could you give me an example of the code you use then?
Sure.
Go here http//
Download the tln_tools zipped archive, and take a look at bodyfile.pl. I use this script to take the output of fls.exe (from the TSK tools) and modify it into a format that I find more useful.
HTH
If you are still hungry for a directory listing tool , I would recommend that you try DirList which is on Michal Mutl's site. It is the very least entry on his downloads page. When you start DirList it may appear that the application has hung, but it is actually enumerating the drives.
http//
Some time ago I wrote a filesystem timestamp2csv (for Windows only). If you are interested I can brush dust off it and provide a link. The filename is in full path and all 4 timestamps are given in decimal as well as converted to a readable format. File size is currently not included but can be added without much effort. Actually I thought about adding MD5/SHA1 too. What else could be added and/or changed? The current csv header looks like this;
#
# Dump of filesystem timestamps
#
# 21.07.2011 110245
#
# Search path C\
# Search filter *.*
# Number of files processed 1256
# Drive mountpoint C\
# Filesystem NTFS
# Volume label
# Drive serial 0000000000
# Drive type Fixed
# Drive total capacity 159718486016 bytes
# Drive total capacity 152319.42 MB
# Drive free space 140389539840 bytes
# Drive free space 133885.9 MB
# Drive used space 19328946176 bytes
# Drive used space 18433.52 MB
#
FileName,"Modified (M) Dec","Modified (M)","Accessed (A) Dec","Accessed (A)","Created (C) Dec","Created (C)","MFTchange (E) Dec","MFTchange (E)","Attributes","Error"
Thanks for the responses guys I think the dirlist program file output is in a nice format for reports. My reports go to upper-management types and I need to keep from glazing their eyes over while presenting accurate information. I have also downloaded the tln_tools and will give that a look when I have more time to play around with new tools. Right now I'm kind of under the gun to wrap up my current investigation.
Thanks again guys. I don't post much but this forum has helped me tremendously throughout the years.
Some time ago I wrote a filesystem timestamp2csv (for Windows only). If you are interested I can brush dust off it and provide a link. The filename is in full path and all 4 timestamps are given in decimal as well as converted to a readable format. File size is currently not included but can be added without much effort. Actually I thought about adding MD5/SHA1 too. What else could be added and/or changed? The current csv header looks like this;
That would be nice. )
Maybe adding short filename ?
Any issue with (intentionally) malformed directory names? (or with dir /x)
Like
http//
http//
jaclaz
Short file names can easily be added too. Not sure how it will behave on malformed directories, as it is based on winapi and implemented in autoit (but will check). And because of that, it will be slower than if implemented in a non-interpreted language. The way it currently works is to first generate an array with a filelisting and then loop process it. When looping through it, extra stuff can be added but at the cost of its speed (which is already a problem if you are to dump a large partition). I tested on a large 150 GB system partition including all programs and docs etc, and it took about 1 hour to finish the csv..
Because of this, it is very likely that I will write my own specialized MFT parser (mft2csv) in the near future.
Because of this, it is very likely that I will write my own specialized MFT parser (mft2csv) in the near future.
But that would be NTFS only….
This one (not actually a disk parser, but very much related) is Open Source
http//locate32.net/
(maybe you can re-use part of the code).
One of the most handy (and fast) utilities I ever found is this thingy here
http//
but it is not Open Source, maybe you can contact the Author and revive the project (and add the MFT2csv feature).
jaclaz
But that would be NTFS only….
That's because I have a special interest in NTFS.. Thanks for the links..
I don't know if my CnW Recovery produces what you require. The free demo mode will do a dummy read of a NTFS disk (or FAT etc) and produce a log that can be exported as a .csv file. This includes details on all files with
Full name
File name (not the path)
Size
Attributes
All dates - create, modify, access,
Start sector
Fragment runs (upto 80 fragments)
Signature and extension
Is this what you require? The sizes etc can be in hex or decimal
If you drop me a PM, I wll happy send you a short sample