backup ntfs filecopy

2 replies to this topic

#1 joakim


    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen

Posted 29 May 2013 - 10:11 PM


File Name: RawCopy
File Submitter: joakim
File Submitted: 29 May 2013
File Updated: 16 Dec 2013
File Category: Tools

RawCopy is a file copier for NTFS that uses low level disk reading, and resolves data clusters by parsing the $MFT. It should be able to copy any file off the volume, even those locked by the system like the registry hives, or the NTFS system files like $MFT and $LogFile etc. It effectively bypasses all filesystem security.
  • Source file can be given as filepath and filename. Or it can be referenced by the IndexNumber (MFT reference number/inode).
  • Output directory must exist.
  • Also there is an option to extract all attributes, not just $DATA. This is nice if you want to look at non-resident $Bitmap, $EA, $INDEX_ALLOCATION etc, that may also be fragmented, meaning not many tools will let you extract these.

Example copying C:\file.ext to E:\out:

RawCopy C:\file.ext E:\out

Example copying C:\WINDOWS\system32\config\SAM to F:\reg with all attributes including $DATA:

RawCopy C:\WINDOWS\system32\config\SAM F:\reg -AllAttr

Example copying IndexNumber 20112 from C: volume to D:\bak, only $DATA attribute:

RawCopy C:20112 D:\bak


#2 erwan.l


    Platinum Member

  • Developer
  • 2977 posts
  • Location:Nantes - France

Posted 29 May 2013 - 10:40 PM

Hi Joakim,

Nice. You beat me by a few days: I was about to release something similar after our recent discussion :)

What about deleted files? With little change this tool should be able to recover these?

Regards,
Erwan

#3 joakim


    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen

Posted 29 May 2013 - 10:50 PM

Yes, all the code is there to extract anything that has a valid MFT record that can provide a valid datarun list. Identifying deleted files is a matter of identifying a flag in the record header. This particular tool was never meant to be dealing with deleted files. For that I made other tools.


Maybe you find it interesting, my $LogFile parser. Among other things, it is able to reconstruct all datarun information found in the $LogFile. So you can, under certain circumstances, recover files that have their $MFT record overwritten. It has its limitations though. Read more: http://code.google.c...i/LogFileParser
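
Added example, not part of the original thread and not RawCopy's own code: the two checks described in post #3, written in Python for forensic triage. It reads the in-use flag from an MFT FILE record header and decodes a datarun list into cluster extents. The header bytes and run list are constructed samples, and the function names are illustrative.

```python
import struct

FLAG_IN_USE = 0x0001     # clear means the record belongs to a deleted file
FLAG_DIRECTORY = 0x0002

def record_state(record: bytes) -> dict:
    """Read the 16-bit flags word at offset 0x16 of an MFT FILE record."""
    if len(record) < 0x18 or record[:4] != b"FILE":
        raise ValueError("not a FILE record header")
    (flags,) = struct.unpack_from("<H", record, 0x16)
    return {"in_use": bool(flags & FLAG_IN_USE),
            "directory": bool(flags & FLAG_DIRECTORY)}

def decode_dataruns(runlist: bytes) -> list:
    """Decode a non-resident attribute's run list into (start_lcn, clusters).

    start_lcn is None for a sparse run, which occupies no clusters on disk.
    """
    runs, pos, lcn = [], 0, 0
    while pos < len(runlist) and runlist[pos] != 0x00:   # 0x00 ends the list
        len_size, off_size = runlist[pos] & 0x0F, runlist[pos] >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(runlist):
            raise ValueError("malformed data run list")
        count = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, count))
            continue
        # The offset is signed and relative to the previous run's start LCN.
        lcn += int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
        pos += off_size
        if lcn < 0:
            raise ValueError("run starts before the beginning of the volume")
        runs.append((lcn, count))
    return runs

def sample_header(flags: int) -> bytes:
    """Constructed 48-byte header with only the signature and flags set."""
    hdr = bytearray(48)
    hdr[:4] = b"FILE"
    struct.pack_into("<H", hdr, 0x16, flags)
    return bytes(hdr)

# Constructed run list: 24 clusters at LCN 22068, 16 clusters 16 LCNs earlier
# (a fragmented file), then an 8-cluster sparse run.
SAMPLE_RUNLIST = bytes.fromhex("21183456" "1110F0" "0108" "00")

if __name__ == "__main__":
    print(record_state(sample_header(0x0000)))   # deleted file record
    print(decode_dataruns(SAMPLE_RUNLIST))
```

Multiplying each start LCN by the volume's bytes-per-cluster gives the disk offset of that extent, which is how a fragmented file is reassembled from raw reads.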
