
View Full Version : NTFS reversing


WaxfordSqueers
April 16th, 2013, 00:48
Wasn't sure where to post this. It's about trying to undo, or partly undo an NTFS file system that has been written over other data.

First the problem. In a state of brain lock, using Comodo Backup, I started a clone operation on an external drive thinking it was creating an image of my disk. I caught it almost immediately, swearing at my own stupidity but also at the stupidity of an app which would allow a write process that could eradicate data without so much as a warning. Such apps should have a stupid notification asking, "do you really want to write over the data on this disk, stupid?"

Ok, I'm the dummy but I have given a great deal of thought as to how much data I could recover and how to go about it. Recovering the data is not critical but my reversing curiosity sees this as a good way to dig into an NTFS system. Most apps pertinent to data recovery that I have tried see the new NTFS partition, marked as primary, and presume nothing is wrong. I do have an app that goes deeper and recovers files but for some reason it messes them up while marking them as good. It is chopping off the front ends of the files.

I am at the bottom end of an NTFS learning curve but I have worked a fair amount with FAT16 and FAT32 recovery, so I have experience with manually repairing and removing partitions.

What I'd like to do is manually remove the NTFS partition added by Comodo Backup. I don't think it had time to do any real damage other than cutting off a lot of the data on the disk into an extended partition, now marked as free space. I think I'd have more luck if I could remove the partition and let a data recovery app have a look.

I am posting here in an attempt to prevent re-discovering the wheel. I don't mind putting in the time required for the learning curve but a few words from someone with experience on NTFS systems could point me in the right direction.

The question is which app to use. In the old days I would have used Norton recovery disks so I could read sector by sector from cylinder one out.

Since it was doing a clone and only had a few seconds of action before I stopped it, I am theorizing that a lot of my old data is still intact and lying there as lost clusters. However, if Comodo wrote over the original MFT, it could be a real chore to recover the data.

Does anyone know off hand if MFTs can be recreated, either manually or with a recovery app? Is it a good idea to kill the new partition and go from there?

Elenil
April 16th, 2013, 01:42
hi waxfordSqueers nice to see you around
Recuva Portable for files? The MFT I don't know; did you make a backup file for this?

Could you find out why the baseprocessstart problems appear? It happened randomly to me.

WaxfordSqueers
April 16th, 2013, 02:29
Quote:
[Originally Posted by Elenil;94548]hi waxfordSqueers nice to see you around
Recuva Portable for files? The MFT I don't know; did you make a backup file for this?

Could you find out why the baseprocessstart problems appear? It happened randomly to me.


Elenil...sorry I did not get back sooner. I just sent you a PM.

I have tried Recuva but it does not seem to have really low level features. I had another app loaded that shows the NTFS partition in different colours but I just did a repair install with win 7 and seem to have lost it. It may have been a system restore earlier that lost it.

I might add a word of warning about boot disks written in Linux. I was using one, from Comodo, and it wrote all over my C:\ partition on win 7. Luckily it only damaged some user files, which I was able to recover, but it messed up other areas of windows.

I have no idea what happened. I allowed it to do a scan of my system from the boot disk and it flagged a file as questionable. According to their manual, you can press on the highlighted error while the scan is going on to get more info about the error. I did that and the scan stopped, with the scanning app disappearing. When I booted back into windows, my program files directories were messed up and a folder in which I keep legacy apps as well.

I just don't trust Linux apps written for Windows, but against my better judgement, I tried one and nearly lost my entire system.

BTW...for anyone interested, you can do a repair install on a Win 7 system but it has to be initiated from within a win 7 installation by hitting setup.exe on the win 7 install disk. You are presented eventually with two choices: one to do an upgrade and another to do a clean install. Pick the upgrade and it will re-install your win 7 installation without harming your existing file system or data.

You may get issues with compatibility and have to reboot to straighten it out. Also, it is better to start setup.exe as admin. I have seen a suggestion to use Vista SP2 compatibility with the admin option checked.

WaxfordSqueers
April 18th, 2013, 15:25
Where's Blabberer? Where's Kayaker...it's too early to be out paddling around unless you have an icebreaker canoe.

Surely someone has an intelligent opinion on this problem, even a dumb opinion will do.

I am quickly arriving at the conclusion that it's not worth the effort to get into NTFS. For one, Microsoft has made the concept of the MFT table, as opposed to the old FAT table, so complex that no one seems to know much about the innards of the system. Like quantum mechanics, NTFS works but no one has any idea why.

