File Information

  • Submitted: Jun 27 2012 09:24 PM
  • Last Updated: Oct 06 2014 07:28 PM
  • File Size: 3.6MB
  • Views: 13809
  • Downloads: 10099
  • Approved by: Nuno Brito
  • Approved on: 27 June 2012 - 09:33 PM

Previous Versions

  • 18 Jan 2013 Download NTFS Tools collection v1

NTFS Tools collection v5

Here is my NTFS tools collection that I've worked on from time to time. It has been hosted at https://github.com/jschicht and http://code.google.com/p/mft2csv/ for about a year, but I would like to share it here as well, since I'm quite satisfied with them now after the last updates. They are open source, written in AutoIt, and easy to modify or customize. Let me give a short description of each of them:

NTFS File Extracter
As the name implies, this is a utility to extract files from NTFS volumes. It decodes $MFT and resolves where the data is located on disk before ripping it out. It reads directly from the physical disk, so it bypasses filesystem access controls and sharing locks (which also means it needs administrator rights to open the raw device). There are 4 different modes of extraction:
  • Extract $MFT only.
  • Extract all NTFS system files.
  • Select a file from the volume by browsing to it.
  • Type in the record number (IndexNumber) to extract.
It supports extraction of almost any file, as long as it has a $DATA attribute: regular files, fragmented files, compressed or sparse files, resident files, ADSs, etc.

MFT2CSV
Again, as the name implies, it decodes $MFT and dumps the information to a CSV. The amount of data is quite substantial, so check it out. You will need an $MFT as input for this tool; use the NTFS File Extracter above to get it. Then import the finished CSV into Excel or similar spreadsheet software, and you will get a comprehensive report for investigating what is in your Master File Table.

MFTRCRD
This tool falls in between the above two. It reads your $MFT from the physical disk and decodes the records of individual files. This is very handy, because you quickly get a record decode for a specific file without extracting and decoding the complete $MFT, which may take some time depending on its size. MFTRCRD actually goes further than mft2csv and produces far more information about individual files, so mft2csv is up for an update soon. It is a command line tool and prints its output to the console. It accepts either a filename with path or an $MFT record number (IndexNumber). One switch (param3) is for optimizing decode speed when $ATTRIBUTE_LIST is present. An $ATTRIBUTE_LIST only exists when a file's attributes no longer fit in its base record and have been spread over extension records (heavily fragmented files, or files with several alternate data streams, as in the sample output below). For most files set param3 to attriblist=off, which produces faster output; only set attriblist=on when an $ATTRIBUTE_LIST attribute is present. Another switch (param4) chooses whether to hexdump the INDX records resolved from the $INDEX_ALLOCATION attribute.

Attributes currently handled:
  • $STANDARD_INFORMATION
  • $ATTRIBUTE_LIST
  • $FILE_NAME
  • $OBJECT_ID
  • $SECURITY_DESCRIPTOR (just raw hex dump)
  • $VOLUME_NAME
  • $VOLUME_INFORMATION
  • $DATA
  • $INDEX_ROOT
  • $INDEX_ALLOCATION
  • $BITMAP (just raw hex dump)
  • $REPARSE_POINT
  • $EA_INFORMATION
  • $EA
  • $LOGGED_UTILITY_STREAM
Detailed data run information for $DATA can be retrieved with version 1.0.0.6 (see the sample output further down).
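Before any of the attributes listed above can be trusted, a decoder has to check the FILE signature, undo the update sequence fixups and walk the attribute headers; that is the "Record header info" part of the MFTRCRD output further down. The following is an added Python example for this post, not code from the NTFS tools collection. build_record() constructs a synthetic 1024-byte record (test data, not bytes from a real volume) with the fixups applied the way NTFS writes them, and parse_record() verifies and undoes them before walking the attributes. In the sample dump below the USN is 0900 and both sector ends (offsets 0x1fe and 0x3fe) read 09 00, while the original words 00 00 and 47 11 sit in the update sequence array at 0x32; a mismatch at a sector end means a torn write, and such a record must not be trusted.

```python
"""Decode one NTFS FILE record: signature, fixups, attribute walk.

Added example for this post, not code from the NTFS tools collection.
build_record() constructs a synthetic 1024-byte record (test data) so the
parser can run offline; on a live volume the same bytes come from $MFT at
IndexNumber * 1024, read from the physical disk.
"""
import struct

SECTOR = 512
RECORD_SIZE = 1024
CTIME = 0x01CD524DD27D95B9   # FILETIME from the sample dump: 2012-06-24 21:10:46


def _resident_attr(atype, body, attr_id):
    """Resident attribute: 24-byte header + value, length rounded up to 8."""
    length = (24 + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, attr_id,
                      len(body), 24, 0, 0)
    return hdr + body + b"\0" * (length - 24 - len(body))


def build_record(record_no, filename, data, usn=0x0009, seq=35):
    """Constructed FILE record with $STANDARD_INFORMATION, $FILE_NAME and an
    unnamed resident $DATA, fixed up the way NTFS writes it to disk."""
    si = struct.pack("<4Q6I2Q", CTIME, CTIME, CTIME, CTIME,
                     0x20, 0, 0, 0, 0, 952, 0, 0)          # archive flag, Security ID 952
    name = filename.encode("utf-16-le")
    fn = struct.pack("<5QQQIIBB", 5 | (5 << 48), CTIME, CTIME, CTIME, CTIME,
                     0, 0, 0x20, 0, len(filename), 3) + name  # parent = root (5), DOS+WIN32
    body = (_resident_attr(0x10, si, 0) + _resident_attr(0x30, fn, 1)
            + _resident_attr(0x80, data, 2) + b"\xff\xff\xff\xff")
    first_attr = 0x38                 # 48-byte header + 8 bytes reserved for the USA
    real_size = first_attr + len(body)
    if real_size > RECORD_SIZE - 8:
        raise ValueError("attributes do not fit in one record (needs $ATTRIBUTE_LIST)")
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0x2F77ACC9E, seq, 1,
                      first_attr, 1, real_size, RECORD_SIZE, 0, 3, 0, record_no)
    rec = bytearray(hdr + b"\0" * 8 + body)
    rec += b"\0" * (RECORD_SIZE - len(rec))
    # Fixups: the USN goes first in the update sequence array; the last word of
    # every 512-byte sector is saved into the array and overwritten with the USN.
    struct.pack_into("<H", rec, 0x30, usn)
    for i in range(1, 3):
        end = i * SECTOR
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end - 2:end]
        struct.pack_into("<H", rec, end - 2, usn)
    return bytes(rec)


def parse_record(raw):
    """Verify the signature, undo the fixups, then walk the attribute headers."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record (BAAD or never used)")
    usa_off, usa_cnt = struct.unpack_from("<HH", raw, 4)
    usn = raw[usa_off:usa_off + 2]
    buf = bytearray(raw)
    for i in range(1, usa_cnt):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError("update sequence mismatch in sector %d (torn write?)" % (i - 1))
        buf[end - 2:end] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    seq, links, first_attr, flags, real, alloc = struct.unpack_from("<HHHHII", buf, 0x10)
    info = {"record_no": struct.unpack_from("<I", buf, 0x2C)[0], "seq": seq,
            "links": links, "flags": flags, "real_size": real, "alloc_size": alloc,
            "attrs": []}
    pos = first_attr
    while pos + 8 <= real:
        atype, alen = struct.unpack_from("<II", buf, pos)
        if atype == 0xFFFFFFFF:               # end-of-attributes marker
            break
        if alen < 16 or pos + alen > real:
            raise ValueError("bad attribute length at offset %d" % pos)
        nonres, nlen, noff = struct.unpack_from("<BBH", buf, pos + 8)
        name = bytes(buf[pos + noff:pos + noff + 2 * nlen]).decode("utf-16-le")
        value = None                           # non-resident: runs live at the run-list offset
        if nonres == 0:
            vlen, voff = struct.unpack_from("<IH", buf, pos + 0x10)
            value = bytes(buf[pos + voff:pos + voff + vlen])
        info["attrs"].append((atype, name, value))
        pos += alen
    return info


def file_name(info):
    """Decode $FILE_NAME (type 0x30): parent reference, namespace and name."""
    for atype, _, value in info["attrs"]:
        if atype == 0x30 and value:
            parent_ref = struct.unpack_from("<Q", value)[0]
            nlen, namespace = value[64], value[65]
            return {"parent": parent_ref & 0xFFFFFFFFFFFF, "parent_seq": parent_ref >> 48,
                    "namespace": namespace,
                    "name": value[66:66 + 2 * nlen].decode("utf-16-le")}
    return None


def resident_data(info, stream=""):
    """Value of the resident $DATA attribute with the given stream name ("" = default)."""
    for atype, name, value in info["attrs"]:
        if atype == 0x80 and name == stream:
            return value
    return None
```

The record built here keeps everything in the base record; a file like the ADS example further down, whose attributes overflow into extension records, would additionally need the $ATTRIBUTE_LIST walked and those records fetched and fixed up in the same way.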


Usage: "MFTRCRD param1 param2 param3 param4"

param1 can be a valid file path or an IndexNumber ($MFT record number)
param2 can be -d or -a:
  • -d means just decode the $MFT entry
  • -a same as -d but also dumps the whole $MFT entry to console
param3 is for optimizing speed of processing and can be either attriblist=on or attriblist=off. attriblist=off is faster; attriblist=on is needed when an $ATTRIBUTE_LIST is present.

param4 specifies whether to hexdump complete INDX records and can be either indxdump=on or indxdump=off. Beware that indxdump=on may generate a significant amount of console output for certain directories.

Example for dumping an $MFT decode for boot.ini:

MFTRCRD C:\boot.ini -d attriblist=off indxdump=off

Example for dumping an $MFT decode + a 1024 byte $MFT record dump for $MFT itself (record 0) from the C: drive:

MFTRCRD C:0 -a attriblist=off indxdump=off

Example for dumping an $MFT decode for $LogFile (record 2) from the D: drive:

MFTRCRD D:2 -d attriblist=off indxdump=off

Example for dumping a speed optimized $MFT decode for an extremely fragmented file with $ATTRIBUTE_LIST present:

MFTRCRD C:\ExtremelyFragmented.bin -d attriblist=on indxdump=off

Example for dumping an $MFT record decode + hexdump of its resolved INDX records for the root directory on C: (record 5), equivalent to the 'folder' named C:\

MFTRCRD C:5 -d attriblist=off indxdump=on

Running the tool without any parameter will display help information.

Here's a sample console dump of a file:

Starting MFTRCRD by Joakim Schicht

Version 1.0.0.6

Target is a File

Filesystem on C:\ is NTFS

NtQueryInformationFile: Success

File IndexNumber: 320361

NtQueryInformationFile: Success

BytesPerSector: 512

SectorsPerCluster: 8

TotalSectors: 248444927

HiddenSectors: 1622016

SectorsPerTrack: 63

NumberOfHeads: 255

Searching through $MFT...

Dump of $MFT record

0000	46 49 4c 45 30 00 03 00  9e cc 7a f7 02 00 00 00   FILE0.....z.....

0010	23 00 01 00 38 00 01 00  e8 03 00 00 00 04 00 00   #...8...........

0020	00 00 00 00 00 00 00 00  0b 00 00 00 69 e3 04 00   ............i...

0030	09 00 00 00 47 11 00 00  10 00 00 00 60 00 00 00   ....G.......`...

0040	00 00 00 00 00 00 00 00  48 00 00 00 18 00 00 00   ........H.......

0050	b9 95 7d d2 4d 52 cd 01  16 4b e2 16 51 52 cd 01   ..}.MR...K..QR..

0060	16 4b e2 16 51 52 cd 01  b9 95 7d d2 4d 52 cd 01   .K..QR....}.MR..

0070	20 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00	...............

0080	00 00 00 00 b8 03 00 00  00 00 00 00 00 00 00 00   ................

0090	d0 c4 de b3 00 00 00 00  20 00 00 00 90 01 00 00   ........ .......

00a0	00 00 00 00 00 00 08 00  78 01 00 00 18 00 00 00   ........x.......

00b0	10 00 00 00 20 00 00 1a  00 00 00 00 00 00 00 00   .... ...........

00c0	69 e3 04 00 00 00 23 00  00 00 00 00 02 80 14 00   i.....#.........

00d0	30 00 00 00 20 00 00 1a  00 00 00 00 00 00 00 00   0... ...........

00e0	69 e3 04 00 00 00 23 00  04 00 08 80 fd 01 02 00   i.....#.........

00f0	40 00 00 00 20 00 00 1a  00 00 00 00 00 00 00 00   @... ...........

0100	69 e3 04 00 00 00 23 00  05 00 17 0d a0 f8 ff ff   i.....#.........

0110	80 00 00 00 20 00 00 1a  00 00 00 00 00 00 00 00   .... ...........

0120	69 e3 04 00 00 00 23 00  01 00 96 10 a0 f8 ff ff   i.....#.........

0130	80 00 00 00 30 00 0b 1a  00 00 00 00 00 00 00 00   ....0...........

0140	64 d7 04 00 00 00 28 00  00 00 41 00 44 00 53 00   d.....(...A.D.S.

0150	54 00 65 00 73 00 74 00  2e 00 65 00 78 00 65 00   T.e.s.t...e.x.e.

0160	80 00 00 00 30 00 0b 1a  f0 0d 00 00 00 00 00 00   ....0...........

0170	6c e4 04 00 00 00 0b 00  00 00 41 00 44 00 53 00   l.........A.D.S.

0180	54 00 65 00 73 00 74 00  2e 00 65 00 78 00 65 00   T.e.s.t...e.x.e.

0190	80 00 00 00 30 00 0b 1a  24 2c 00 00 00 00 00 00   ....0...$,......

01a0	6d e4 04 00 00 00 06 00  00 00 41 00 44 00 53 00   m.........A.D.S.

01b0	54 00 65 00 73 00 74 00  2e 00 65 00 78 00 65 00   T.e.s.t...e.x.e.

01c0	80 00 00 00 30 00 0b 1a  e1 5f 00 00 00 00 00 00   ....0...._......

01d0	6e e4 04 00 00 00 06 00  00 00 41 00 44 00 53 00   n.........A.D.S.

01e0	54 00 65 00 73 00 74 00  2e 00 65 00 78 00 65 00   T.e.s.t...e.x.e.

01f0	80 00 00 00 38 00 0c 1a  00 00 00 00 00 00 09 00   ....8...........

0200	69 e3 04 00 00 00 23 00  0a 00 41 00 44 00 53 00   i.....#...A.D.S.

0210	54 00 65 00 73 00 74 00  32 00 2e 00 65 00 78 00   T.e.s.t.2...e.x.

0220	65 00 00 00 00 00 00 00  30 00 00 00 70 00 00 00   e.......0...p...

0230	00 00 00 00 00 00 04 00  54 00 00 00 18 00 01 00   ........T.......

0240	98 2e 01 00 00 00 01 00  b9 95 7d d2 4d 52 cd 01   ..........}.MR..

0250	b9 95 7d d2 4d 52 cd 01  b9 95 7d d2 4d 52 cd 01   ..}.MR....}.MR..

0260	b9 95 7d d2 4d 52 cd 01  00 00 00 00 00 00 00 00   ..}.MR..........

0270	00 00 00 00 00 00 00 00  20 00 00 00 00 00 00 00   ........ .......

0280	09 03 4e 00 6f 00 41 00  44 00 53 00 2e 00 74 00   ..N.o.A.D.S...t.

0290	78 00 74 00 54 00 58 00  40 00 00 00 28 00 00 00   x.t.T.X.@...(...

02a0	00 00 00 00 00 00 05 00  10 00 00 00 18 00 00 00   ................

02b0	59 56 e9 13 80 bc e1 11  8f b6 38 59 f9 d7 1d 3a   YV........8Y...:

02c0	80 00 00 00 48 00 00 00  00 00 18 00 00 00 01 00   ....H...........

02d0	2a 00 00 00 18 00 00 00  54 68 69 73 20 66 69 6c   *.......This fil

02e0	65 20 73 68 6f 75 6c 64  20 62 65 20 72 65 73 69   e should be resi

02f0	64 65 6e 74 2e 20 41 44  53 20 54 65 73 74 69 6e   dent. ADS Testin

0300	67 2e 54 00 65 00 78 00  80 00 00 00 d8 00 00 00   g.T.e.x.........

0310	01 0c 40 00 00 00 0a 00  00 00 00 00 00 00 00 00   ..@.............

0320	3c 04 00 00 00 00 00 00  58 00 00 00 00 00 00 00   <.......X.......

0330	00 d0 43 00 00 00 00 00  fb c5 43 00 00 00 00 00   ..C.......C.....

0340	fb c5 43 00 00 00 00 00  41 00 44 00 53 00 54 00   ..C.....A.D.S.T.

0350	65 00 73 00 74 00 32 00  2e 00 65 00 78 00 65 00   e.s.t.2...e.x.e.

0360	31 01 94 7d 64 31 01 51  13 15 21 02 0b ef 31 04   1..}d1.Q..!...1.

0370	b8 a2 f5 21 08 b9 fb 31  12 0d fe 37 41 15 0a 9a   ...!...1...7A...

0380	6d ff 41 09 14 50 e0 00  31 17 d9 80 2a 41 18 6b   m.A..P..1...*A.k

0390	0f f9 fe 31 01 13 1a 61  31 18 39 fc 11 31 08 68   ...1...a1.9..1.h

03a0	00 22 31 18 f8 d6 43 31  08 a5 41 fe 31 19 d8 52   ."1...C1..A.1..R

03b0	a6 21 07 25 2f 41 1a 16  2f 86 00 31 06 e2 ec d7   .!.%/A../..1....

03c0	31 4e 90 13 28 31 02 8e  9f fe 31 58 7c 75 83 31   1N..(1....1X|u.1

03d0	08 30 2f 0f 32 9d 02 24  b2 6e 00 06 00 00 00 00   .0/.2..$.n......

03e0	ff ff ff ff 82 79 47 11  18 31 21 81 ac a6 31 1f   .....yG..1!...1.

03f0	09 92 1c 00 80 fa ff ff  ff ff ff ff 82 79 09 00   .............y..



Dump of $STANDARD_INFORMATION (1)

0000	10 00 00 00 60 00 00 00  00 00 00 00 00 00 00 00   ....`...........

0010	48 00 00 00 18 00 00 00  b9 95 7d d2 4d 52 cd 01   H.........}.MR..

0020	16 4b e2 16 51 52 cd 01  16 4b e2 16 51 52 cd 01   .K..QR...K..QR..

0030	b9 95 7d d2 4d 52 cd 01  20 00 00 00 00 00 00 00   ..}.MR.. .......

0040	00 00 00 00 00 00 00 00  00 00 00 00 b8 03 00 00   ................

0050	00 00 00 00 00 00 00 00  d0 c4 de b3 00 00 00 00   ................



Dump of $ATTRIBUTE_LIST (1)

0000	20 00 00 00 90 01 00 00  00 00 00 00 00 00 08 00	...............

0010	78 01 00 00 18 00 00 00  10 00 00 00 20 00 00 1a   x........... ...

0020	00 00 00 00 00 00 00 00  69 e3 04 00 00 00 23 00   ........i.....#.

0030	00 00 00 00 02 80 14 00  30 00 00 00 20 00 00 1a   ........0... ...

0040	00 00 00 00 00 00 00 00  69 e3 04 00 00 00 23 00   ........i.....#.

0050	04 00 08 80 fd 01 02 00  40 00 00 00 20 00 00 1a   ........@... ...

0060	00 00 00 00 00 00 00 00  69 e3 04 00 00 00 23 00   ........i.....#.

0070	05 00 17 0d a0 f8 ff ff  80 00 00 00 20 00 00 1a   ............ ...

0080	00 00 00 00 00 00 00 00  69 e3 04 00 00 00 23 00   ........i.....#.

0090	01 00 96 10 a0 f8 ff ff  80 00 00 00 30 00 0b 1a   ............0...

00a0	00 00 00 00 00 00 00 00  64 d7 04 00 00 00 28 00   ........d.....(.

00b0	00 00 41 00 44 00 53 00  54 00 65 00 73 00 74 00   ..A.D.S.T.e.s.t.

00c0	2e 00 65 00 78 00 65 00  80 00 00 00 30 00 0b 1a   ..e.x.e.....0...

00d0	f0 0d 00 00 00 00 00 00  6c e4 04 00 00 00 0b 00   ........l.......

00e0	00 00 41 00 44 00 53 00  54 00 65 00 73 00 74 00   ..A.D.S.T.e.s.t.

00f0	2e 00 65 00 78 00 65 00  80 00 00 00 30 00 0b 1a   ..e.x.e.....0...

0100	24 2c 00 00 00 00 00 00  6d e4 04 00 00 00 06 00   $,......m.......

0110	00 00 41 00 44 00 53 00  54 00 65 00 73 00 74 00   ..A.D.S.T.e.s.t.

0120	2e 00 65 00 78 00 65 00  80 00 00 00 30 00 0b 1a   ..e.x.e.....0...

0130	e1 5f 00 00 00 00 00 00  6e e4 04 00 00 00 06 00   ._......n.......

0140	00 00 41 00 44 00 53 00  54 00 65 00 73 00 74 00   ..A.D.S.T.e.s.t.

0150	2e 00 65 00 78 00 65 00  80 00 00 00 38 00 0c 1a   ..e.x.e.....8...

0160	00 00 00 00 00 00 00 00  69 e3 04 00 00 00 23 00   ........i.....#.

0170	0a 00 41 00 44 00 53 00  54 00 65 00 73 00 74 00   ..A.D.S.T.e.s.t.

0180	32 00 2e 00 65 00 78 00  65 00 00 00 00 00 00 00   2...e.x.e.......



Dump of $FILE_NAME (1)

0000	30 00 00 00 70 00 00 00  00 00 00 00 00 00 04 00   0...p...........

0010	54 00 00 00 18 00 01 00  98 2e 01 00 00 00 01 00   T...............

0020	b9 95 7d d2 4d 52 cd 01  b9 95 7d d2 4d 52 cd 01   ..}.MR....}.MR..

0030	b9 95 7d d2 4d 52 cd 01  b9 95 7d d2 4d 52 cd 01   ..}.MR....}.MR..

0040	00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................

0050	20 00 00 00 00 00 00 00  09 03 4e 00 6f 00 41 00	.........N.o.A.

0060	44 00 53 00 2e 00 74 00  78 00 74 00 54 00 58 00   D.S...t.x.t.T.X.



Dump of $OBJECT_ID (1)

0000	40 00 00 00 28 00 00 00  00 00 00 00 00 00 05 00   @...(...........

0010	10 00 00 00 18 00 00 00  59 56 e9 13 80 bc e1 11   ........YV......

0020	8f b6 38 59 f9 d7 1d 3a							..8Y...:



Dump of $DATA (1)

0000	80 00 00 00 48 00 00 00  00 00 18 00 00 00 01 00   ....H...........

0010	2a 00 00 00 18 00 00 00  54 68 69 73 20 66 69 6c   *.......This fil

0020	65 20 73 68 6f 75 6c 64  20 62 65 20 72 65 73 69   e should be resi

0030	64 65 6e 74 2e 20 41 44  53 20 54 65 73 74 69 6e   dent. ADS Testin

0040	67 2e 54 00 65 00 78 00							g.T.e.x.



Dump of $DATA (2)

0000	80 00 00 00 d8 00 00 00  01 0c 40 00 00 00 0a 00   ..........@.....

0010	00 00 00 00 00 00 00 00  3c 04 00 00 00 00 00 00   ........<.......

0020	58 00 00 00 00 00 00 00  00 d0 43 00 00 00 00 00   X.........C.....

0030	fb c5 43 00 00 00 00 00  fb c5 43 00 00 00 00 00   ..C.......C.....

0040	41 00 44 00 53 00 54 00  65 00 73 00 74 00 32 00   A.D.S.T.e.s.t.2.

0050	2e 00 65 00 78 00 65 00  31 01 94 7d 64 31 01 51   ..e.x.e.1..}d1.Q

0060	13 15 21 02 0b ef 31 04  b8 a2 f5 21 08 b9 fb 31   ..!...1....!...1

0070	12 0d fe 37 41 15 0a 9a  6d ff 41 09 14 50 e0 00   ...7A...m.A..P..

0080	31 17 d9 80 2a 41 18 6b  0f f9 fe 31 01 13 1a 61   1...*A.k...1...a

0090	31 18 39 fc 11 31 08 68  00 22 31 18 f8 d6 43 31   1.9..1.h."1...C1

00a0	08 a5 41 fe 31 19 d8 52  a6 21 07 25 2f 41 1a 16   ..A.1..R.!.%/A..

00b0	2f 86 00 31 06 e2 ec d7  31 4e 90 13 28 31 02 8e   /..1....1N..(1..

00c0	9f fe 31 58 7c 75 83 31  08 30 2f 0f 32 9d 02 24   ..1X|u.1.0/.2..$

00d0	b2 6e 00 06 00 00 00 00							.n......



Found attributes:

$STANDARD_INFORMATION (1)

$ATTRIBUTE_LIST (1)

$FILE_NAME (1)

$OBJECT_ID (1)

$DATA (2)



Record header info:

Offst to update sequence number: 48

Update sequence array size (words): 3

$LogFile sequence number (LSN): 00000002F77ACC9E

Sequence number: 35

Hard link count: 1

Offset to first Attribute: 115

Flags: FILE

Real size of the FILE record: 1000

Allocated size of the FILE record: 1024

File reference to the base FILE record: 0000000000000000

Next Attribute Id: 000B

Number of this MFT Record: 320361

Update Sequence Number (a): 0900

Update Sequence Array (a): 00004711



$STANDARD_INFORMATION:

HEADER_Flags:

CreationTime (CTime): 2012-06-24 21:10:46:101:7529

LastWriteTime (ATime): 2012-06-24 21:34:09:337:0134

ChangeTime (MTime): 2012-06-24 21:34:09:337:0134

LastAccessTime (RTime): 2012-06-24 21:10:46:101:7529

DOS File Permissions: archive

Max Versions: 0

Version Number: 0

Class ID: 0

Owner ID: 0

Security ID: 952

USN: 00000000B3DEC4D0

$FILE_NAME 1:

ParentSequenceNo: 1

CreationTime (CTime): 2012-06-24 21:10:46:101:7529

LastWriteTime (ATime): 2012-06-24 21:10:46:101:7529

ChangeTime (MTime): 2012-06-24 21:10:46:101:7529

LastAccessTime (RTime): 2012-06-24 21:10:46:101:7529

AllocSize: 0

RealSize: 0

Flags: archive

NameLength: 9

NameType: DOS+WIN32

NameSpace: 8

FileName: NoADS.txt

ParentReferenceNo: 77464



$OBJECT_ID:

GUID Object Id: 5956E913-80BC-E111-8FB6-3859F9D71D3A

GUID Birth Volume Id: NOT PRESENT

GUID Birth Object Id: NOT PRESENT

GUID Domain Id: NOT PRESENT



$DATA 1:

Length: 72

Non-resident flag: 00

Name length: 0

Offset to the Name: 24

Flags:

Attribute Id: 0001

Resident - Length of the Attribute: 42

Resident - Offset to the Attribute: 24

Resident - Indexed flag: 0

Resident - Padding: 00

Non-Resident - Starting VCN:

Non-Resident - Last VCN:

Non-Resident - Offset to the Data Runs:

Non-Resident - Compression Unit Size:

Non-Resident - Padding:

Non-Resident - Allocated size of the attribute:

Non-Resident - Real size of the attribute:

Non-Resident - Initialized data size of the stream:

The Attribute's Name:



$DATA 2:

Length: 216

Non-resident flag: 01

Name length: 12

Offset to the Name: 64

Flags:

Attribute Id: 000A

Resident - Length of the Attribute:

Resident - Offset to the Attribute:

Resident - Indexed flag:

Resident - Padding:

Non-Resident - Starting VCN: 0

Non-Resident - Last VCN: 1084

Non-Resident - Offset to the Data Runs: 0

Non-Resident - Compression Unit Size: 0

Non-Resident - Padding: 00000000

Non-Resident - Allocated size of the attribute: 4444160

Non-Resident - Real size of the attribute: 4441595

Non-Resident - Initialized data size of the stream: 4441595

The Attribute's Name: ADSTest2.exe



$ATTRIBUTE_LIST:

Base record: 317284, Start VCN: 0, Type: 80000000, AL Record length: 48, Name: ADSTest.exe, Attrib ID: 0x0000

Base record: 320620, Start VCN: 3568, Type: 80000000, AL Record length: 48, Name: ADSTest.exe, Attrib ID: 0x0000

Base record: 320621, Start VCN: 11300, Type: 80000000, AL Record length: 48, Name: ADSTest.exe, Attrib ID: 0x0000

Base record: 320622, Start VCN: 24545, Type: 80000000, AL Record length: 48, Name: ADSTest.exe, Attrib ID: 0x0000



Isolated attribute list:

0000	10 00 00 00 20 00 00 1a  00 00 00 00 00 00 00 00   .... ...........

0010	69 e3 04 00 00 00 23 00  00 00 00 00 02 80 14 00   i.....#.........

0020	30 00 00 00 20 00 00 1a  00 00 00 00 00 00 00 00   0... ...........

0030	69 e3 04 00 00 00 23 00  04 00 08 80 fd 01 02 00   i.....#.........

0040	40 00 00 00 20 00 00 1a  00 00 00 00 00 00 00 00   @... ...........

0050	69 e3 04 00 00 00 23 00  05 00 17 0d a0 f8 ff ff   i.....#.........

0060	80 00 00 00 20 00 00 1a  00 00 00 00 00 00 00 00   .... ...........

0070	69 e3 04 00 00 00 23 00  01 00 96 10 a0 f8 ff ff   i.....#.........

0080	80 00 00 00 30 00 0b 1a  00 00 00 00 00 00 00 00   ....0...........

0090	64 d7 04 00 00 00 28 00  00 00 41 00 44 00 53 00   d.....(...A.D.S.

00a0	54 00 65 00 73 00 74 00  2e 00 65 00 78 00 65 00   T.e.s.t...e.x.e.

00b0	80 00 00 00 30 00 0b 1a  f0 0d 00 00 00 00 00 00   ....0...........

00c0	6c e4 04 00 00 00 0b 00  00 00 41 00 44 00 53 00   l.........A.D.S.

00d0	54 00 65 00 73 00 74 00  2e 00 65 00 78 00 65 00   T.e.s.t...e.x.e.

00e0	80 00 00 00 30 00 0b 1a  24 2c 00 00 00 00 00 00   ....0...$,......

00f0	6d e4 04 00 00 00 06 00  00 00 41 00 44 00 53 00   m.........A.D.S.

0100	54 00 65 00 73 00 74 00  2e 00 65 00 78 00 65 00   T.e.s.t...e.x.e.

0110	80 00 00 00 30 00 0b 1a  e1 5f 00 00 00 00 00 00   ....0...._......

0120	6e e4 04 00 00 00 06 00  00 00 41 00 44 00 53 00   n.........A.D.S.

0130	54 00 65 00 73 00 74 00  2e 00 65 00 78 00 65 00   T.e.s.t...e.x.e.

0140	80 00 00 00 38 00 0c 1a  00 00 00 00 00 00 00 00   ....8...........

0150	69 e3 04 00 00 00 23 00  0a 00 41 00 44 00 53 00   i.....#...A.D.S.

0160	54 00 65 00 73 00 74 00  32 00 2e 00 65 00 78 00   T.e.s.t.2...e.x.

0170	65 00 00 00 00 00 00 00							e.......

So if you pay attention to the above, you see one resident file, NoADS.txt (its unnamed $DATA is resident: "This file should be resident. ADS Testing."), with two ADSs attached: ADSTest2.exe, whose non-resident $DATA sits in the base record, and ADSTest.exe, whose $DATA is split over four other records (317284, 320620, 320621 and 320622) and is only reachable through the $ATTRIBUTE_LIST. This is exactly the case where attriblist=on is needed.
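The $DATA 2 attribute above is a good specimen of a fragmented non-resident stream, so here is an added Python example for this post (not code from the NTFS tools collection) that decodes its run list and shows the extraction step NTFS File Extracter performs. ADSTEST2_RUNS is transcribed from the $DATA (2) hex dump: note that this version of the tool prints the run-list offset as 0, but the header field at attribute offset 0x20 reads 58 00, so the runs start at 0x58, right after the 24-byte UTF-16 name, and end at the 0x00 terminator. The decoded runs must account for Last VCN + 1 = 1085 clusters, which at 8 sectors of 512 bytes per cluster is the 4444160 bytes the tool prints as allocated size; on the live disk each run's bytes sit at HiddenSectors * 512 + LCN * 4096. DEMO_RUNS and demo_disk() are constructed test data used to exercise the read path, including a sparse run and a backwards delta.

```python
"""Decode an NTFS run list and rip a stream out of a raw disk.

Added example for this post, not code from the NTFS tools collection.
ADSTEST2_RUNS is transcribed from the $DATA (2) dump above (stream
ADSTest2.exe); DEMO_RUNS and demo_disk() are constructed test data.
"""
import io

BYTES_PER_SECTOR = 512                              # geometry printed by MFTRCRD above
SECTORS_PER_CLUSTER = 8
CLUSTER = BYTES_PER_SECTOR * SECTORS_PER_CLUSTER    # 4096
HIDDEN_SECTORS = 1622016                            # volume start, from the same output

# Run list of $DATA 2 (ADSTest2.exe), attribute offset 0x58 up to the terminator.
ADSTEST2_RUNS = bytes.fromhex(
    "31 01 94 7d 64  31 01 51 13 15  21 02 0b ef  31 04 b8 a2 f5 "
    "21 08 b9 fb  31 12 0d fe 37  41 15 0a 9a 6d ff  41 09 14 50 e0 00 "
    "31 17 d9 80 2a  41 18 6b 0f f9 fe  31 01 13 1a 61  31 18 39 fc 11 "
    "31 08 68 00 22  31 18 f8 d6 43  31 08 a5 41 fe  31 19 d8 52 a6 "
    "21 07 25 2f  41 1a 16 2f 86 00  31 06 e2 ec d7  31 4e 90 13 28 "
    "31 02 8e 9f fe  31 58 7c 75 83  31 08 30 2f 0f  32 9d 02 24 b2 6e  00"
)

# Constructed: 2 clusters at LCN 3, then 1 sparse cluster, then 1 cluster at LCN 1.
DEMO_RUNS = bytes.fromhex("11 02 03  01 01  11 01 fe  00")


def decode_runs(run_list, start_vcn=0):
    """Return [(vcn, lcn, clusters)]; lcn is None for a sparse (unallocated) run.

    Each run starts with a header byte: low nibble = size of the length field,
    high nibble = size of the LCN delta (0 = sparse). Deltas are signed and
    relative to the previous allocated run, so they can point backwards."""
    extents, pos, vcn, lcn = [], 0, start_vcn, 0
    while pos < len(run_list) and run_list[pos] != 0:
        len_size, off_size = run_list[pos] & 0x0F, run_list[pos] >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(run_list):
            raise ValueError("malformed run header at %d" % (pos - 1))
        count = int.from_bytes(run_list[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            extents.append((vcn, None, count))
        else:
            lcn += int.from_bytes(run_list[pos:pos + off_size], "little", signed=True)
            if lcn < 0:
                raise ValueError("run list points before the volume start")
            extents.append((vcn, lcn, count))
            pos += off_size
        vcn += count
    return extents


def total_clusters(extents):
    return sum(n for _, _, n in extents)


# disk: any seekable binary file, e.g. open(r"\\.\PhysicalDrive0", "rb") on Windows
# (administrator rights required); volume_offset = HiddenSectors * BYTES_PER_SECTOR.
def read_stream(disk, extents, real_size, volume_offset=0, cluster_size=CLUSTER):
    """Rip a stream from a raw device, the step NTFS File Extracter performs.

    Sparse runs are zero-filled and the result is cut to real_size, because the
    last cluster also holds slack that is not part of the stream."""
    out = io.BytesIO()
    for _, lcn, n in extents:
        if lcn is None:
            out.write(b"\0" * (n * cluster_size))
        else:
            disk.seek(volume_offset + lcn * cluster_size)
            out.write(disk.read(n * cluster_size))
    return out.getvalue()[:real_size]


def demo_disk(cluster_size=16):
    """Constructed 8-cluster 'disk': cluster i is filled with the letter chr(65 + i)."""
    return io.BytesIO(b"".join(bytes([65 + i]) * cluster_size for i in range(8)))


if __name__ == "__main__":
    ext = decode_runs(ADSTEST2_RUNS)
    print(len(ext), "runs,", total_clusters(ext), "clusters,",
          total_clusters(ext) * CLUSTER, "bytes allocated")
    print("first run: VCN %d -> LCN %d, %d cluster(s)" % ext[0])
    print("volume byte offset of first run:",
          HIDDEN_SECTORS * BYTES_PER_SECTOR + ext[0][1] * CLUSTER)
```

Running it shows 24 runs for a 4.4 MB stream, which is why the tool's attriblist/data-run handling matters: the same file's other ADS, ADSTest.exe, is fragmented so badly that its run lists no longer fit in the base record at all.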


The SetMACE utility is already shared here, so it does not need to be introduced. But I would like to mention that if you play with its code, it is very nice to use MFTRCRD to quickly dump the result. These tools are very handy when learning NTFS.

What's New in Version v5 (See full changelog)

  • All tools updated to latest version. All latest can be found; https://github.com/jschicht
