File Name: RawCopy
File Submitter: joakim
File Submitted: 29 May 2013
File Updated: 16 Dec 2013
File Category: Tools
RawCopy is a file copier for NTFS that uses low level disk reading, and resolves data clusters by parsing the $MFT. It should be able to copy any file off the volume. Even those locked by the system like the registry hives, or the NTFS systemfiles like $MFT and $LogFile etc. It effectively bypass all filesystem security.
- Source file can be given filepath and filename. Or it can be reference by the IndexNumber (MFT reference number/inode).
- Output directory must exist.
- Also there is a an option to also extract all attributes, not just $DATA. This is nice if you want to look at non-resident $Bitmap, $EA, $INDEX_ALLOCATION etc, that may also be fragmented, meaning not many tools will let you extract these.
Example copying C:\file.ext to E:\out:
RawCopy C:\file.ext E:\outExample copying C:\WINDOWS\system32\config\SAM to F:\reg with all attributes including $DATA
RawCopy C:\WINDOWS\system32\config\SAM F:\reg -AllAttrExample copying IndexNumber 20112 from C: volume to D:\bak only $DATA attribute
RawCopy C:20112 D:\bak
Click here to download this file