For another, any software I have tried just isn't up to the task. Norton Disk Editor won't read USB. I tried another disk editor that claims to be really good, but when they recover an exe file, it has no MZ header. You would think that's the first thing they'd check to be sure they had a valid exe file. I am afraid there are a lot of duffer apps on the net claiming to do things they can't do very well.

On the face of it, NTFS is far too complicated to work. I mean, an MFT file can theoretically expand through a binary tree to take up half the available space on a disk, then it downsizes itself as space is required. Too wild for me. The concept of binary trees is right up there with rocket science and Microsoft can't help themselves when it comes to obfuscating something that should be dead simple. Look at Windows 8. On the other hand, stick with 7, or XP.

I have read a couple of attempts at explaining the MFT structure but even though the explanations are well done, the authors are scratching their heads about what Microsoft means by certain things. I spent months, even tried to learn Russian, so I could repair a disk drive that would not read. A guy's gotta learn that some things are better left alone. Maybe NTFS is one of them. If it crashes, and you don't have a backup, reformat and get on with life.

Aimless
April 18th, 2013, 16:06
I personally use: Stellar Phoenix Windows Recovery. Never disappointed me. Your mileage may vary. What the heck, try it out. Ver 5 is the latest. Cracked black and blue all over the internet. Shouldn't have issues with that.

Have Phun

WaxfordSqueers
April 18th, 2013, 16:49
Quote:
[Originally Posted by Aimless;94557]I personally use: Stellar Phoenix Windows Recovery. Never disappointed me. Your mileage may vary. What the heck, try it out. Ver 5 is the latest. Cracked black and blue all over the internet. Shouldn't have issues with that.

Have Phun


Thanks for the tip, Aimless. I will seek it out. Trouble is, there are not many low level apps that I have seen that understand the MFT process.

I have admitted to being a bonehead for not paying attention when I tried to use a cloning technique for backup, thinking I was making an image. The cloning app ran for only a few seconds before I caught it, but in that time it managed to write something to my drive. It probably wrote over the original MFT and replaced it with the MFT from the drive it was cloning. So, any low level app sees at least two MFTs. One of them returned 4 MFTs, all with different dates, and that seems wrong. I only had a few files on a 500 gig drive, one of them a large backup, and I would think there should have been no more than two MFTs since it was the original file system on the drive.

To complicate matters, the cloning process copied the boot sector of a bootable drive and created a system partition of 100 megs and an active partition of 149 Gigs. I took a chance and had a partition manager remove the partitions to leave me with the full 500 gigs but then Windows complained that the drive needed to be formatted. Low level apps can still read the drive but I think they are confused by the presence of two partitions, or traces of them.

Even at that, using the MFTs it found, the app returned found files that were mainly corrupted. Exes, PDFs and Jpegs had no headers on them, and it was obvious with many of the recovered files that they were simply not even related to the type of file they should be. So, the app was somehow finding what it thought were files but it was not verifying them through their headers, or even a signature.

There was nothing critical on the drive. I am just curious from a reversing POV what can be recovered and what can't.

Something just dawned on me. If it created a 100 meg partition, it probably started writing 100 megs into the drive data. In that case, it will be a mess.

Woodmann
April 18th, 2013, 22:16
Have you tried running the drive manufacturer's software on the drive to see what is wrong with it?

Most of the low level tools I use take days to complete the task. The same should be true with your recovery software. It should take at least a few hours depending on the size of the drive and the amount of content.

http://www.macrium.com
I saw a post in their forum regarding MFT problems and their product repaired the problem.

Woodmann

WaxfordSqueers
April 18th, 2013, 23:48
Quote:
[Originally Posted by Woodmann;94561]Have you tried running the drive manufacturer's software on the drive to see what is wrong with it?

Woodmann


Hey, Woody. The drive is fine; it's the NTFS system. All I need is a format and I'm back in business. Before doing so, I was curious about the NTFS system and if I could reverse it after it became corrupted.

Thanks for the link, I have d/l'd a trial to see how low level it gets.

There is a master file, the MFT, that is roughly the equivalent of the old FAT system. They keep a mirror file that points to various parts of the MFT, theoretically enough to recover it.

I am having several problems and I am pondering whether it is worth retrieving any files. As I said in an earlier post, I stupidly started a clone process while my brain was thinking image file. Don't know why the app did not flag me as to the catastrophic nature of the process, which I knew only too well, but I am used to apps that give you a warning, like "Hey, dummy, this can wipe off any data you have on the drive. Are you sure you want to proceed?" I get such warnings all the time in Windoze for really trivial procedures.

