mft2csv - NTFS systemfile extracter and $MFT decoder

joakims
(@joakims)
Estimable Member
Joined: 15 years ago
Posts: 224
Topic starter  

@jaclaz
Your suggestions are taken note of. As already mentioned, the tool mft2csv is up for a rewrite, and its scope for use may expand as functionality is added. The functionality is not at all settled, so suggestions are still (and always will be) welcome. Your suggestions make sense.

Ability to more easily stop/abort the operation is wanted functionality I agree on.

Auto stop of the program if the file most likely is not an $MFT also makes sense. But the exact conditions under which to conclude with an invalid $MFT may or may not be easy. Checking for the presence of "FILE" in the first four bytes is the simplest.

Choice of timestamp format is something I have already thought of, and will be added. Examples of other wanted formats may help.

Ability to open disk-like image files is also noted. Also, running against mounted volumes is a feature on my list.

Decode of the $SECURITY_DESCRIPTOR is also noted.


TuckerHST
(@tuckerhst)
Estimable Member
Joined: 16 years ago
Posts: 175
 

I frequently convert date/time strings into Excel values, which seems to have a limit of milliseconds.

I converted this "2010-04-26 03:26:59:3640406" to this "2010-04-26 03:26:59.3640406" (changed last 2 colons) and pasted it into Excel 2007.

When the format is tweaked, the date can be displayed as follows: 2010-04-26 03:26.364, but with no more precision than milliseconds. From my limited testing, I believe XL rounds at milliseconds and discards additional precision. So "2010-04-26 03:26:59.3645" is equivalent to 2010-04-26 03:26:59.365.

Software functionality is a moving target, so I can't really say if the same behavior exists in 2010, 2013, or Google Docs Spreadsheet, but there it is for XL 2007 at least.

FYI.


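To make the precision question above concrete, here is an added example (editor's code, not mft2csv's own) that renders a FILETIME with all seven fractional digits, goes back from a string to a FILETIME, and emulates a millisecond-only consumer so the rounding TuckerHST observed can be reproduced. It also takes a UTC offset in minutes, the kind of adjustment the v2.0 release later in this thread lists; the function names and the offset-in-minutes parameter are this example's own choices.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: unsigned 64-bit count of 100 ns ticks since 1601-01-01 00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
TICKS_PER_MS = 10_000


def filetime_to_text(ft, utc_offset_minutes=0, fraction_digits=7):
    """Render a FILETIME as 'YYYY-MM-DD HH:MM:SS.fffffff'.

    All seven fractional digits are kept by default; fraction_digits only
    truncates, it never rounds. utc_offset_minutes shifts the value into a
    known local zone (0 keeps UTC). Ticks are handled as integers because
    datetime itself only carries microseconds.
    """
    if not 0 <= ft < 1 << 64:
        raise ValueError("FILETIME must be an unsigned 64-bit value")
    ft += utc_offset_minutes * 60 * TICKS_PER_SECOND
    whole_seconds, ticks = divmod(ft, TICKS_PER_SECOND)
    when = EPOCH_1601 + timedelta(seconds=whole_seconds)
    text = (f"{when.year:04d}-{when.month:02d}-{when.day:02d} "
            f"{when.hour:02d}:{when.minute:02d}:{when.second:02d}")
    if fraction_digits > 0:
        text += "." + f"{ticks:07d}"[:fraction_digits]
    return text


def text_to_filetime(text):
    """Inverse of filetime_to_text for UTC strings; the fraction is optional."""
    base, _, frac = text.partition(".")
    when = datetime.strptime(base, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    delta = when - EPOCH_1601
    seconds = delta.days * 86400 + delta.seconds      # exact integer arithmetic
    return seconds * TICKS_PER_SECOND + int((frac + "0000000")[:7])


def filetime_to_text_ms(ft):
    """What a millisecond-only consumer (Excel in the post above) is left with:
    round to the nearest millisecond, halves up, then show three digits."""
    rounded = (ft + TICKS_PER_MS // 2) // TICKS_PER_MS * TICKS_PER_MS
    return filetime_to_text(rounded, fraction_digits=3)


if __name__ == "__main__":
    full = "2010-04-26 03:26:59.3640406"        # the value from the post above
    ft = text_to_filetime(full)
    print(filetime_to_text(ft))                  # unchanged, seven digits kept
    print(filetime_to_text_ms(ft))               # what survives a millisecond tool
    print(filetime_to_text(ft, utc_offset_minutes=120))   # shifted to UTC+2
```

Two distinct timestamps that differ only below the millisecond come out identical from filetime_to_text_ms, which is exactly why a CSV meant for a spreadsheet should still carry the seven-digit form in a separate text column.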
 Ddan
(@ddan)
Eminent Member
Joined: 14 years ago
Posts: 42
 

Would this explain the error?

So I really cannot understand you?
Which tool are you talking about?
jaclaz

Sorry, my fault, looked at the wrong module. Doh!!!!!

Ddan


joakims
(@joakims)
Estimable Member
Joined: 15 years ago
Posts: 224
Topic starter  

Did a major update of mft2csv which should make it more attractive.

New features
-Support for raw/dd disk images (both MBR and GPT style). No need to extract $MFT.
-Support for raw/dd partition images.
-Support for running it directly on a live system without the need to extract $MFT first.
-Option to adjust timestamps for any UTC region (for instance if the timezone configuration of the system where the image is taken is known).
-Resolved file paths.
-Much more user-friendly.

http://mft2csv.googlecode.com/files/mft2csv_v2.0.0.0.zip

(thanks DDan)


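Working from a raw disk image without extracting $MFT first, as the release above describes, comes down to walking the partition table to the NTFS boot sector and reading the $MFT cluster number from it. The following is an added example of that walk (editor's code, not mft2csv's); it covers the MBR case only, assumes 512-byte sectors, and runs against a tiny constructed image rather than a real disk.

```python
import struct

SECTOR = 512  # assumption: 512-byte sectors in the image


def mbr_partitions(image):
    """Yield (type, start_lba, sector_count) for the non-empty primary MBR entries."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    for i in range(4):
        entry = image[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count:
            yield ptype, start_lba, count


def ntfs_geometry(boot):
    """Pull cluster size, $MFT start cluster and record size out of an NTFS boot sector."""
    if boot[3:11] != b"NTFS    " or boot[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector = struct.unpack_from("<H", boot, 0x0B)[0]
    spc = boot[0x0D]
    if spc > 0x80:                       # newer Windows encodes big clusters as 2**(256 - x)
        spc = 1 << (256 - spc)
    cluster = bytes_per_sector * spc
    mft_lcn = struct.unpack_from("<Q", boot, 0x30)[0]
    per_record = struct.unpack_from("<b", boot, 0x40)[0]   # signed: negative = 2**(-x) bytes
    record_size = 1 << -per_record if per_record < 0 else per_record * cluster
    return cluster, mft_lcn, record_size


def find_mft(image):
    """Return (absolute offset of $MFT record 0, record size) for the first NTFS partition."""
    for ptype, start_lba, _count in mbr_partitions(image):
        part = start_lba * SECTOR
        try:
            cluster, mft_lcn, record_size = ntfs_geometry(image[part:part + SECTOR])
        except ValueError:
            continue                     # not NTFS, try the next entry
        mft = part + mft_lcn * cluster
        # the simplest sanity check from earlier in the thread: "FILE" in the first four bytes
        if image[mft:mft + 4] != b"FILE":
            raise ValueError(f"boot sector points at 0x{mft:x}, but no FILE record there")
        return mft, record_size
    raise ValueError("no NTFS partition found")


def build_sample_image():
    """Constructed test image: MBR with one NTFS partition at LBA 1, 4 KiB clusters,
    $MFT at LCN 4, 1024-byte records. Not a real disk."""
    mbr = bytearray(SECTOR)
    mbr[446 + 4] = 0x07                               # partition type: NTFS
    struct.pack_into("<II", mbr, 446 + 8, 1, 40)      # start LBA 1, 40 sectors
    mbr[510:512] = b"\x55\xaa"
    boot = bytearray(SECTOR)
    boot[3:11] = b"NTFS    "
    struct.pack_into("<H", boot, 0x0B, 512)
    boot[0x0D] = 8                                    # 8 sectors per cluster
    struct.pack_into("<Q", boot, 0x30, 4)             # $MFT at LCN 4
    struct.pack_into("<b", boot, 0x40, -10)           # 2**10 = 1024 bytes per record
    boot[510:512] = b"\x55\xaa"
    partition = boot + bytes(4 * 4096 - SECTOR)       # pad up to LCN 4
    record0 = b"FILE" + bytes(1020)
    return bytes(mbr + partition + record0)


if __name__ == "__main__":
    offset, size = find_mft(build_sample_image())
    print(f"$MFT record 0 at offset {offset}, {size}-byte records")
```

On a live system the same arithmetic applies after opening the volume handle (\\.\C: on Windows) instead of a file, with the partition offset being zero; GPT images need the protective MBR recognised and the GPT entry array walked instead, which this example leaves out.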
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

The tool (correctly) asks for a $MFT, I was perfectly aware that feeding it "something else" I would have probably got an error (though I prefer "aggressive" interfaces…

As someone who has written tools, and provided them all for free, I find this extremely frustrating.

This past fall, I released a tool I call "Forensic Scanner". Before my employer had me move it from the Google Code site to a GitHub site, there were 956 downloads. Of these, I received less than a dozen comments. About half were, "thanks, great tool", and the other half were, "…doesn't work." Of the latter half, some digging and exchange of emails revealed that those who had made that statement had run the tool improperly, *AFTER* reading the user manual.

I cannot express how incredibly frustrating it can be to (a) dig into a subject, (b) find everything or what little there is on a topic, (c) write code to parse data structures, (d) clean up the code, (e) make it easy for others to use, (f) add a GUI to the tool, and (g) release it for free, only to have someone run the tool incorrectly.

Not long after I released RegRipper, I had people run it against PST files. I know of folks who ran it against "Registry files" that were all zeros…and for the life of them, they couldn't figure out why it didn't work…and apparently, had no idea what "hex editor" is. Some have run RegRipper against raw/dd image files.

Sorry. I just find it kind of frustrating when someone essentially says that a tool that they download for free needs to be responsible for identifying incorrect use.


joakims
(@joakims)
Estimable Member
Joined: 15 years ago
Posts: 224
Topic starter  

So I added an option to choose the output format. Currently there is

- All (default)
- log2timeline
- bodyfile

However, as I'm not familiar with log2timeline and bodyfile, I'm not sure the output is as it's supposed to be.

To me it seems the bodyfile format has very little information per row, making it less feasible for $MFT. For instance, how do you distinguish SI and FN timestamps? What about filename vs filename+path. And ADS's? In the current version I stick to SI as default, and disregard any FN.

At least for the log2timeline format there is room for more information (however unclear exactly what goes where). Unless you just accept SI timestamps and disregard any FN timestamps, you will get number of rows per file equal to 4 + (4 * number of FileName attributes). In the current version I dump SI, FN1 and FN2.

Would be nice if someone would comment on the output format.


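On the bodyfile half of the question above: the usual way to keep $STANDARD_INFORMATION and $FILE_NAME apart in that format is one row per timestamp set, with the $FN rows carrying a "($FILE_NAME)" suffix on the name, which is the convention The Sleuth Kit's fls uses for NTFS. The following added example (editor's code, not mft2csv's) walks the resident attributes of a single record, pulls the four timestamps from $SI and from every $FN, and emits bodyfile rows in the TSK 3.x column order. The record it runs on is constructed inline and is assumed to have its fixups already applied; the inode and path are caller-supplied.

```python
import struct

FILETIME_UNIX_EPOCH = 116_444_736_000_000_000   # 1970-01-01 as a FILETIME
TIMES = ("crtime", "mtime", "ctime", "atime")   # on-disk order in both $SI and $FN


def filetime_to_unix(ft):
    """bodyfile carries whole Unix seconds, so the 100 ns precision is dropped here."""
    return max(0, (ft - FILETIME_UNIX_EPOCH) // 10_000_000)


def parse_record(rec):
    """Walk the resident attributes of one FILE record (fixups already applied).

    Returns (in_use, is_dir, si, fns):
      si  = {crtime, mtime, ctime, atime} from $STANDARD_INFORMATION (0x10), or None
      fns = [(name, namespace, real_size, {times}), ...], one per $FILE_NAME (0x30)
    """
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    pos = struct.unpack_from("<H", rec, 0x14)[0]          # first attribute offset
    flags = struct.unpack_from("<H", rec, 0x16)[0]        # bit 0 in use, bit 1 directory
    si, fns = None, []
    while pos + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen < 16:               # end marker or garbage
            break
        if rec[pos + 8] == 0:                              # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            body = rec[pos + coff: pos + coff + clen]
            if atype == 0x10 and clen >= 32:
                si = dict(zip(TIMES, struct.unpack_from("<4Q", body, 0)))
            elif atype == 0x30 and clen >= 0x42:
                times = dict(zip(TIMES, struct.unpack_from("<4Q", body, 8)))
                real_size = struct.unpack_from("<Q", body, 0x30)[0]
                nlen, namespace = body[0x40], body[0x41]
                name = body[0x42: 0x42 + 2 * nlen].decode("utf-16-le", "replace")
                fns.append((name, namespace, real_size, times))
        pos += alen
    return bool(flags & 1), bool(flags & 2), si, fns


def bodyfile_rows(rec, inode, parent_path=""):
    """One bodyfile row per timestamp set: $SI under the plain name, each $FN
    under 'name ($FILE_NAME)'. Columns: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime."""
    in_use, is_dir, si, fns = parse_record(rec)
    mode = "d/drwxrwxrwx" if is_dir else "r/rrwxrwxrwx"
    long_names = [f for f in fns if f[1] != 2]             # prefer non-DOS (8.3) names
    primary = (long_names or fns or [("", 0, 0, None)])[0]
    name = parent_path + (primary[0] or f"<unnamed #{inode}>")
    if not in_use:
        name += " (deleted)"
    size = primary[2]

    def row(label, t):
        return "|".join(["0", label, str(inode), mode, "0", "0", str(size),
                         *(str(filetime_to_unix(t[k])) for k in ("atime", "mtime", "ctime", "crtime"))])

    rows = []
    if si:
        rows.append(row(name, si))
    for fname, _ns, _sz, times in fns:
        rows.append(row(parent_path + fname + " ($FILE_NAME)", times))
    return rows


def build_sample_record():
    """Constructed 1024-byte FILE record: $SI plus a Win32 and a DOS $FN.
    No update sequence array, because this stands for an already fixed-up record."""
    T0 = FILETIME_UNIX_EPOCH + 1_300_000_000 * 10_000_000  # 2011-03-13 07:06:40 UTC
    rec = bytearray(1024)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x14, 0x38, 1)           # first attribute at 0x38, in use
    pos = 0x38

    def add(atype, body):
        nonlocal pos
        alen = (0x18 + len(body) + 7) & ~7                 # resident header is 0x18 bytes
        struct.pack_into("<IIBBHHHIHBB", rec, pos,
                         atype, alen, 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0)
        rec[pos + 0x18: pos + 0x18 + len(body)] = body
        pos += alen

    second = 10_000_000
    add(0x10, struct.pack("<4Q", T0, T0 + 600 * second, T0 + 601 * second, T0 + 602 * second)
        + bytes(16))
    for fname, ns in (("report.docx", 1), ("REPORT~1.DOC", 2)):
        add(0x30, struct.pack("<Q4QQQIIBB", 5, T0, T0, T0, T0, 4096, 2048, 0x20, 0, len(fname), ns)
            + fname.encode("utf-16-le"))
    struct.pack_into("<I", rec, pos, 0xFFFFFFFF)           # end-of-attributes marker
    return bytes(rec)


if __name__ == "__main__":
    for line in bodyfile_rows(build_sample_record(), inode=40, parent_path="/Users/bob/"):
        print(line)
```

The example skips non-resident attributes and $ATTRIBUTE_LIST, so a record whose $FN attributes live in an extension record would show only what is in the base record; an ADS has no timestamps of its own in $MFT, so in this format it can only appear as an extra name row.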
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

The tool (correctly) asks for a $MFT, I was perfectly aware that feeding it "something else" I would have probably got an error (though I prefer "aggressive" interfaces…

As someone who as written tools, and provided them all for free, I find this extremely frustrating.

WHAT exactly are you finding frustrating?

I - as said - intentionally fed the tool with "unexpected" data to see how it would behave, and reported its behaviour.
This is what I call betatesting/feedback/suggestions/ideas that an Author should be made aware of (and of course is perfectly free to ignore).

If I get it right you are whining 😯 about getting no feedback for some of your tools and you pinpoint some actual feedback given for another tool as a "frustrating" thing?

jaclaz


joakims
(@joakims)
Estimable Member
Joined: 15 years ago
Posts: 224
Topic starter  

The tool (correctly) asks for a $MFT, I was perfectly aware that feeding it "something else" I would have probably got an error (though I prefer "aggressive" interfaces, like "You dumb@§§, I want a §@ç#ing $MFT, the file you gave me is not a $MFT!" a "Cannot decode file" would have been preferrable to the "Variable not declared" error).

The reason is because we can have invalid records, and I wanted it to continue regardless of those. But, still it's kind of flawed, as it assumes there is exactly 1024 bytes between each record. Alternatively you could have evaluated byte for byte forward whenever an invalid record hits you (which would fix that).

New version has option to specify separator and optional surrounding quotes, plus bugfixes.

Also added this code to satisfy most people


If @UserName = "jaclaz" And $input <> $ValidMFT Then
    MsgBox(0, "Hey!", "You dumb a*s fool! What on earth are you trying? Read documentation next time. Bye.")
    Exit
EndIf

(that was a joke)

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Also added this code to satisfy most people


If @UserName = "jaclaz" And $input <> $ValidMFT Then
    MsgBox(0, "Hey!", "You dumb a*s fool! What on earth are you trying? Read documentation next time. Bye.")
    Exit
EndIf

Nice :D

jaclaz


joakims
(@joakims)
Estimable Member
Joined: 15 years ago
Posts: 224
Topic starter  

Added support for extraction and handling of $MFT records in memory dumps, as well as partial $MFT's.


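Three points in this thread converge on the same piece of code: joakims' "is this really an $MFT" check (the FILE signature in the first four bytes), the observation that assuming exactly 1024 bytes between records breaks on bad input, with jaclaz's byte-by-byte resync as the fix, and the carving of records out of memory dumps and partial $MFTs announced above. This added example (editor's code, not mft2csv's) does all three: it validates a candidate record by signature, size fields and a verifying update sequence array, undoes the fixups, and scans an arbitrary buffer with a configurable step after a miss. It assumes 512-byte sectors (so a 1024-byte record has two fixup slots) and runs on a constructed buffer laid out like a fragment of a memory dump.

```python
import struct

SECTOR = 512       # assumption: 512-byte sectors, so a 1024-byte record has 2 fixup slots


def apply_fixups(rec):
    """Verify the update sequence array of one FILE record and undo the fixups.
    Returns the repaired bytes, or None when any sector tail does not carry the
    update sequence number (torn write, overwritten page, or simply not a record)."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    if usa_count < 2 or usa_off + 2 * usa_count > len(rec):    # count includes the USN itself
        return None
    usn = rec[usa_off: usa_off + 2]
    out = bytearray(rec)
    for i in range(1, usa_count):
        end = SECTOR * i
        if end > len(rec) or out[end - 2: end] != usn:
            return None
        out[end - 2: end] = rec[usa_off + 2 * i: usa_off + 2 * i + 2]   # restore saved bytes
    return bytes(out)


def validate_record(chunk, record_size=1024):
    """The 'is this really an $MFT record' test: FILE/BAAD signature, sane size
    fields, and a USA that verifies. Returns the fixed-up record or None."""
    if len(chunk) < record_size or chunk[:4] not in (b"FILE", b"BAAD"):
        return None
    used, allocated = struct.unpack_from("<II", chunk, 0x18)
    if allocated != record_size or used > allocated:
        return None
    return apply_fixups(chunk[:record_size])


def carve_records(buf, record_size=1024, step=1):
    """Find records anywhere in buf. After a hit we skip a whole record; after a
    miss we advance `step` bytes (1 = byte-by-byte resync, 512 = sector-aligned)
    instead of assuming the next record sits exactly record_size bytes on.
    Returns [(offset, record_number, fixed_record), ...]."""
    pos, found = 0, []
    while pos + record_size <= len(buf):
        fixed = validate_record(buf[pos: pos + record_size], record_size)
        if fixed is None:
            pos += step
            continue
        recno = struct.unpack_from("<I", fixed, 0x2C)[0]
        found.append((pos, recno, fixed))
        pos += record_size
    return found


def build_record(recno):
    """Constructed 1024-byte FILE record with a real update sequence array.
    The bytes AA BB / CC DD saved in the USA are what the fixups must restore."""
    rec = bytearray(1024)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)          # USA at 0x30: USN + 2 entries
    struct.pack_into("<II", rec, 0x18, 0x40, 1024)    # used / allocated size
    struct.pack_into("<I", rec, 0x2C, recno)
    usn = b"\x07\x00"
    rec[0x30:0x32] = usn
    for slot, end, original in ((0x32, 512, b"\xaa\xbb"), (0x34, 1024, b"\xcc\xdd")):
        rec[slot: slot + 2] = original                # saved original bytes
        rec[end - 2: end] = usn                       # on-disk sector tail carries the USN
    return bytes(rec)


def build_sample_dump():
    """Constructed buffer shaped like a memory dump: junk, a record, a zeroed
    page, 17 stray bytes that break 1024 alignment, another record, then a
    record cut off after 600 bytes."""
    return (b"\xff" * 300 + build_record(5) + bytes(1024) + b"\x11" * 17
            + build_record(6) + build_record(7)[:600])


if __name__ == "__main__":
    dump = build_sample_dump()
    for offset, recno, _rec in carve_records(dump):
        print(f"record {recno} at offset {offset}")
    print("fixed 1024-byte stride finds:", len(carve_records(dump, step=1024)))
```

With step=1 both intact records are found even though neither sits on a 1024-byte boundary, the truncated one is correctly rejected, and a record whose second sector was overwritten fails the USA check rather than being decoded with garbage at the end. The same validate_record is the natural place to raise a "cannot decode file" error when the very first chunk of an input fails it, instead of letting an undefined-variable error surface later.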