perfectly free to ignore).

If I get it right you are whining Shocked about getting no feedback for some of your tools and you pinpoint some actual feedback given for another tool as a "frustrating" thing?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Post Posted: Fri Jan 18, 2013 10:33 pm


The tool (correctly) asks for a $MFT, I was perfectly aware that feeding it "something else" I would have probably got an error (though I prefer "aggressive" interfaces, like "You [email protected]§§, I want a §@ç#ing $MFT, the file you gave me is not a $MFT!" a "Cannot decode file" would have been preferrable to the "Variable not declared" error).


The reason is because we can have invalid records, and I wanted it to continue regardless of those. But, still it's kind of flawed, as it assumes there is exactly 1024 bytes between each record. Alternatively you could have evaluated byte for byte forward whenever an invalid record hits you (which would fix that).

New version has option to specify separator and optional surrounding quotes, plus bugfixes.

Also added this code to satisfy most people:

Code:
If @Username = "jaclaz" And $input <> $ValidMFT Then
	MsgBox(0,"Hey!", You dumb ass fool! what on earth are you trying? Read documentation next time. Bye.
	Exit
EndIf

(that was a joke)
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Post Posted: Sat Jan 19, 2013 11:14 am

- joakims


Also added this code to satisfy most people:

Code:
If @Username = "jaclaz" And $input <> $ValidMFT Then
	MsgBox(0,"Hey!", You dumb ass fool! what on earth are you trying? Read documentation next time. Bye.
	Exit
EndIf


Nice Very Happy .

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Post Posted: Thu Feb 21, 2013 11:01 pm

Added support for extraction and handling of $MFT records in memory dumps, as well as partial $MFT's.
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Post Posted: Wed Dec 18, 2013 1:57 pm

I have been trying to get in touch for the longest time. I desperately need the offsets for the MFT data fields. I know you have them but have them in your computer language which I do not know/have. BTW do you have the for VB? My email addy is rmctwo at gmail dot com. Thank you so much.

Renee Culver  

Reneec
Newbie
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Post Posted: Wed Dec 18, 2013 2:08 pm

I am sorry you did not reach me, but you must have hit the wrong channel then. I normally answer serious requests, when I get them. Will send you an e-mail.
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Post Posted: Sun Feb 23, 2014 7:52 pm

Projects moved to github; github.com/jschicht
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member
 
 

Page 9 of 10
Go to page Previous  1, 2, 3, 4, 5, 6, 7, 8, 9, 10  Next