
I am trying to view an NTFS master file table. Each tool I have used so far extracts all of the entries, but puts non-standard headers such as STANDARD_INFORMATION_ON instead of, say, $STANDARD_INFORMATION.

I have tried MFT2CSV, ntfswalk64, and MFT_Parser, but I would like a tool that gives me the MFT in a rawer format, so I can see the entries as they are supposed to be, even if I can't read the timestamps without decoding.

Does anyone know a more accurate and rawer tool?

makerofthings7
Ninja2k
  • maybe MFTRCRD is what you are looking for http://superuser.com/questions/973547/how-can-i-display-all-8-ntfs-timestamps – barlop Sep 15 '15 at 22:03

2 Answers


Try this PDF: NTFS Forensics: A Programmers View of Raw Filesystem Data Extraction by Jason Medeiros, Grayscale Research 2008

It should answer your questions. Also, you can read your image with a Hex editor... Well, good luck with that.

TildalWave
Chris
  • I am looking for a tool that is already built. I understand the structure of NTFS, but the tools at hand are not using standard naming conventions for the structure of the MFT. – Ninja2k May 24 '13 at 21:35
  • This is more or less a link-only answer and as such discouraged. It would be nice if you could describe what parts of the document to pay attention to and in what ways it helps answer the question. Adding short excerpts from the linked document to your answer is permissible, if it helps you get your point across. Thanks! – TildalWave May 24 '13 at 22:37
  • A link to the same document: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.169.1973 – Robert Lugg Feb 12 '21 at 22:34

I wrote a tool that parses $MFT records, and the entire $MFT file. If you're able to read and write Python, it'd be relatively easy to dump out whatever artifacts you want in whatever form you want them in. The code is here:

https://github.com/dkovar/analyzeMFT

DKovar
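To show what "dump out whatever artifacts you want" looks like in practice, here is an added example (not analyzeMFT's code and not part of this thread): a minimal Python parser for one 1024-byte $MFT FILE record that applies the update sequence fixups, walks the attribute chain, labels attributes with the names NTFS itself uses in $AttrDef, and decodes the four $STANDARD_INFORMATION FILETIMEs. The sample record it parses is constructed in-line, not taken from a real volume; the USN value 7 and the "hello" $DATA content are arbitrary.

```python
import struct
from datetime import datetime, timedelta, timezone

ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA", 0x90: "$INDEX_ROOT", 0xA0: "$INDEX_ALLOCATION"}
RES_HDR = "<IIBBHHHIHBB"  # resident attribute header: type, length, non-resident flag, name len, name off, flags, id, content len, content off, indexed, pad

def filetime_to_iso(ft):  # FILETIME is 100 ns ticks since 1601-01-01 UTC
    return (datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)).isoformat()

def apply_fixups(record, sector=512):
    """Undo the update sequence array: each sector's last word holds the USN on disk; the real bytes sit in the array."""
    rec = bytearray(record)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        end = i * sector
        if rec[end - 2:end] != usn:  # torn write or corruption: the record cannot be trusted
            raise ValueError("USN mismatch in sector %d" % (i - 1))
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_record(record):
    """Walk one FILE record's attribute chain, naming attributes as $AttrDef does and decoding FILETIMEs."""
    assert record[:4] == b"FILE", "not a FILE record"
    rec = apply_fixups(record)
    off, flags = struct.unpack_from("<HH", rec, 0x14)  # first attribute offset, record flags (bit 0 = in use)
    out = {"in_use": bool(flags & 1), "attributes": []}
    while struct.unpack_from("<I", rec, off)[0] != 0xFFFFFFFF:  # end-of-attributes marker
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        entry = {"type": ATTR_NAMES.get(atype, "0x%X" % atype), "resident": not nonres}
        if not nonres:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            if atype == 0x10:  # four FILETIMEs: created, modified, MFT modified, accessed
                ts = struct.unpack_from("<4Q", rec, off + coff)
                entry["times"] = dict(zip(("created", "modified", "mft_modified", "accessed"), map(filetime_to_iso, ts)))
        out["attributes"].append(entry)
        off += alen
    return out

def build_sample_record(usn=7):
    """Constructed 1024-byte record (not from a real volume): $STANDARD_INFORMATION plus a resident $DATA."""
    si_body = struct.pack("<4Q", *(116444736000000000 + 10_000_000 * k for k in range(4))) + bytes(16)  # 1970-01-01Z + k s
    si = struct.pack(RES_HDR, 0x10, 24 + len(si_body), 0, 0, 0x18, 0, 0, len(si_body), 24, 0, 0) + si_body
    data = struct.pack(RES_HDR, 0x80, 32, 0, 0, 0x18, 0, 1, 5, 24, 0, 0) + b"hello" + bytes(3)
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHIH", 0x30, 3, 0, 1, 1, 0x38, 1, 0, 1024, 0, 2, 0, 0, usn)
    rec = bytearray((hdr.ljust(0x38, b"\0") + si + data + b"\xff\xff\xff\xff").ljust(1024, b"\0"))
    for i in (1, 2):  # save each sector's last word into the array, then stamp the USN over it
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[512 * i - 2:512 * i]
        rec[512 * i - 2:512 * i] = struct.pack("<H", usn)
    return bytes(rec)
```

Feed `parse_record` 1024-byte slices of a real $MFT dump and it will name the attributes the way the on-disk structures do; a USN mismatch is exactly the case where a tool silently showing "clean" entries would mislead you.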