One of the problems is the sheer size of the drive...500 gigs. I have done a fair amount of low level with Norton Disk Editor but that was on drives that were not even a gig in size. When you start manually tracing architecture on NTFS with a drive that large, it can be a daunting process. So I'm looking for apps that might automate the process without getting too high level.

The MFT file is a binary tree and it gets pretty convoluted. I have been reading on it for two days now and it's not making much more sense than when I started. I seem to have lost the link between the bottom of the tree and further along, and it is likely impossible to reconstruct it.

iceland
April 19th, 2013, 12:35
I would have given a try on "ufsexplorer". I was impressed by it once..

bilbo
April 19th, 2013, 16:21
Well, if you are not faint of heart and if you prefer C sources to a lot of words, I would suggest you Ntfsprogs for Windows - unfortunately rather old, in opposition to the continuously updated counterpart for Linux.
It is a way of playing with NTFS in user-mode rather than in kernel mode. Lots of fun!
Best regards, bilbo

Aimless
April 19th, 2013, 20:38
Quote:
[Originally Posted by bilbo;94564]Well, if you are not faint of heart and if you prefer C sources to a lot of words, I would suggest you Ntfsprogs for Windows


Noooooooooo........!!!!!

*FAINTS*


Have Phun

WaxfordSqueers
April 19th, 2013, 23:20
Quote:
[Originally Posted by bilbo;94564]Well, if you are not faint of heart and if you prefer C sources to a lot of words, I would suggest you Ntfsprogs for Windows - unfortunately rather old, in opposition to the continuously updated counterpart for Linux.
It is a way of playing with NTFS in user-mode rather than in kernel mode. Lots of fun!
Best regards, bilbo


Thanks, Bilbo, that's more along the lines of what I was looking for. The aim is to re-create the directory and file structure that was there initially. First, by what I understand so far, I have to find the correct $MFTmirr file and see if I can use it to rebuild the original $MFT file in the right place.

I have been working in XP a lot with this chore, mainly because that's where all my reversing stuff is set up, with my beloved softice. So, an older program is not a problem, unless I have to go back to a win 98 OS to do it.

What I am finding with info I have read so far on MFT files is people talking about them rather than explaining the structure. It's like someone talking about a PE header by giving the header structure and not explaining what each entry does. I have a really good layout of an MFT file, and related files like the logfile, but nothing about the structure on an NTFS system and where the MFT should be located, etc.

Also, many articles written about NTFS presume the drive is bootable with a primary partition. My drive is an external drive used only for storage. Unfortunately, through my own stupidity, I allowed a cloning program to write over the first part of my file system, albeit for a few seconds only, so I don't know what should be there on a freshly formatted NTFS system and what should not.

With regard to faintness of heart, I have traced backwards through ring 0 on the Windows OS using softice to find where a mouse driver was accessed in a DirectX application. Or was that stupidity? I am not in your class as a reverser but I don't mind a challenge provided it makes sense and has 'some' logic to it.

WaxfordSqueers
April 19th, 2013, 23:24
Quote:
[Originally Posted by Aimless;94565]Noooooooooo........!!!!! *FAINTS* Have Phun


I am still looking for the app you suggested. It's tougher these days with all the idiots posting malware, especially with antivirus apps using heuristic analysis going bonkers over something like Gmer.

bilbo
April 20th, 2013, 00:38
Quote:
[Originally Posted by Aimless;94565]
*FAINTS*

FEINTS?

WaxfordSqueers
April 21st, 2013, 03:06
Quote:
[Originally Posted by bilbo;94569]FEINTS?


When Curly from the 3 Stooges exclaimed, "Ain't that quaint", Larry admonished him for using poor English, claiming it's not ain't, it's isn't. Curly may have nyuck, nyucked, I don't recall, but he corrected his statement to "Isn't that quisn't"?

By the same token, shouldn't faint be fisn't? And what's with feint? It is described as feigning a blow, usually to make someone commit so you can hook him on the ear. Boxing is so much fun. Why is there a 'g' in feign and none in feint?

BTW, I found a decent freeware app for examining NTFS file systems...Active@ Disk Editor, and the version I have is 2.1. It seems to be patterned on the old Norton Disk Editor but I have not tried editing with it yet. It did help me track down a large MFT file about 700,000 clusters into my disk but for some reason the drive is not finding it.

