Yet another MFT parser


5 replies to this topic

#1 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2747 posts
  • Location:Nantes - France
  •  
    France

Posted 06 April 2019 - 06:29 PM

Hi Folks,

 

Yes, yet another MFT parser when there are so many out there :)

 

Thus, the idea here is to work on one aspect touched here (file extents and clusters/sectors used by one file): resident files (small files stored in the MFT and therefore not reported as actually occupying a cluster/sector on disk).

 

NTFS and MFT are extensively documented out there - parsing the MFT is rather straightforward, so the source code I share does no magic and reuses lots of the existing knowledge.

 

Output is simple for now and more (or less) fields could be added.

 

For now I have given a particular focus to: resident (true/false) and location (vcn for a non-resident file, byte offset for a resident one).

The idea is to possibly lead this code/tool to something which may suit this community and/or merge into other existing tools.

 

Output looks like below.

The command line can take one extra param: a filename to filter upon (mft-win32.exe g: pippo.txt).

 

Below, one can see that pippo.txt is resident, located at 0xC0009D48 (8 bytes).

>mft-win32.exe g:
This is a NTFS disk.
Bytes Per Sector : 512
Sectors Per Cluster : 8
Bytes Per Cluster : 4096
Size : 274877840896 bytes
Bytes Per File Record : 1024
MFT Location : $C0000000
MFT Data Read : 1024 Bytes
MFT Size : 63 Clusters
MFT Size : 258048 bytes
Number of Records : 252
Tree structure requested : Initializing data container...
Scanning for files, Please wait...
fileName|filepath|FileSize|FileCreationTime|FileChangeTime|CurrentRecordLocator|resident|location
$Tops|g:\$Exten\$RmMetadat\$TxfLo\|100|16/02/2019 19:11:02|16/02/2019 19:11:02|0xC0007C00|True|0xC0007D18
$TxfLog.bl|g:\$Exten\$RmMetadat\$TxfLo\|65536|16/02/2019 19:11:02|24/03/2019 17:53:35|0xC0008000|False|vcn=11
$TxfLogContainer00000000000000000001|g:\$Exten\$RmMetadat\$TxfLo\|10485760|16/02/2019 19:11:02|24/03/2019 17:53:35|0xC0008400|False|vcn=3028
$TxfLogContainer00000000000000000002|g:\$Exten\$RmMetadat\$TxfLo\|10485760|16/02/2019 19:11:02|16/02/2019 19:14:35|0xC0008800|False|vcn=3038
desktop.in|g:\$RECYCLE.BIN\S-1-5-21-2427513087-2265021005-1965656450-1001\|129|16/02/2019 19:12:19|16/02/2019 19:12:19|0xC0009800|True|0xC0009920
pippo.txt|g:\|8|03/04/2019 20:43:23|03/04/2019 20:43:23|0xC0009C00|True|0xC0009D48
$RCBMUME.txt|g:\$RECYCLE.BIN\S-1-5-21-2427513087-2265021005-1965656450-1001\|0|04/04/2019 20:59:11|04/04/2019 20:59:11|0xC000A000|True|0xC000A128
$ICBMUME.txt|g:\$RECYCLE.BIN\S-1-5-21-2427513087-2265021005-1965656450-1001\|544|04/04/2019 20:59:51|04/04/2019 20:59:51|0xC000A400|True|0xC000A528
1kb.tx|g:\|1056|06/04/2019 15:32:50|06/04/2019 15:34:11|0xC000A800|False|vcn=37
All File Records Analyzed (252) - Found

Source code and binary are shared on github here.

 

Regards,
Erwan



#2 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2747 posts
  • Location:Nantes - France
  •  
    France

Posted 01 May 2019 - 05:01 PM

Brought some additions ...

 

mft-parse x: [a_filename_substring|*] [datarun] [deleted]

 

A few examples below.

 

All files on F:

>mft-win32.exe f:
***************************************
This is a NTFS disk.
Bytes Per Sector : 512
Sectors Per Cluster : 8
Bytes Per Cluster : 4096
Size : 535821312 bytes
Bytes Per File Record : 1024
MFT Location : $AA55000
MFT Data Read : 1024 Bytes
MFT Size : 63 Clusters - 258048 bytes
MFT is contiguous
Number of Records : 252
***************************************
Tree structure requested : Initializing data container...
Scanning for files, Please wait...
***************************************
mft_record_no|fileName|filepath|FileSize|FileCreationTime|FileChangeTime|CurrentRecordLocator|resident|location
31|$Tops|f:\$Exten\$RmMetadat\$TxfLo\|100|26/04/2019 19:25:49|26/04/2019 19:25:49|0x0AA5CC00|True|0x0AA5CD18
32|$TxfLog.bl|f:\$Exten\$RmMetadat\$TxfLo\|65536|26/04/2019 19:25:49|26/04/2019 19:25:49|0x0AA5D000|False|N/A
33|$TxfLogContainer00000000000000000001|f:\$Exten\$RmMetadat\$TxfLo\|2097152|26/04/2019 19:25:49|26/04/2019 19:25:49|0x0AA5D400|False|N/A
34|$TxfLogContainer00000000000000000002|f:\$Exten\$RmMetadat\$TxfLo\|2097152|26/04/2019 19:25:49|26/04/2019 19:25:49|0x0AA5D800|False|N/A
35|data0.vmdk|f:\|6619136|26/04/2019 19:26:17|27/01/2019 18:42:11|0x0AA5DC00|False|N/A
38|desktop.in|f:\$RECYCLE.BIN\S-1-5-21-2427513087-2265021005-1965656450-1001\|129|26/04/2019 19:26:18|26/04/2019 19:26:18|0x0AA5E800|True|0x0AA5E920
39|DISK 2.lz4|f:\|2508825|26/04/2019 20:35:46|26/04/2019 20:35:23|0x0AA5EC00|False|N/A
40|dyn_.vhd|f:\|52473856|26/04/2019 20:36:16|26/04/2019 20:36:03|0x0AA5F000|False|N/A
41|data2.vmdk|f:\|10682368|26/04/2019 20:37:00|21/03/2019 21:05:11|0x0AA5F400|False|N/A
42|dyn.vh|f:\|77688832|26/04/2019 20:38:14|26/04/2019 20:38:14|0x0AA5F800|False|N/A
44|test.txt|f:\test\|7|01/05/2019 18:13:57|01/05/2019 18:13:57|0x0AA60000|True|0x0AA60120
***************************************
All File Records Analyzed (252) in 16 ms

All deleted files on F:

>mft-win32.exe f: * deleted
***************************************
Tree structure requested : Initializing data container...
Scanning for files, Please wait...
***************************************
mft_record_no|fileName|filepath|FileSize|FileCreationTime|FileChangeTime|CurrentRecordLocator|resident|location
46|toto.txt|f:\test\toto\|7|01/05/2019 18:14:36|01/05/2019 18:14:36|0x0AA60800|True|0x0AA60920
***************************************
All File Records Analyzed (252) in 15 ms

All files on F: containing "test" in the filename

>mft-win32.exe f: test
***************************************
mft_record_no|fileName|filepath|FileSize|FileCreationTime|FileChangeTime|CurrentRecordLocator|resident|location
44|test.txt|f:\test\|7|01/05/2019 18:13:57|01/05/2019 18:13:57|0x0AA60000|True|0x0AA60120
***************************************
All File Records Analyzed (252) in 47 ms

Datarun (i.e. the list of occupied logical clusters on disk) for disk2.img on F:

>mft-win32.exe e: disk2.img datarun
***************************************
DISK2.img
0: Clusters: 0x0F60 LCN: 0xDFF1B9
1: Clusters: 0x1000 LCN: 0x145AA95
2: Clusters: 0x1000 LCN: 0x145BAF5
3: Clusters: 0x1000 LCN: 0x145CB55
4: Clusters: 0x1209 LCN: 0x182EB45
5: Clusters: 0x184A LCN: 0x17306AF
6: Clusters: 0x3E99 LCN: 0x11D4A75
7: Clusters: 0x42A6 LCN: 0xDD272C
8: Clusters: 0x4704 LCN: 0xDE4F89
9: Clusters: 0x4762 LCN: 0xDD69D7
10: Clusters: 0x53D8 LCN: 0x175BBD0
11: Clusters: 0x32D0 LCN: 0xE00129
***************************************
All File Records Analyzed (32508) in 4281 ms

Datarun for disk2.img on F: after it has been deleted

>mft-win32.exe e: disk2.img datarun deleted
***************************************
DISK2.img
0: Clusters: 0x0F60 LCN: 0xDFF1B9
1: Clusters: 0x1000 LCN: 0x145AA95
2: Clusters: 0x1000 LCN: 0x145BAF5
3: Clusters: 0x1000 LCN: 0x145CB55
4: Clusters: 0x1209 LCN: 0x182EB45
5: Clusters: 0x184A LCN: 0x17306AF
6: Clusters: 0x3E99 LCN: 0x11D4A75
7: Clusters: 0x42A6 LCN: 0xDD272C
8: Clusters: 0x4704 LCN: 0xDE4F89
9: Clusters: 0x4762 LCN: 0xDD69D7
10: Clusters: 0x53D8 LCN: 0x175BBD0
11: Clusters: 0x32D0 LCN: 0xE00129
***************************************
All File Records Analyzed (32508) in 4047 ms

Backup $mft for F: (and later analysed more in depth with MFTDump or MFTECmd)

>mft-win32.exe f: !backup!
***************************************
This is a NTFS disk.
Bytes Per Sector : 512
Sectors Per Cluster : 8
Bytes Per Cluster : 4096
Size : 535821312 bytes
Bytes Per File Record : 1024
MFT Location : $AA55000
MFT Data Read : 1024 Bytes
MFT Size : 63 Clusters - 258048 bytes
MFT is contiguous
Number of Records : 252
mft backuped to mft.dmp
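The datarun lists printed above come from the run list ("mapping pairs") stored in a non-resident $DATA attribute, and the vcn shown in the location column of the first post is an index into that list. As an added example (not code from erwan.l's tool), here is a Python decoder for that encoding together with the VCN-to-LCN lookup; the byte string is constructed to reproduce the first two DISK2.img extents above and then adds a backward (negative-delta) run and a sparse run.

```python
from typing import List, Optional, Tuple

# (starting VCN, starting LCN or None for a sparse run, cluster count)
Run = Tuple[int, Optional[int], int]


def decode_data_runs(buf: bytes) -> List[Run]:
    """Parse NTFS mapping pairs. Header byte: low nibble = size of the length
    field, high nibble = size of the LCN-offset field (0 = sparse run). The offset
    is a signed little-endian delta from the previous run's LCN; 0x00 ends the list."""
    runs: List[Run] = []
    pos, vcn, lcn = 0, 0, 0
    while pos < len(buf) and buf[pos] != 0x00:
        len_size, off_size = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(buf):
            raise ValueError(f"malformed run header at offset {pos - 1}")
        count = int.from_bytes(buf[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((vcn, None, count))  # sparse: occupies no clusters on disk
        else:
            lcn += int.from_bytes(buf[pos:pos + off_size], "little", signed=True)
            pos += off_size
            runs.append((vcn, lcn, count))
        vcn += count
    return runs


def vcn_to_lcn(runs: List[Run], vcn: int) -> Optional[int]:
    """Map a virtual cluster number to its logical cluster (None if sparse or out of range)."""
    for start_vcn, lcn, count in runs:
        if start_vcn <= vcn < start_vcn + count:
            return None if lcn is None else lcn + (vcn - start_vcn)
    return None


# Constructed run list: the first two DISK2.img extents printed above (0x0F60 clusters
# at LCN 0xDFF1B9, then 0x1000 at 0x145AA95), then a backward run and a sparse run.
SAMPLE_RUNS = bytes.fromhex(
    "42" "600F" "B9F1DF00"  # 2-byte length, 4-byte offset (+0xDFF1B9)
    "32" "0010" "DCB865"    # 2-byte length, 3-byte offset (+0x65B8DC)
    "21" "10" "00FF"        # 1-byte length, 2-byte offset (-0x100)
    "01" "05"               # sparse run of 5 clusters, no offset field
    "00"                    # end of run list
)

if __name__ == "__main__":
    for i, (vcn, lcn, count) in enumerate(decode_data_runs(SAMPLE_RUNS)):
        where = "sparse" if lcn is None else f"LCN: 0x{lcn:X}"
        print(f"{i}: VCN: 0x{vcn:X} Clusters: 0x{count:04X} {where}")
```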


#3 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14912 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 06 May 2019 - 12:04 PM

IF I may :unsure: .

 

A more logical (to me) syntax would be:

Command [modifiers] targetPath

 

I.e.:

mft-win32.exe f: * deleted

mft-win32.exe e: disk2.img datarun

mft-win32.exe e: disk2.img datarun deleted

 

becoming:

mft-win32.exe /D f:\*

mft-win32.exe /DR e:\disk2.img

mft-win32.exe /D /DR e:\disk2.img

 

Hint ;) :

The Path to the file being the last parameter allows for easy [TAB] autocompletion (standard in command prompt window), rather useful in cases of complex paths.

 

:duff:

Wonko



#4 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2747 posts
  • Location:Nantes - France
  •  
    France

Posted 06 May 2019 - 07:37 PM

IF I may :unsure: .

 

A more logical (to me) syntax would be:

Command [modifiers] targetPath

 

I.e.:

mft-win32.exe f: * deleted

mft-win32.exe e: disk2.img datarun

mft-win32.exe e: disk2.img datarun deleted

 

becoming:

mft-win32.exe /D f:\*

mft-win32.exe /DR e:\disk2.img

mft-win32.exe /D /DR e:\disk2.img

 

Hint ;) :

The Path to the file being the last parameter allows for easy [TAB] autocompletion (standard in command prompt window), rather useful in cases of complex paths.

 

:duff:

Wonko

 

Ah yes right, much better like that indeed.

 

New syntax.

>mft-win32.exe
mft-parse by erwan2212@gmail.com
mft-parse [/DR] [/DT] x: [a_filename_substring|*]
DR stands for datarun i.e clusters used by a file
DT stands for deleted i.e file clusters can be reused by the system


#5 steve6375

steve6375

    Platinum Member

  • Developer
  • 7027 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films,guitars, www.easy2boot.com
  •  
    United Kingdom

Posted 07 May 2019 - 12:36 PM

If you fancy some extra work...

What would be useful for me (and possibly others) is if a utility could report the largest contiguous blocks of free space (i.e. largest run of unused clusters) on an NTFS disk. This would be useful in the case where a user has a highly fragmented NTFS Easy2Boot USB drive and he/she is trying to run WinContig to make a large fragmented file on the USB drive contiguous.

 

A report of the top 5 largest contiguous free spaces would be useful, e.g.

Largest areas of free space on Drive F: are:

5.46GB

3.40GB

1.23GB

870MB

450MB

 

It is my understanding that when copying files, NTFS will always copy files to any unused clusters first.

So I guess if there are unused clusters on the drive, then we are looking for the largest continuous run of unused clusters, but if all the clusters on the NTFS drive are 'dirty' (i.e. deleted clusters), then we are looking for the largest contiguous run of 'dirty' clusters?

 


#6 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2747 posts
  • Location:Nantes - France
  •  
    France

Posted 07 May 2019 - 12:53 PM

If you fancy some extra work...

What would be useful for me (and possibly others) is if a utility could report the largest contiguous blocks of free space (i.e. largest run of unused clusters) on an NTFS disk. This would be useful in the case where a user has a highly fragmented NTFS Easy2Boot USB drive and he/she is trying to run WinContig to make a large fragmented file on the USB drive contiguous.

 

A report of the top 5 largest contiguous free spaces would be useful, e.g.

 

It is my understanding that when copying files, NTFS will always copy files to any unused clusters first.

So I guess if there are unused clusters on the drive, then we are looking for the largest continuous run of unused clusters, but if all the clusters on the NTFS drive are 'dirty' (i.e. deleted clusters), then we are looking for the largest contiguous run of 'dirty' clusters?

 

Yep, I could do that rather easily (I have the code ready).

 

Actually, it may be another command tool as I was also thinking of a tool to tell you if a cluster is free or not.

Since I can report used clusters for a file, even if that file is deleted, via the MFT parser, it would be good to know if the used clusters for a deleted file are actually (re)used or not by the volume.

If yes, you can safely recover the file ... if not, forget about it ...

 

That tool could also report the top X biggest contiguous blocks.
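Both questions above (largest contiguous free areas, and whether a deleted file's clusters have been reused) are answered by reading the volume's $Bitmap, which holds one bit per cluster, least-significant bit first, with 1 meaning allocated. As an added example (not erwan.l's code), this Python finds the top N free runs and checks a deleted file's extents against the bitmap; the bitmap, cluster count and extents are constructed, and the extents use the same (LCN, cluster count) pairs the datarun output prints.

```python
from typing import List, Tuple

Extent = Tuple[int, int]  # (first LCN, cluster count), as printed by the datarun output


def cluster_in_use(bitmap: bytes, lcn: int) -> bool:
    """$Bitmap holds one bit per cluster, least-significant bit first: 1 = allocated."""
    return bool(bitmap[lcn >> 3] & (1 << (lcn & 7)))


def free_runs(bitmap: bytes, total_clusters: int) -> List[Extent]:
    """Walk the bitmap once and collect every maximal run of free clusters.
    total_clusters bounds the scan because the last byte of $Bitmap may carry
    padding bits beyond the end of the volume."""
    runs: List[Extent] = []
    start = None
    for lcn in range(total_clusters):
        if cluster_in_use(bitmap, lcn):
            if start is not None:
                runs.append((start, lcn - start))
                start = None
        elif start is None:
            start = lcn
    if start is not None:
        runs.append((start, total_clusters - start))
    return runs


def largest_free_runs(bitmap: bytes, total_clusters: int, top: int = 5) -> List[Extent]:
    """Top N contiguous free areas, largest first (ties broken by lower LCN)."""
    return sorted(free_runs(bitmap, total_clusters), key=lambda r: (-r[1], r[0]))[:top]


def extents_still_free(bitmap: bytes, extents: List[Extent]) -> bool:
    """True if no cluster of a deleted file's data runs has been reallocated,
    i.e. its content can still be recovered intact from those clusters."""
    return all(not cluster_in_use(bitmap, lcn)
               for first, count in extents for lcn in range(first, first + count))


# Constructed 32-bit bitmap for a volume of 30 clusters (bits 30-31 are padding);
# set bits = clusters 0-2, 12-15, 24 and 31 allocated.
SAMPLE_BITMAP = bytes([0b00000111, 0b11110000, 0b00000000, 0b10000001])
SAMPLE_TOTAL = 30
BYTES_PER_CLUSTER = 4096  # as reported in the volume header above

if __name__ == "__main__":
    print("Largest areas of free space:")
    for first, count in largest_free_runs(SAMPLE_BITMAP, SAMPLE_TOTAL):
        print(f"  {count * BYTES_PER_CLUSTER} bytes ({count} clusters) at LCN 0x{first:X}")
    # A deleted file whose run list said 8 clusters at LCN 0x10: still recoverable?
    print("recoverable:", extents_still_free(SAMPLE_BITMAP, [(0x10, 8)]))
```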





