forked from ignacioj/mftf

$MFT parser (from live systems or a copy of the $MFT) and raw file copy utility


elafonizi/mftf

 
 


Searches and copies files and ADSs by parsing the $MFT and reading the data directly from the clusters.

Two timeline formats are supported for building the timeline ($SI and $FN times) of a live or offline $MFT (30 seconds for 900k records):

Option -tl: Date\tTime\t[MACB]\tfilename\trecord\tsize
Option -l2t (Plaso/log2timeline): datetime,timestamp_desc,source,source_long,message,parser,display_name,tag,store_number,store_index

The output can be filtered by a "from" date and/or a "to" date.

The tool can parse the $MFT from a live system, from a mounted (read-only included) logical drive or from a copy of the $MFT.

Deleted files and folders have their path with the prefix "?".

It can copy files by filename, or files and ADSs using the references given in the search results.

The copy is made by reading the data from the clusters, so protected system files and files in use can be copied (imports from "kernel32.dll": CloseHandle, CreateFile, ReadFile, SetFilePointerEx).

The initial delay is due to the creation of a dictionary with full file paths.

Examples:

Sparse chunks are not copied. This is very useful when copying $UsnJrnl:$J. Here the real size of the $J was 19 GB but only 470 MB had content, while the rest were sparse chunks; the final file was only 470 MB in size:

mftf -cp c:\$extend\$usnjrnl:$j -n d:\data\$j.dat

FS: NTFS
Sector size: 512 bytes
Cluster size: 8 sectors
Starting cluster of the MFT: 4 [Offset: 0x4000]
Records: 602,919
Writing run length: 0 [Real file size: 18,988,733,296 bytes].
Sparse chunk not saved: 0 bytes.
Writing run length: 0 [Real file size: 18,988,733,296 bytes].
Sparse chunk not saved: 0 bytes.
Writing run length: 69,926,912 [Real file size: 18,988,733,296 bytes].
Writing run length: 109,260,800 [Real file size: 18,988,733,296 bytes].
Writing run length: 33,017,856 [Real file size: 18,988,733,296 bytes].
...........

In this example the file has four $FN attributes and two ADSs, and its Attribute List points to another record:

mftf -d c -i 623677

Record: 623677 [Attribute List points to records numbers: 623745]
[File]  \\_SMSVC~1.INI
[File]  \\_SMSvcHostPerfCounters_D.ini
[File]  \\_SMSvcHostPerfCounters_D.ini
[File]  \\_SMSvcHostPerfCounters_D.ini
SI[MACB]: 2014/02/18 07:51:58.3286194   2014/02/18 07:51:58.3286194   2014/08/23 12:01:53.1659607   2014/02/18 07:51:58.3286194
FN[MACB]: 2014/02/18 07:51:58.3286194   2014/02/18 07:51:58.3286194   2014/02/18 07:51:58.3286194   2014/02/18 07:51:58.3286194
FN[MACB]: 2014/02/18 07:51:58.3286194   2014/02/18 07:51:58.3286194   2014/02/18 07:51:58.3286194   2014/02/18 07:51:58.3286194
FN[MACB]: 2014/02/18 07:51:58.3286194   2014/02/18 07:51:58.3286194   2014/02/18 07:52:00.2179972   2014/02/18 07:51:58.3286194
FN[MACB]: 2014/02/18 07:51:58.3286194   2014/02/18 07:51:58.3286194   2014/08/23 12:01:53.1503598   2014/02/18 07:51:58.3286194
Reference: 623677:128-1 [Size: 41 bytes|| Size on disk: 0 bytes]
[ADS] Name: hmx33t [Reference: 623677:128-2 || Size: 1069547520 bytes]
[ADS] Name: Zone.Identifier [Reference: 623677:128-3 || Size: 23 bytes]

The same file in the timeline format, with the dates and times of every $FN attribute. The dates and times shown for the ADSs are those of the $SI attribute.

mftf -d c -f "_SMSvcHostPerfCounters_D" -t

Filetime,[MACB],filename,record,size
2014/02/18 07:51:58.3286194,SI[MA.B],\\_SMSvcHostPerfCounters_D.ini,623677,41
2014/08/23 12:01:53.1659607,SI[..C.],\\_SMSvcHostPerfCounters_D.ini,623677,41
2014/02/18 07:51:58.3286194,FN[MACB],\\_SMSvcHostPerfCounters_D.ini,623677,41
2014/02/18 07:51:58.3286194,FN[MA.B],\\_SMSvcHostPerfCounters_D.ini,623677,41
2014/02/18 07:52:00.2179972,FN[..C.],\\_SMSvcHostPerfCounters_D.ini,623677,41
2014/08/23 12:01:53.1503598,FN[..C.],\\_SMSvcHostPerfCounters_D.ini,623677,41
2014/02/18 07:51:58.3286194,SI[MA.B],\\_SMSvcHostPerfCounters_D.ini:hmx33t,623677,1069547520
2014/08/23 12:01:53.1659607,SI[..C.],\\_SMSvcHostPerfCounters_D.ini:hmx33t,623677,1069547520
2014/02/18 07:51:58.3286194,SI[MA.B],\\_SMSvcHostPerfCounters_D.ini:Zone.Identifier,623677,23
2014/08/23 12:01:53.1659607,SI[..C.],\\_SMSvcHostPerfCounters_D.ini:Zone.Identifier,623677,23

Inspect resident files (the data of a small file is stored inside its $MFT record rather than in clusters):

Record: 36112
[File]  \\BuildDLL.bat
SI[MACB]: 2007-03-10 21:06:30.0000000   2015-04-11 11:08:03.8517259   2015-04-11 11:08:03.8517259   2014-11-02 20:47:35.2054110
FN[MACB]: 2007-03-10 21:06:30.0000000   2015-04-11 11:08:03.8517259   2015-04-11 11:08:03.8517259   2014-11-02 20:47:35.2054110
Reference: 36112:128-1 [Size: 233 bytes|| Size on disk: 0 bytes]

mftf -d d -w 36112

Unit: D:
FS: NTFS
Sector size: 512 bytes
Cluster size: 8 sectors
Starting cluster of the MFT: 786432 [Offset: 0xC0000000]
000 - 46 49 4C 45 30 00 03 00 ED FB 2F 21 00 00 00 00 FILE0...íû/!....
010 - 02 00 01 00 38 00 01 00 20 02 00 00 00 04 00 00 ....8... .......
020 - 00 00 00 00 00 00 00 00 05 00 00 00 10 8D 00 00 ................
030 - 0B 00 72 20 00 00 00 00 10 00 00 00 60 00 00 00 ..r ........`...
040 - 00 00 00 00 00 00 00 00 48 00 00 00 18 00 00 00 ........H.......
050 - 5E 65 1E 3B DE F6 CF 01 00 CF 58 F9 57 63 C7 01 ^e.;_öI..IXùWcÇ.
060 - 0B E2 DE C7 47 74 D0 01 0B E2 DE C7 47 74 D0 01 .â_ÇGtD..â_ÇGtD.
070 - 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
080 - 00 00 00 00 17 01 00 00 00 00 00 00 00 00 00 00 ................
090 - B8 58 41 02 00 00 00 00 30 00 00 00 78 00 00 00 ,XA.....0...x...
0A0 - 00 00 00 00 00 00 04 00 5A 00 00 00 18 00 01 00 ........Z.......
0B0 - 0F 8D 00 00 00 00 02 00 5E 65 1E 3B DE F6 CF 01 ........^e.;_öI.
0C0 - 00 CF 58 F9 57 63 C7 01 0B E2 DE C7 47 74 D0 01 .IXùWcÇ..â_ÇGtD.
0D0 - 0B E2 DE C7 47 74 D0 01 F0 00 00 00 00 00 00 00 .â_ÇGtD.d.......
0E0 - E9 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 é....... .......
0F0 - 0C 03 42 00 75 00 69 00 6C 00 64 00 44 00 4C 00 ..B.u.i.l.d.D.L.
100 - 4C 00 2E 00 62 00 61 00 74 00 00 00 00 00 00 00 L...b.a.t.......
110 - 80 00 00 00 08 01 00 00 00 00 18 00 00 00 01 00 ?...............
120 - E9 00 00 00 18 00 00 00 40 65 63 68 6F 20 6F 66 é.......@echo of
130 - 66 0D 0A 0D 0A 69 66 20 65 78 69 73 74 20 74 45 f....if exist tE
140 - 4C 6F 63 6B 2E 6F 62 6A 20 64 65 6C 20 74 45 4C Lock.obj del tEL
150 - 6F 63 6B 2E 6F 62 6A 0D 0A 69 66 20 65 78 69 73 ock.obj..if exis
160 - 74 20 74 45 4C 6F 63 6B 2E 64 6C 6C 20 64 65 6C t tELock.dll del
170 - 20 74 45 4C 6F 63 6B 2E 64 6C 6C 0D 0A 0D 0A 5C  tELock.dll....\
180 - 54 61 73 6D 5C 62 69 6E 5C 74 61 73 6D 33 32 20 Tasm\bin\tasm32
190 - 2F 6D 6C 20 2F 6D 20 74 45 4C 6F 63 6B 2E 61 73 /ml /m tELock.as
1A0 - 6D 0D 0A 5C 54 61 73 6D 5C 62 69 6E 5C 74 6C 69 m..\Tasm\bin\tli
1B0 - 6E 6B 33 32 20 2F 54 70 64 20 2F 61 61 20 2F 63 nk32 /Tpd /aa /c
1C0 - 20 2F 56 34 2E 30 20 2F 78 20 74 45 4C 6F 63 6B  /V4.0 /x tELock
1D0 - 2C 74 45 4C 6F 63 6B 2C 2C 63 3A 5C 74 61 73 6D ,tELock,,c:\tasm
1E0 - 5C 6C 69 62 5C 69 6D 70 6F 72 74 33 32 2C 74 45 \lib\import32,tE
1F0 - 4C 6F 63 6B 2E 64 65 66 0D 0A 0D 0A 64 69 0B 00 Lock.def....di..
200 - 74 45 4C 6F 63 6B 2E 2A 0D 0A 70 61 75 73 65 0D tELock.*..pause.
210 - 0A 00 00 00 00 00 00 00 FF FF FF FF 82 79 47 11 ........ÿÿÿÿ,yG.
220 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
230 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
240 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
250 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
260 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
270 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
280 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
290 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2A0 - FF FF FF FF 82 79 47 11 00 00 00 00 00 00 00 00 ÿÿÿÿ,yG.........
2B0 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2C0 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2D0 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2E0 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2F0 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
300 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
310 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
320 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
330 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
340 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
350 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
360 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
370 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
380 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
390 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3A0 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3B0 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3C0 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3D0 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3E0 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3F0 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0B 00 ................
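The dump above is the raw 1 KiB FILE record: the 0B 00 at offsets 0x1FE and 0x3FE is the update sequence number written over the last two bytes of each sector, and the original bytes for the first sector (72 20, "r ") are stored at 0x32. The parser below is an added example written here, not mftf's own code: it applies those fixups, walks the resident attributes and recovers the timestamps, file name and batch file content from the record bytes transcribed from the dump (the unused tail of the record is zero-padded, which is an assumption).

```python
import struct
from datetime import datetime, timedelta, timezone
# FILE record 36112 (BuildDLL.bat), bytes 0x000-0x21F transcribed from the page's "mftf -d d -w 36112" dump;
# the unused tail of the 1 KiB record is zero-padded here (constructed), keeping the 0B 00 fixup word at 0x3FE.
RECORD = bytes.fromhex("""
46494C4530000300EDFB2F2100000000 02000100380001002002000000040000 000000000000000005000000108D0000 0B007220000000001000000060000000
00000000000000004800000018000000 5E651E3BDEF6CF0100CF58F95763C701 0BE2DEC74774D0010BE2DEC74774D001 20000000000000000000000000000000
00000000170100000000000000000000 B8584102000000003000000078000000 00000000000004005A00000018000100 0F8D0000000002005E651E3BDEF6CF01
00CF58F95763C7010BE2DEC74774D001 0BE2DEC74774D001F000000000000000 E9000000000000002000000000000000 0C034200750069006C00640044004C00
4C002E00620061007400000000000000 80000000080100000000180000000100 E900000018000000406563686F206F66 660D0A0D0A6966206578697374207445
4C6F636B2E6F626A2064656C2074454C 6F636B2E6F626A0D0A69662065786973 742074454C6F636B2E646C6C2064656C 2074454C6F636B2E646C6C0D0A0D0A5C
5461736D5C62696E5C7461736D333220 2F6D6C202F6D2074454C6F636B2E6173 6D0D0A5C5461736D5C62696E5C746C69 6E6B3332202F547064202F6161202F63
202F56342E30202F782074454C6F636B 2C74454C6F636B2C2C633A5C7461736D 5C6C69625C696D706F727433322C7445 4C6F636B2E6465660D0A0D0A64690B00
74454C6F636B2E2A0D0A70617573650D 0A00000000000000FFFFFFFF82794711
""")
RECORD += b"\x00" * (0x400 - len(RECORD) - 2) + b"\x0b\x00"

def filetime(ft):  # 100 ns ticks since 1601-01-01 -> timezone-aware UTC datetime
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)
def apply_fixups(raw, sector=512):
    # Undo the update sequence array: each sector must end in the USN (else the record is torn or tampered with)
    usa_off, usa_len = struct.unpack_from("<HH", raw, 4)
    usn, rec = raw[usa_off:usa_off + 2], bytearray(raw)
    for i in range(1, usa_len):
        end = i * sector - 2
        if rec[end:end + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        rec[end:end + 2] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]  # put back the bytes the USN overwrote
    return bytes(rec)
def parse_record(raw):
    # Walk the resident attributes of one record: $SI times, $FN name and the unnamed $DATA body.
    if raw[:4] != b"FILE": raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    off, _flags, used = struct.unpack_from("<HHI", rec, 0x14)
    out = {"record": struct.unpack_from("<I", rec, 0x2C)[0]}
    while off + 0x18 <= used:
        atype, alen, nonres, nlen = struct.unpack_from("<IIBB", rec, off)
        if atype == 0xFFFFFFFF or alen < 0x18:  # end marker, or a bogus length that would loop forever
            break
        if not nonres:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == 0x10:    # $STANDARD_INFORMATION: created, modified, MFT-modified, accessed
                out["si"] = [filetime(t) for t in struct.unpack_from("<4Q", body)]
            elif atype == 0x30:  # $FILE_NAME: name length at 0x40, UTF-16LE name from 0x42
                out["fn_name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
            elif atype == 0x80 and nlen == 0:  # unnamed $DATA is the file itself; named ones are ADSs
                out["data"] = body
        off += alen
    return out
```

The "dir tELock.*" line in the recovered batch file only reads correctly after the fixup, which is why a parser that skips the update sequence check silently returns corrupted content.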


Languages

  • C# 100.0%