Hi Folks,
Yes, yet another MFT parser when there are so many out there.
Thus, the idea here is to work on one aspect touched on here (file extents and clusters/sectors used by one file): resident files (small files stored in the MFT and therefore not reported as actually occupying a cluster/sector on disk).
NTFS and MFT are extensively documented out there - parsing the MFT is rather straightforward, so the source code I share does no magic and reuses lots of the existing knowledge.
Output is simple for now and more (or less) fields could be added.
For now I have given a particular focus to: resident (true/false) and location (vcn for a non-resident file, byte offset for a resident one).
The idea is to possibly lead this code/tool to something which may suit this community and/or merge into other existing tools.
Output looks like below.
Command line can take one extra param: a filename to filter upon (mft-win32.exe g: pippo.txt).
Below, one can see that pippo.txt is resident, located at 0xC0009D48 (8 bytes).
    >mft-win32.exe g:
    This is a NTFS disk.
    Bytes Per Sector : 512
    Sectors Per Cluster : 8
    Bytes Per Cluster : 4096
    Size : 274877840896 bytes
    Bytes Per File Record : 1024
    MFT Location : $C0000000
    MFT Data Read : 1024 Bytes
    MFT Size : 63 Clusters
    MFT Size : 258048 bytes
    Number of Records : 252
    Tree structure requested :
    Initializing data container...
    Scanning for files, Please wait...
    fileName|filepath|FileSize|FileCreationTime|FileChangeTime|CurrentRecordLocator|resident|location
    $Tops|g:\$Exten\$RmMetadat\$TxfLo\|100|16/02/2019 19:11:02|16/02/2019 19:11:02|0xC0007C00|True|0xC0007D18
    $TxfLog.bl|g:\$Exten\$RmMetadat\$TxfLo\|65536|16/02/2019 19:11:02|24/03/2019 17:53:35|0xC0008000|False|vcn=11
    $TxfLogContainer00000000000000000001|g:\$Exten\$RmMetadat\$TxfLo\|10485760|16/02/2019 19:11:02|24/03/2019 17:53:35|0xC0008400|False|vcn=3028
    $TxfLogContainer00000000000000000002|g:\$Exten\$RmMetadat\$TxfLo\|10485760|16/02/2019 19:11:02|16/02/2019 19:14:35|0xC0008800|False|vcn=3038
    desktop.in|g:\$RECYCLE.BIN\S-1-5-21-2427513087-2265021005-1965656450-1001\|129|16/02/2019 19:12:19|16/02/2019 19:12:19|0xC0009800|True|0xC0009920
    pippo.txt|g:\|8|03/04/2019 20:43:23|03/04/2019 20:43:23|0xC0009C00|True|0xC0009D48
    $RCBMUME.txt|g:\$RECYCLE.BIN\S-1-5-21-2427513087-2265021005-1965656450-1001\|0|04/04/2019 20:59:11|04/04/2019 20:59:11|0xC000A000|True|0xC000A128
    $ICBMUME.txt|g:\$RECYCLE.BIN\S-1-5-21-2427513087-2265021005-1965656450-1001\|544|04/04/2019 20:59:51|04/04/2019 20:59:51|0xC000A400|True|0xC000A528
    1kb.tx|g:\|1056|06/04/2019 15:32:50|06/04/2019 15:34:11|0xC000A800|False|vcn=37
    All File Records Analyzed (252) - Found
Source code and binary are shared on GitHub here.
Regards,
Erwan
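
Added example, not part of the original post and not the code of mft-win32: a Python sketch of how a resident file's byte offset can be derived from one MFT FILE record, by walking its attributes to the unnamed $DATA attribute and adding the record offset, the attribute offset and the content offset. For a non-resident file it returns the starting cluster of the first data run, which is an assumption about what to report. The records are constructed so the results line up with the pippo.txt and 1kb.tx rows above; update-sequence fixups are not applied, and all function names are hypothetical.

```python
import struct

DATA, END = 0x80, 0xFFFFFFFF   # $DATA attribute type, end-of-attributes marker

def locate_data(record: bytes, record_offset: int):
    """Return (resident, location, size) for the unnamed $DATA attribute of one
    FILE record: byte offset on the volume if resident, else first run's cluster."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    pos = struct.unpack_from("<H", record, 0x14)[0]      # first attribute offset
    while pos + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, pos)
        if atype == END:
            break
        if alen < 0x18 or pos + alen > len(record):
            raise ValueError(f"corrupt attribute length at 0x{pos:X}")
        non_resident, name_len = record[pos + 8], record[pos + 9]
        if atype == DATA and name_len == 0:              # ignore named streams
            if not non_resident:
                size, content_off = struct.unpack_from("<IH", record, pos + 0x10)
                return True, record_offset + pos + content_off, size
            run = pos + struct.unpack_from("<H", record, pos + 0x20)[0]
            size = struct.unpack_from("<Q", record, pos + 0x30)[0]
            len_sz, off_sz = record[run] & 0x0F, record[run] >> 4
            start = run + 1 + len_sz                     # skip the run-length field
            lcn = int.from_bytes(record[start:start + off_sz], "little", signed=True)
            return False, lcn, size
        pos += alen
    return None

def attr(atype: int, body: bytes) -> bytes:
    """Prefix a body with the 8-byte attribute type/length fields."""
    return struct.pack("<II", atype, 8 + len(body)) + body

def sample_record(data_attr: bytes) -> bytes:
    """Constructed 1024-byte record: two zero-filled filler attributes, then $DATA."""
    attrs = attr(0x10, bytes(0x58)) + attr(0x30, bytes(0x90)) + data_attr
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x14, 0x38)
    rec[0x38:0x38 + len(attrs)] = attrs
    struct.pack_into("<I", rec, 0x38 + len(attrs), END)
    return bytes(rec)

# Constructed samples: 8 resident bytes; one 1056-byte file in a single cluster run.
RESIDENT = attr(DATA, struct.pack("<BBHHHIHH", 0, 0, 0, 0, 0, 8, 0x18, 0) + b"8 bytes\n")
NON_RESIDENT = attr(DATA, struct.pack("<BBHHHQQHH4xQQQ", 1, 0, 0, 0, 0, 0, 0, 0x40, 0,
                                      4096, 1056, 1056) + b"\x11\x01\x25\x00" + bytes(4))

if __name__ == "__main__":
    print(locate_data(sample_record(RESIDENT), 0xC0009C00))
    print(locate_data(sample_record(NON_RESIDENT), 0xC000A800))
```

In the constructed resident record the $DATA attribute starts at 0x130 and its content at 0x18 within the attribute, so a record read from 0xC0009C00 yields 0xC0009D48.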