
I am trying to view an NTFS master file table. Each tool I have used so far extracts all of the entries, but puts non-standard headers such as STANDARD_INFORMATION_ON instead of, say, $STANDARD_INFORMATION.

I have tried MFT2CSV, ntfswalk64, and MFT_Parser, but I would like a tool that gives me the MFT in a rawer format, so I can see the entries as they are supposed to be, even if I can't read the timestamps without decoding.

Does anyone know a more accurate and rawer tool?


2 Answers


I wrote a tool that parses $MFT records, and the entire $MFT file. If you're able to read and write Python, it'd be relatively easy to dump out whatever artifacts you want in whatever form you want them in. The code is here:

https://github.com/dkovar/analyzeMFT
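As an added example (not code from analyzeMFT or from any tool named in the question), here is a small Python parser that reads one $MFT FILE record, applies the update-sequence fixups, walks the attribute headers and labels each attribute with its canonical $AttrDef name, decoding the $STANDARD_INFORMATION FILETIMEs along the way. It assumes the usual 1024-byte records and 512-byte sectors (a real tool reads both sizes from the boot sector); the record at the bottom is constructed inline with invented values, so nothing in it comes from a real volume.

```python
import struct
from datetime import datetime, timedelta, timezone

ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST", 0x30: "$FILE_NAME", 0x40: "$OBJECT_ID",
              0x50: "$SECURITY_DESCRIPTOR", 0x60: "$VOLUME_NAME", 0x70: "$VOLUME_INFORMATION", 0x80: "$DATA",
              0x90: "$INDEX_ROOT", 0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP", 0xC0: "$REPARSE_POINT",
              0xD0: "$EA_INFORMATION", 0xE0: "$EA", 0x100: "$LOGGED_UTILITY_STREAM"}  # type codes -> $AttrDef names
FT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME = 100 ns ticks since this epoch
def filetime_to_iso(ft):
    return (FT_EPOCH + timedelta(microseconds=ft // 10)).isoformat()
def apply_fixups(rec):  # undo update-sequence fixups: restore each sector's last word from the USA
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    rec, usn = bytearray(rec), rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):                      # USA entry 0 is the USN itself
        if rec[i * 512 - 2:i * 512] != usn:
            raise ValueError("fixup mismatch in sector %d (torn write?)" % (i - 1))
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)
def parse_record(rec):  # walk one FILE record and list its attributes under their canonical names
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record: signature %r" % rec[:4])
    rec = apply_fixups(rec)
    off, attrs = struct.unpack_from("<H", rec, 20)[0], []   # header +20: offset of the first attribute
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:           # end-of-attributes marker
            break
        a = {"type": ATTR_NAMES.get(atype, "0x%X" % atype), "resident": rec[off + 8] == 0}
        if a["resident"]:                              # non-resident content lives in clusters, not in the record
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + coff:off + coff + clen]
            if atype == 0x10:                          # $STANDARD_INFORMATION opens with four FILETIMEs
                a.update(zip(("created", "modified", "mft_modified", "accessed"), map(filetime_to_iso, struct.unpack_from("<4Q", body))))
            elif atype == 0x30:                        # $FILE_NAME: name length at +64, UTF-16LE name at +66
                a["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
        attrs.append(a)
        off += alen
    return attrs

# Constructed 1024-byte sample (not from a real volume): header, USA over two sectors, resident $STANDARD_INFORMATION and $FILE_NAME for "$MFT", end marker.
def _resident(atype, content):
    alen = (24 + len(content) + 7) & ~7                # attribute lengths are 8-byte aligned
    return struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 24, 0, 0, len(content), 24, 0, 0) + content.ljust(alen - 24, b"\0")
T = (datetime(2013, 5, 24, tzinfo=timezone.utc) - FT_EPOCH) // timedelta(microseconds=1) * 10
SI = struct.pack("<4QI", T, T, T, T, 0x06).ljust(48, b"\0")
FN = struct.pack("<7QIIBB", 5 | (5 << 48), T, T, T, T, 0, 0, 0x06, 0, 4, 3) + "$MFT".encode("utf-16-le")
BODY = _resident(0x10, SI) + _resident(0x30, FN) + b"\xff\xff\xff\xff"
HDR = struct.pack("<4sHHQHHHHIIQH", b"FILE", 48, 3, 0, 1, 1, 56, 1, 56 + len(BODY), 1024, 0, 3)
RAW = ((HDR.ljust(48, b"\0") + b"\x01\x00" + b"\0" * 4).ljust(56, b"\0") + BODY).ljust(1024, b"\0")
SAMPLE = RAW[:510] + b"\x01\x00" + RAW[512:1022] + b"\x01\x00"   # USN stamped over each sector's last word
```

Running parse_record over every 1024-byte slice of a dumped $MFT gives the attribute list per entry; a fixup mismatch on a real record usually means a torn write or a record that was never used.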


Try this PDF: NTFS Forensics: A Programmers View of Raw Filesystem Data Extraction by Jason Medeiros, Grayscale Research, 2008

It should answer your questions. Also, you can read your image with a Hex editor... Well, good luck with that.

  • I am looking for a tool that is already built. I understand the structure of NTFS, but the tools at hand are not using standard naming conventions for the structure of the MFT.
    – Ninja2k
    Commented May 24, 2013 at 21:35
  • This is more or less a link-only answer and as such discouraged. It would be nice if you could describe what parts of the document to pay attention to and in what ways it helps answer the question. Adding short excerpts from the linked document to your answer is permissible, if it helps you get your point across. Thanks!
    – TildalWave
    Commented May 24, 2013 at 22:37
  • A link to the same document: citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.169.1973
    Commented Feb 12, 2021 at 22:34
