NTFS Tools collection v5
File Information
- Submitted: Jun 27 2012 09:24 PM
- Last Updated: Oct 06 2014 07:28 PM
- File Size: 3.6MB
- Views: 19770
- Downloads: 13720
- Approved by: Brito
- Approved on: 27 June 2012 - 09:33 PM
Here is my NTFS tools collection that I've worked on from time to time. It has been hosted at https://github.com/jschicht and http://code.google.com/p/mft2csv/ for about a year now, but I would like to share it here as well, since I'm quite satisfied with them after the latest updates. They are open source, written in AutoIt, and easy to modify or customize. Let me give a short description of each of them:
NTFS File Extracter
As the name implies, this is a utility to extract files from NTFS volumes. It decodes $MFT and resolves where the data is located on disk before ripping it out. It reads directly from the physical disk and thus bypasses filesystem restrictions. There are 4 different modes for extraction:
- Extract $MFT only.
- Extract all NTFS system files.
- Select a file from the volume by browsing to it.
- Type in the record number (IndexNumber) to extract.
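"Resolving where the data is located on disk" is, for a non-resident attribute, a matter of decoding its data-run list. The following Python is an added illustration, not code from the NTFS tools collection itself: it parses the 216-byte non-resident $DATA (2) attribute exactly as printed in the sample MFTRCRD dump further down in this post (the stream ADSTest2.exe), walks its data runs into a list of (LCN, cluster count) pairs, translates those into byte extents an extractor would read, and cross-checks that the runs account for LastVCN+1 clusters. The cluster size comes from the BytesPerSector/SectorsPerCluster values in the same dump; the function names are my own.

```python
import struct

# Geometry printed at the top of the sample dump: BytesPerSector 512, SectorsPerCluster 8.
BYTES_PER_CLUSTER = 512 * 8

# The 216 bytes of "Dump of $DATA (2)" from the sample output, copied verbatim
# (the named, non-resident stream ADSTest2.exe).
DATA2_ATTR = bytes.fromhex("""
    80 00 00 00 d8 00 00 00 01 0c 40 00 00 00 0a 00
    00 00 00 00 00 00 00 00 3c 04 00 00 00 00 00 00
    58 00 00 00 00 00 00 00 00 d0 43 00 00 00 00 00
    fb c5 43 00 00 00 00 00 fb c5 43 00 00 00 00 00
    41 00 44 00 53 00 54 00 65 00 73 00 74 00 32 00
    2e 00 65 00 78 00 65 00 31 01 94 7d 64 31 01 51
    13 15 21 02 0b ef 31 04 b8 a2 f5 21 08 b9 fb 31
    12 0d fe 37 41 15 0a 9a 6d ff 41 09 14 50 e0 00
    31 17 d9 80 2a 41 18 6b 0f f9 fe 31 01 13 1a 61
    31 18 39 fc 11 31 08 68 00 22 31 18 f8 d6 43 31
    08 a5 41 fe 31 19 d8 52 a6 21 07 25 2f 41 1a 16
    2f 86 00 31 06 e2 ec d7 31 4e 90 13 28 31 02 8e
    9f fe 31 58 7c 75 83 31 08 30 2f 0f 32 9d 02 24
    b2 6e 00 06 00 00 00 00
""")


def parse_nonresident_attr(buf):
    """Decode the 16-byte common attribute header plus the non-resident part (0x10..0x3f)."""
    atype, alen, nonres, name_len, name_off, flags, aid = struct.unpack_from("<IIBBHHH", buf, 0)
    if nonres != 1:
        raise ValueError("attribute is resident; it has no data runs")
    (start_vcn, last_vcn, runs_off, cu_size, _pad,
     alloc, real, init) = struct.unpack_from("<QQHHIQQQ", buf, 0x10)
    name = buf[name_off:name_off + 2 * name_len].decode("utf-16-le")
    return {"type": atype, "length": alen, "id": aid, "flags": flags, "name": name,
            "start_vcn": start_vcn, "last_vcn": last_vcn, "runs_offset": runs_off,
            "compression_unit": cu_size, "allocated": alloc, "real": real, "initialized": init}


def decode_data_runs(buf, off):
    """Walk the run list. Each run opens with a header byte: low nibble = size of the
    length field, high nibble = size of the signed LCN delta (relative to the previous
    run). A delta size of 0 marks a sparse run (lcn=None); a zero header byte ends the list."""
    runs, lcn = [], 0
    while off < len(buf) and buf[off] != 0:
        len_size, off_size = buf[off] & 0x0F, buf[off] >> 4
        off += 1
        if len_size == 0 or off + len_size + off_size > len(buf):
            raise ValueError("malformed data run")
        length = int.from_bytes(buf[off:off + len_size], "little")
        off += len_size
        if off_size == 0:
            runs.append((None, length))
            continue
        lcn += int.from_bytes(buf[off:off + off_size], "little", signed=True)
        off += off_size
        if lcn < 0:
            raise ValueError("data run points before the start of the volume")
        runs.append((lcn, length))
    return runs


def byte_extents(runs, bytes_per_cluster=BYTES_PER_CLUSTER):
    """Translate runs into (disk offset, byte count) extents, the list an extractor reads."""
    return [(lcn * bytes_per_cluster, n * bytes_per_cluster) for lcn, n in runs if lcn is not None]


def resolve(buf):
    """Parse the attribute, decode its runs and verify they cover exactly the VCN range claimed."""
    attr = parse_nonresident_attr(buf)
    runs = decode_data_runs(buf, attr["runs_offset"])
    expected = attr["last_vcn"] - attr["start_vcn"] + 1
    total = sum(n for _, n in runs)
    if total != expected:
        raise ValueError(f"runs cover {total} clusters, header claims {expected}")
    return attr, runs


if __name__ == "__main__":
    attr, runs = resolve(DATA2_ATTR)
    print(f"{attr['name']}: {len(runs)} runs, {attr['real']} bytes in {attr['last_vcn'] + 1} clusters")
    for lcn, n in runs:
        print(f"  LCN {lcn:>9}  clusters {n:>4}  disk offset 0x{lcn * BYTES_PER_CLUSTER:x}")
```

Run it and the 24 runs add up to 1085 clusters, which matches both "Last VCN: 1084" and the allocated size of 4444160 bytes (1085 × 4096) in the dump; the byte extents are what the extracter would read from the physical disk, in order, to reassemble the stream.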
MFT2CSV
As the name implies, it decodes $MFT and dumps the information to a CSV. The amount of data is quite substantial, so check it out. You will need an $MFT as input for this tool; use the NTFS File Extracter above to get it. Then import the finished CSV into Excel or similar spreadsheet software and you get a detailed report of what is in your Master File Table.
MFTRCRD
This tool falls in between the above two. It reads your $MFT from the physical disk and decodes the records of individual files. This is very handy, because you can quickly get a record decode for specific files without extracting and decoding the complete $MFT, which may take some time depending on its size. MFTRCRD actually goes further than mft2csv and can produce far more information about individual files, so mft2csv is up for an update soon. It is a command line tool and displays its output on the console. It accepts a filename with path or an $MFT record number (IndexNumber). One switch (param3) optimizes decode speed when an $ATTRIBUTE_LIST is present for a given file: for most usage set param3 to attriblist=off, which produces faster output, and set it to attriblist=on only when an $ATTRIBUTE_LIST attribute is present. Another switch (param4) chooses whether to hexdump the INDX records resolved from the $INDEX_ALLOCATION attribute.
Attributes currently handled:
- $STANDARD_INFORMATION
- $ATTRIBUTE_LIST
- $FILE_NAME
- $OBJECT_ID
- $SECURITY_DESCRIPTOR (just raw hex dump)
- $VOLUME_NAME
- $VOLUME_INFORMATION
- $DATA
- $INDEX_ROOT
- $INDEX_ALLOCATION
- $BITMAP (just raw hex dump)
- $REPARSE_POINT
- $EA_INFORMATION
- $EA
- $LOGGED_UTILITY_STREAM
Usage: "MFTRCRD param1 param2 param3 param4"
param1 can be a valid file path or an IndexNumber ($MFT record number)
param2 can be -d or -a:
- -d means just decode $MFT entry
- -a same as -d but also dumps the whole $MFT entry to console
param3 selects $ATTRIBUTE_LIST handling and can be either attriblist=on or attriblist=off. Use attriblist=off for normal files (faster), and attriblist=on only when the record has an $ATTRIBUTE_LIST attribute.
param4 specifies whether to hexdump complete INDX records and can be either indxdump=on or indxdump=off. Beware that indxdump=on may generate a significant amount of dump to console for certain directories.
Example for dumping an $MFT decode for boot.ini:
MFTRCRD C:\boot.ini -d attriblist=off indxdump=off
Example for dumping an $MFT decode + a 1024 byte $MFT record dump for $MFT itself from the C: drive:
MFTRCRD C:0 -a attriblist=off indxdump=off
Example for dumping an $MFT decode for $LogFile from the D: drive:
MFTRCRD D:2 -d attriblist=off indxdump=off
Example for dumping a speed optimized $MFT decode for an extremely fragmented file with $ATTRIBUTE_LIST present:
MFTRCRD C:\ExtremelyFragmented.bin -d attriblist=on indxdump=off
Example for dumping an $MFT record decode + hexdump of its resolved INDX records for the root directory on C:, equivalent to the 'folder' named C:\
MFTRCRD C:5 -d attriblist=off indxdump=on
Running the tool without any parameter will display help information.
Here's a sample console dump of a file:
Starting MFTRCRD by Joakim Schicht
Version 1.0.0.6
Target is a File
Filesystem on C:\ is NTFS
NtQueryInformationFile: Success
File IndexNumber: 320361
NtQueryInformationFile: Success
BytesPerSector: 512
SectorsPerCluster: 8
TotalSectors: 248444927
HiddenSectors: 1622016
SectorsPerTrack: 63
NumberOfHeads: 255
Searching through $MFT...
Dump of $MFT record
0000 46 49 4c 45 30 00 03 00 9e cc 7a f7 02 00 00 00 FILE0.....z.....
0010 23 00 01 00 38 00 01 00 e8 03 00 00 00 04 00 00 #...8...........
0020 00 00 00 00 00 00 00 00 0b 00 00 00 69 e3 04 00 ............i...
0030 09 00 00 00 47 11 00 00 10 00 00 00 60 00 00 00 ....G.......`...
0040 00 00 00 00 00 00 00 00 48 00 00 00 18 00 00 00 ........H.......
0050 b9 95 7d d2 4d 52 cd 01 16 4b e2 16 51 52 cd 01 ..}.MR...K..QR..
0060 16 4b e2 16 51 52 cd 01 b9 95 7d d2 4d 52 cd 01 .K..QR....}.MR..
0070 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
0080 00 00 00 00 b8 03 00 00 00 00 00 00 00 00 00 00 ................
0090 d0 c4 de b3 00 00 00 00 20 00 00 00 90 01 00 00 ........ .......
00a0 00 00 00 00 00 00 08 00 78 01 00 00 18 00 00 00 ........x.......
00b0 10 00 00 00 20 00 00 1a 00 00 00 00 00 00 00 00 .... ...........
00c0 69 e3 04 00 00 00 23 00 00 00 00 00 02 80 14 00 i.....#.........
00d0 30 00 00 00 20 00 00 1a 00 00 00 00 00 00 00 00 0... ...........
00e0 69 e3 04 00 00 00 23 00 04 00 08 80 fd 01 02 00 i.....#.........
00f0 40 00 00 00 20 00 00 1a 00 00 00 00 00 00 00 00 @... ...........
0100 69 e3 04 00 00 00 23 00 05 00 17 0d a0 f8 ff ff i.....#.........
0110 80 00 00 00 20 00 00 1a 00 00 00 00 00 00 00 00 .... ...........
0120 69 e3 04 00 00 00 23 00 01 00 96 10 a0 f8 ff ff i.....#.........
0130 80 00 00 00 30 00 0b 1a 00 00 00 00 00 00 00 00 ....0...........
0140 64 d7 04 00 00 00 28 00 00 00 41 00 44 00 53 00 d.....(...A.D.S.
0150 54 00 65 00 73 00 74 00 2e 00 65 00 78 00 65 00 T.e.s.t...e.x.e.
0160 80 00 00 00 30 00 0b 1a f0 0d 00 00 00 00 00 00 ....0...........
0170 6c e4 04 00 00 00 0b 00 00 00 41 00 44 00 53 00 l.........A.D.S.
0180 54 00 65 00 73 00 74 00 2e 00 65 00 78 00 65 00 T.e.s.t...e.x.e.
0190 80 00 00 00 30 00 0b 1a 24 2c 00 00 00 00 00 00 ....0...$,......
01a0 6d e4 04 00 00 00 06 00 00 00 41 00 44 00 53 00 m.........A.D.S.
01b0 54 00 65 00 73 00 74 00 2e 00 65 00 78 00 65 00 T.e.s.t...e.x.e.
01c0 80 00 00 00 30 00 0b 1a e1 5f 00 00 00 00 00 00 ....0...._......
01d0 6e e4 04 00 00 00 06 00 00 00 41 00 44 00 53 00 n.........A.D.S.
01e0 54 00 65 00 73 00 74 00 2e 00 65 00 78 00 65 00 T.e.s.t...e.x.e.
01f0 80 00 00 00 38 00 0c 1a 00 00 00 00 00 00 09 00 ....8...........
0200 69 e3 04 00 00 00 23 00 0a 00 41 00 44 00 53 00 i.....#...A.D.S.
0210 54 00 65 00 73 00 74 00 32 00 2e 00 65 00 78 00 T.e.s.t.2...e.x.
0220 65 00 00 00 00 00 00 00 30 00 00 00 70 00 00 00 e.......0...p...
0230 00 00 00 00 00 00 04 00 54 00 00 00 18 00 01 00 ........T.......
0240 98 2e 01 00 00 00 01 00 b9 95 7d d2 4d 52 cd 01 ..........}.MR..
0250 b9 95 7d d2 4d 52 cd 01 b9 95 7d d2 4d 52 cd 01 ..}.MR....}.MR..
0260 b9 95 7d d2 4d 52 cd 01 00 00 00 00 00 00 00 00 ..}.MR..........
0270 00 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 ........ .......
0280 09 03 4e 00 6f 00 41 00 44 00 53 00 2e 00 74 00 ..N.o.A.D.S...t.
0290 78 00 74 00 54 00 58 00 40 00 00 00 28 00 00 00 x.t.T.X.@...(...
02a0 00 00 00 00 00 00 05 00 10 00 00 00 18 00 00 00 ................
02b0 59 56 e9 13 80 bc e1 11 8f b6 38 59 f9 d7 1d 3a YV........8Y...:
02c0 80 00 00 00 48 00 00 00 00 00 18 00 00 00 01 00 ....H...........
02d0 2a 00 00 00 18 00 00 00 54 68 69 73 20 66 69 6c *.......This fil
02e0 65 20 73 68 6f 75 6c 64 20 62 65 20 72 65 73 69 e should be resi
02f0 64 65 6e 74 2e 20 41 44 53 20 54 65 73 74 69 6e dent. ADS Testin
0300 67 2e 54 00 65 00 78 00 80 00 00 00 d8 00 00 00 g.T.e.x.........
0310 01 0c 40 00 00 00 0a 00 00 00 00 00 00 00 00 00 ..@.............
0320 3c 04 00 00 00 00 00 00 58 00 00 00 00 00 00 00 <.......X.......
0330 00 d0 43 00 00 00 00 00 fb c5 43 00 00 00 00 00 ..C.......C.....
0340 fb c5 43 00 00 00 00 00 41 00 44 00 53 00 54 00 ..C.....A.D.S.T.
0350 65 00 73 00 74 00 32 00 2e 00 65 00 78 00 65 00 e.s.t.2...e.x.e.
0360 31 01 94 7d 64 31 01 51 13 15 21 02 0b ef 31 04 1..}d1.Q..!...1.
0370 b8 a2 f5 21 08 b9 fb 31 12 0d fe 37 41 15 0a 9a ...!...1...7A...
0380 6d ff 41 09 14 50 e0 00 31 17 d9 80 2a 41 18 6b m.A..P..1...*A.k
0390 0f f9 fe 31 01 13 1a 61 31 18 39 fc 11 31 08 68 ...1...a1.9..1.h
03a0 00 22 31 18 f8 d6 43 31 08 a5 41 fe 31 19 d8 52 ."1...C1..A.1..R
03b0 a6 21 07 25 2f 41 1a 16 2f 86 00 31 06 e2 ec d7 .!.%/A../..1....
03c0 31 4e 90 13 28 31 02 8e 9f fe 31 58 7c 75 83 31 1N..(1....1X|u.1
03d0 08 30 2f 0f 32 9d 02 24 b2 6e 00 06 00 00 00 00 .0/.2..$.n......
03e0 ff ff ff ff 82 79 47 11 18 31 21 81 ac a6 31 1f .....yG..1!...1.
03f0 09 92 1c 00 80 fa ff ff ff ff ff ff 82 79 09 00 .............y..
Dump of $STANDARD_INFORMATION (1)
0000 10 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 ....`...........
0010 48 00 00 00 18 00 00 00 b9 95 7d d2 4d 52 cd 01 H.........}.MR..
0020 16 4b e2 16 51 52 cd 01 16 4b e2 16 51 52 cd 01 .K..QR...K..QR..
0030 b9 95 7d d2 4d 52 cd 01 20 00 00 00 00 00 00 00 ..}.MR.. .......
0040 00 00 00 00 00 00 00 00 00 00 00 00 b8 03 00 00 ................
0050 00 00 00 00 00 00 00 00 d0 c4 de b3 00 00 00 00 ................
Dump of $ATTRIBUTE_LIST (1)
0000 20 00 00 00 90 01 00 00 00 00 00 00 00 00 08 00  ...............
0010 78 01 00 00 18 00 00 00 10 00 00 00 20 00 00 1a x........... ...
0020 00 00 00 00 00 00 00 00 69 e3 04 00 00 00 23 00 ........i.....#.
0030 00 00 00 00 02 80 14 00 30 00 00 00 20 00 00 1a ........0... ...
0040 00 00 00 00 00 00 00 00 69 e3 04 00 00 00 23 00 ........i.....#.
0050 04 00 08 80 fd 01 02 00 40 00 00 00 20 00 00 1a ........@... ...
0060 00 00 00 00 00 00 00 00 69 e3 04 00 00 00 23 00 ........i.....#.
0070 05 00 17 0d a0 f8 ff ff 80 00 00 00 20 00 00 1a ............ ...
0080 00 00 00 00 00 00 00 00 69 e3 04 00 00 00 23 00 ........i.....#.
0090 01 00 96 10 a0 f8 ff ff 80 00 00 00 30 00 0b 1a ............0...
00a0 00 00 00 00 00 00 00 00 64 d7 04 00 00 00 28 00 ........d.....(.
00b0 00 00 41 00 44 00 53 00 54 00 65 00 73 00 74 00 ..A.D.S.T.e.s.t.
00c0 2e 00 65 00 78 00 65 00 80 00 00 00 30 00 0b 1a ..e.x.e.....0...
00d0 f0 0d 00 00 00 00 00 00 6c e4 04 00 00 00 0b 00 ........l.......
00e0 00 00 41 00 44 00 53 00 54 00 65 00 73 00 74 00 ..A.D.S.T.e.s.t.
00f0 2e 00 65 00 78 00 65 00 80 00 00 00 30 00 0b 1a ..e.x.e.....0...
0100 24 2c 00 00 00 00 00 00 6d e4 04 00 00 00 06 00 $,......m.......
0110 00 00 41 00 44 00 53 00 54 00 65 00 73 00 74 00 ..A.D.S.T.e.s.t.
0120 2e 00 65 00 78 00 65 00 80 00 00 00 30 00 0b 1a ..e.x.e.....0...
0130 e1 5f 00 00 00 00 00 00 6e e4 04 00 00 00 06 00 ._......n.......
0140 00 00 41 00 44 00 53 00 54 00 65 00 73 00 74 00 ..A.D.S.T.e.s.t.
0150 2e 00 65 00 78 00 65 00 80 00 00 00 38 00 0c 1a ..e.x.e.....8...
0160 00 00 00 00 00 00 00 00 69 e3 04 00 00 00 23 00 ........i.....#.
0170 0a 00 41 00 44 00 53 00 54 00 65 00 73 00 74 00 ..A.D.S.T.e.s.t.
0180 32 00 2e 00 65 00 78 00 65 00 00 00 00 00 00 00 2...e.x.e.......
Dump of $FILE_NAME (1)
0000 30 00 00 00 70 00 00 00 00 00 00 00 00 00 04 00 0...p...........
0010 54 00 00 00 18 00 01 00 98 2e 01 00 00 00 01 00 T...............
0020 b9 95 7d d2 4d 52 cd 01 b9 95 7d d2 4d 52 cd 01 ..}.MR....}.MR..
0030 b9 95 7d d2 4d 52 cd 01 b9 95 7d d2 4d 52 cd 01 ..}.MR....}.MR..
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050 20 00 00 00 00 00 00 00 09 03 4e 00 6f 00 41 00  .........N.o.A.
0060 44 00 53 00 2e 00 74 00 78 00 74 00 54 00 58 00 D.S...t.x.t.T.X.
Dump of $OBJECT_ID (1)
0000 40 00 00 00 28 00 00 00 00 00 00 00 00 00 05 00 @...(...........
0010 10 00 00 00 18 00 00 00 59 56 e9 13 80 bc e1 11 ........YV......
0020 8f b6 38 59 f9 d7 1d 3a ..8Y...:
Dump of $DATA (1)
0000 80 00 00 00 48 00 00 00 00 00 18 00 00 00 01 00 ....H...........
0010 2a 00 00 00 18 00 00 00 54 68 69 73 20 66 69 6c *.......This fil
0020 65 20 73 68 6f 75 6c 64 20 62 65 20 72 65 73 69 e should be resi
0030 64 65 6e 74 2e 20 41 44 53 20 54 65 73 74 69 6e dent. ADS Testin
0040 67 2e 54 00 65 00 78 00 g.T.e.x.
Dump of $DATA (2)
0000 80 00 00 00 d8 00 00 00 01 0c 40 00 00 00 0a 00 ..........@.....
0010 00 00 00 00 00 00 00 00 3c 04 00 00 00 00 00 00 ........<.......
0020 58 00 00 00 00 00 00 00 00 d0 43 00 00 00 00 00 X.........C.....
0030 fb c5 43 00 00 00 00 00 fb c5 43 00 00 00 00 00 ..C.......C.....
0040 41 00 44 00 53 00 54 00 65 00 73 00 74 00 32 00 A.D.S.T.e.s.t.2.
0050 2e 00 65 00 78 00 65 00 31 01 94 7d 64 31 01 51 ..e.x.e.1..}d1.Q
0060 13 15 21 02 0b ef 31 04 b8 a2 f5 21 08 b9 fb 31 ..!...1....!...1
0070 12 0d fe 37 41 15 0a 9a 6d ff 41 09 14 50 e0 00 ...7A...m.A..P..
0080 31 17 d9 80 2a 41 18 6b 0f f9 fe 31 01 13 1a 61 1...*A.k...1...a
0090 31 18 39 fc 11 31 08 68 00 22 31 18 f8 d6 43 31 1.9..1.h."1...C1
00a0 08 a5 41 fe 31 19 d8 52 a6 21 07 25 2f 41 1a 16 ..A.1..R.!.%/A..
00b0 2f 86 00 31 06 e2 ec d7 31 4e 90 13 28 31 02 8e /..1....1N..(1..
00c0 9f fe 31 58 7c 75 83 31 08 30 2f 0f 32 9d 02 24 ..1X|u.1.0/.2..$
00d0 b2 6e 00 06 00 00 00 00 .n......
Found attributes:
$STANDARD_INFORMATION (1)
$ATTRIBUTE_LIST (1)
$FILE_NAME (1)
$OBJECT_ID (1)
$DATA (2)
Record header info:
Offst to update sequence number: 48
Update sequence array size (words): 3
$LogFile sequence number (LSN): 00000002F77ACC9E
Sequence number: 35
Hard link count: 1
Offset to first Attribute: 115
Flags: FILE
Real size of the FILE record: 1000
Allocated size of the FILE record: 1024
File reference to the base FILE record: 0000000000000000
Next Attribute Id: 000B
Number of this MFT Record: 320361
Update Sequence Number (a): 0900
Update Sequence Array (a): 00004711
$STANDARD_INFORMATION:
HEADER_Flags:
CreationTime (CTime): 2012-06-24 21:10:46:101:7529
LastWriteTime (ATime): 2012-06-24 21:34:09:337:0134
ChangeTime (MTime): 2012-06-24 21:34:09:337:0134
LastAccessTime (RTime): 2012-06-24 21:10:46:101:7529
DOS File Permissions: archive
Max Versions: 0
Version Number: 0
Class ID: 0
Owner ID: 0
Security ID: 952
USN: 00000000B3DEC4D0
$FILE_NAME 1:
ParentSequenceNo: 1
CreationTime (CTime): 2012-06-24 21:10:46:101:7529
LastWriteTime (ATime): 2012-06-24 21:10:46:101:7529
ChangeTime (MTime): 2012-06-24 21:10:46:101:7529
LastAccessTime (RTime): 2012-06-24 21:10:46:101:7529
AllocSize: 0
RealSize: 0
Flags: archive
NameLength: 9
NameType: DOS+WIN32
NameSpace: 8
FileName: NoADS.txt
ParentReferenceNo: 77464
$OBJECT_ID:
GUID Object Id: 5956E913-80BC-E111-8FB6-3859F9D71D3A
GUID Birth Volume Id: NOT PRESENT
GUID Birth Object Id: NOT PRESENT
GUID Domain Id: NOT PRESENT
$DATA 1:
Length: 72
Non-resident flag: 00
Name length: 0
Offset to the Name: 24
Flags:
Attribute Id: 0001
Resident - Length of the Attribute: 42
Resident - Offset to the Attribute: 24
Resident - Indexed flag: 0
Resident - Padding: 00
Non-Resident - Starting VCN:
Non-Resident - Last VCN:
Non-Resident - Offset to the Data Runs:
Non-Resident - Compression Unit Size:
Non-Resident - Padding:
Non-Resident - Allocated size of the attribute:
Non-Resident - Real size of the attribute:
Non-Resident - Initialized data size of the stream:
The Attribute's Name:
$DATA 2:
Length: 216
Non-resident flag: 01
Name length: 12
Offset to the Name: 64
Flags:
Attribute Id: 000A
Resident - Length of the Attribute:
Resident - Offset to the Attribute:
Resident - Indexed flag:
Resident - Padding:
Non-Resident - Starting VCN: 0
Non-Resident - Last VCN: 1084
Non-Resident - Offset to the Data Runs: 0
Non-Resident - Compression Unit Size: 0
Non-Resident - Padding: 00000000
Non-Resident - Allocated size of the attribute: 4444160
Non-Resident - Real size of the attribute: 4441595
Non-Resident - Initialized data size of the stream: 4441595
The Attribute's Name: ADSTest2.exe
$ATTRIBUTE_LIST:
Base record: 317284, Start VCN: 0, Type: 80000000, AL Record length: 48, Name: ADSTest.exe, Attrib ID: 0x0000
Base record: 320620, Start VCN: 3568, Type: 80000000, AL Record length: 48, Name: ADSTest.exe, Attrib ID: 0x0000
Base record: 320621, Start VCN: 11300, Type: 80000000, AL Record length: 48, Name: ADSTest.exe, Attrib ID: 0x0000
Base record: 320622, Start VCN: 24545, Type: 80000000, AL Record length: 48, Name: ADSTest.exe, Attrib ID: 0x0000
Isolated attribute list:
0000 10 00 00 00 20 00 00 1a 00 00 00 00 00 00 00 00 .... ...........
0010 69 e3 04 00 00 00 23 00 00 00 00 00 02 80 14 00 i.....#.........
0020 30 00 00 00 20 00 00 1a 00 00 00 00 00 00 00 00 0... ...........
0030 69 e3 04 00 00 00 23 00 04 00 08 80 fd 01 02 00 i.....#.........
0040 40 00 00 00 20 00 00 1a 00 00 00 00 00 00 00 00 @... ...........
0050 69 e3 04 00 00 00 23 00 05 00 17 0d a0 f8 ff ff i.....#.........
0060 80 00 00 00 20 00 00 1a 00 00 00 00 00 00 00 00 .... ...........
0070 69 e3 04 00 00 00 23 00 01 00 96 10 a0 f8 ff ff i.....#.........
0080 80 00 00 00 30 00 0b 1a 00 00 00 00 00 00 00 00 ....0...........
0090 64 d7 04 00 00 00 28 00 00 00 41 00 44 00 53 00 d.....(...A.D.S.
00a0 54 00 65 00 73 00 74 00 2e 00 65 00 78 00 65 00 T.e.s.t...e.x.e.
00b0 80 00 00 00 30 00 0b 1a f0 0d 00 00 00 00 00 00 ....0...........
00c0 6c e4 04 00 00 00 0b 00 00 00 41 00 44 00 53 00 l.........A.D.S.
00d0 54 00 65 00 73 00 74 00 2e 00 65 00 78 00 65 00 T.e.s.t...e.x.e.
00e0 80 00 00 00 30 00 0b 1a 24 2c 00 00 00 00 00 00 ....0...$,......
00f0 6d e4 04 00 00 00 06 00 00 00 41 00 44 00 53 00 m.........A.D.S.
0100 54 00 65 00 73 00 74 00 2e 00 65 00 78 00 65 00 T.e.s.t...e.x.e.
0110 80 00 00 00 30 00 0b 1a e1 5f 00 00 00 00 00 00 ....0...._......
0120 6e e4 04 00 00 00 06 00 00 00 41 00 44 00 53 00 n.........A.D.S.
0130 54 00 65 00 73 00 74 00 2e 00 65 00 78 00 65 00 T.e.s.t...e.x.e.
0140 80 00 00 00 38 00 0c 1a 00 00 00 00 00 00 00 00 ....8...........
0150 69 e3 04 00 00 00 23 00 0a 00 41 00 44 00 53 00 i.....#...A.D.S.
0160 54 00 65 00 73 00 74 00 32 00 2e 00 65 00 78 00 T.e.s.t.2...e.x.
0170 65 00 00 00 00 00 00 00 e.......
So if you pay attention to the above, you see that we have 1 resident file that has 2 ADSs attached.
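To show how a decoder gets from a raw 1024-byte record to that conclusion (one resident file, two named streams), here is an added Python example; it is not code from the collection. It applies the update-sequence fixups that every FILE record carries, decodes the header fields MFTRCRD prints under "Record header info", walks the attributes of the base record, pulls the name out of $FILE_NAME and reports every named $DATA attribute as an alternate data stream. The record it parses is constructed inside the block (record number, sequence number, file name and stream names mirror the dump above; the streams are kept resident for brevity and $ATTRIBUTE_LIST continuation records are not followed), so none of the bytes are the page's; function names are my own.

```python
import struct

RECORD_SIZE, SECTOR_SIZE = 1024, 512   # "Allocated size of the FILE record: 1024", BytesPerSector 512
END_MARKER, ATTR_FILE_NAME, ATTR_DATA = 0xFFFFFFFF, 0x30, 0x80
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST", 0x30: "$FILE_NAME",
              0x40: "$OBJECT_ID", 0x80: "$DATA", 0x90: "$INDEX_ROOT", 0xA0: "$INDEX_ALLOCATION"}

def apply_fixups(raw):
    """Undo the update sequence array: the last word of every sector holds the USN and the
    displaced word sits in the USA. A USN mismatch means a torn write or a bogus record."""
    usa_off, usa_count = struct.unpack_from("<HH", raw, 4)
    usn = raw[usa_off:usa_off + 2]
    rec = bytearray(raw)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if rec[end - 2:end] != usn:
            raise ValueError(f"update sequence mismatch in sector {i - 1}")
        rec[end - 2:end] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_record(raw):
    """Decode the FILE record header and walk the attributes stored in this base record."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    (_usa_off, _usa_count, lsn, seq, links, first_attr, flags, real, alloc,
     base_ref, next_id, _pad, rec_no) = struct.unpack_from("<HHQHHHHIIQHHI", rec, 4)
    header = {"record_number": rec_no, "sequence": seq, "hard_links": links, "lsn": lsn,
              "flags": flags, "real_size": real, "allocated_size": alloc,
              "base_record": base_ref, "next_attr_id": next_id}
    attrs, off = [], first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen < 16:          # 0xFFFFFFFF terminates the attribute list
            break
        nonres, name_len, name_off, _aflags, aid = struct.unpack_from("<BBHHH", rec, off + 8)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        attr = {"type": atype, "type_name": ATTR_NAMES.get(atype, hex(atype)), "id": aid,
                "name": name, "non_resident": bool(nonres), "length": alen, "value": b""}
        if not nonres:                                # resident: value length/offset at 0x10/0x14
            vlen, voff = struct.unpack_from("<IH", rec, off + 0x10)
            attr["value"] = rec[off + voff:off + voff + vlen]
        attrs.append(attr)
        off += alen
    return header, attrs

def file_name(attrs):
    """Name from the first resident $FILE_NAME value (length byte at 0x40, UTF-16 name at 0x42)."""
    for a in attrs:
        if a["type"] == ATTR_FILE_NAME and not a["non_resident"]:
            return a["value"][0x42:0x42 + 2 * a["value"][0x40]].decode("utf-16-le")
    return None

def alternate_data_streams(attrs):
    """Every named $DATA attribute is an ADS; the unnamed one is the file's main body."""
    return [a["name"] for a in attrs if a["type"] == ATTR_DATA and a["name"]]

# Constructed sample record below (not bytes from the dump above).
def build_resident_attr(atype, value, name="", aid=0):
    name_b = name.encode("utf-16-le")
    voff = (0x18 + len(name_b) + 7) & ~7              # value follows the 24-byte header and the name
    total = (voff + len(value) + 7) & ~7
    buf = bytearray(total)
    struct.pack_into("<IIBBHHHIHBB", buf, 0, atype, total, 0, len(name), 0x18, 0, aid, len(value), voff, 0, 0)
    buf[0x18:0x18 + len(name_b)] = name_b
    buf[voff:voff + len(value)] = value
    return bytes(buf)

def build_record(rec_no, seq, attrs, usn=0x0901):
    """1024-byte FILE record with the update sequence array applied, as it would sit on disk."""
    rec = bytearray(RECORD_SIZE)
    body = b"".join(attrs) + struct.pack("<I", END_MARKER)
    rec[0x38:0x38 + len(body)] = body
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 0x30, 3, 0x1234, seq, 1, 0x38, 1,
                     (0x38 + len(body) + 7) & ~7, RECORD_SIZE, 0, len(attrs) + 1, 0, rec_no)
    struct.pack_into("<H", rec, 0x30, usn)
    for i in (1, 2):                                  # stash each sector's last word, stamp the USN
        end = i * SECTOR_SIZE
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = struct.pack("<H", usn)
    return bytes(rec)

def sample_record():
    """Mirrors the dumped record: NoADS.txt, record 320361, sequence 35, one resident body
    and the two named streams ADSTest.exe / ADSTest2.exe (constructed, kept resident)."""
    fn = struct.pack("<7QIIBB", 5 | (5 << 48), 0, 0, 0, 0, 0, 0, 0x20, 0, 9, 3) + "NoADS.txt".encode("utf-16-le")
    attrs = [build_resident_attr(0x10, bytes(72), aid=0),
             build_resident_attr(ATTR_FILE_NAME, fn, aid=3),
             build_resident_attr(ATTR_DATA, b"This file should be resident. ADS Testing.", aid=1),
             build_resident_attr(ATTR_DATA, b"stream one payload", name="ADSTest.exe", aid=4),
             build_resident_attr(ATTR_DATA, b"stream two payload", name="ADSTest2.exe", aid=10)]
    return build_record(320361, 35, attrs)

if __name__ == "__main__":
    header, attrs = parse_record(sample_record())
    print(f"record {header['record_number']} seq {header['sequence']} file {file_name(attrs)}")
    for a in attrs:
        print(f"  {a['type_name']:<22} id={a['id']:<3} name={a['name']!r}")
    print("alternate data streams:", alternate_data_streams(attrs))
```

The fixup step is the part most ad-hoc parsers skip: without it the two bytes at the end of each sector are the USN rather than the real attribute bytes, and a record whose USN words disagree should be treated as torn or forged rather than decoded. The ADS report comes purely from attribute names, which is exactly how a triage script would spot hidden streams in an $MFT extracted with the tools above.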
The SetMACE utility is already shared here, so it does not need an introduction. But I would like to mention that if you play with its code, it is very handy to use MFTRCRD to quickly dump the result. These tools are very useful when learning NTFS.
What's New in Version v5
- All tools updated to the latest version. The latest versions can be found at https://github.com/jschicht