The app is laid out in byte offsets from byte one on the partition, like a hex editor, so there is a bit of converting back and forth from hex to decimal, and between sectors and clusters. The app does have drop down windows that allow you to enter values as sectors or clusters. There is a find utility as well but it's slow as molasses.

The confusing thing is that Active@ finds the address of the MFT in cluster 2, which is a mirror file for $MFT. I read the cluster address right off cluster 2 and found the MFT no problem. I don't know if it is intact but apparently chkdsk can use the logfile contained in an MFT or MFTmirror file to reconstruct a bad MFT. I don't want to turn chkdsk loose on anything till I am confident that I have the basic structure intact.

I know better than to be overly optimistic but I am making progress.

Woodmann
April 21st, 2013, 21:56
Quote:
[Originally Posted by bilbo;94564]Well, if you are not faint of heart and if you prefer C sources to a lot of words, I would suggest you Ntfsprogs for Windows
Noooooooooo........!!!!!

*FAINTS*



Methinks he means don't use ntfsprogs.

Woodmann

Then again, Larry once asked Moe why his hand was itchy,
Moe replied "because it's dirty" and proceeded to smack him in his face with his own hand.

Think about that a few minutes.

WaxfordSqueers
April 22nd, 2013, 01:21
Quote:
[Originally Posted by Woodmann;94582]Methinks he means don't use ntfsprogs. Woodmann


Nyuck, nyuck.

My reply about feint vs feign was aimed at Bilbo's one word reply titled, "FEINTS". I gathered that aimless had fainted due to the DOS-based ntfsprogs.

I got his point. It's tough enough working on NTFS with a GUI never mind working in the dark. Bilbo even made reference to that.

Microsoft apparently never really supported NTFS at a troubleshooting level. They issued Diskprobe on an NT disk once but it's such a basic application that one might find it almost useless. You can use it to write to disk, however.

The problem, as I mentioned in a previous post is the massive size of modern disks. Using the Active@ disk editor on my 500 gig external drive, moving the scroll bar an iota skips you over several megs of data. It's literally impossible to view the disk manually, as far as finding data. You can page down for an hour and cover barely any data.

The only way I found a backup $MftMirr file was using another app that listed it at a certain cluster. I was then able to use Active@ to view and copy the file.

Another issue is that some of the older apps can't find a USB attached disk, never mind read it. I have Norton Disk editor but it can't even see the drive.

Woodmann
April 22nd, 2013, 20:36
Quote:
Another issue is that some of the older apps can't find a USB attached disk, never mind read it. I have Norton Disk editor but it can't even see the drive.


My single largest gripe about most of those types of softs.
In this day and age you can't build in some USB support?
I understand the older progs but stuff made in the last 5 years should have such a feature.

Woodmann

WaxfordSqueers
April 23rd, 2013, 23:16
Quote:
[Originally Posted by Woodmann;94584]In this day and age you can't build in some USB support?


I managed to get around one situation with a USB keyboard by going into BIOS and switching a USB selection to legacy mode. Then the keyboard was recognized. Then again, I have a serial DVD/ROM that I have never been able to use on my older desktop because the Intel SATA drivers won't recognize the drive. I should have upgraded the desktop long ago, but hey, it runs at 2 gig and is fast enough for what I want.

I posted on it here years ago. It runs in PIO mode and won't do DMA mode, although the specs claim it will. That's the funny thing about serial drives, some were configured to emulate the PATA scheme whereas some were given the bells and whistles that go with serial, like hot plugging. It's only a $30 drive but its PATA sister DVD writer works like a charm.

WaxfordSqueers
April 27th, 2013, 15:48
Quote:
[Originally Posted by WaxfordSqueers;94547]I am posting here in an attempt to prevent re-discovering the wheel. I don't mind putting in the time required for the learning curve but a few words from someone with experience on NTFS systems could point me in the right direction.


It's getting pretty bad when I end up talking to myself, as in replying to my own queries. However, Microsoft has exceeded itself with the NTFS file system with sheer abstraction, lack of logic and pure bafflegab. They have tried to incorporate OOP logic into the NTFS file system.

For example, the entire file system is regarded as one huge file, and the various parts are referred to as file attributes. I don't care where you are coming from, that's plain stupid.

A computer file is based on the old paper file system where files were stored in file cabinets. That file cabinet could have one drawer with many files in folders, or it could range over multiple cabinets and drawers with file folders.

Microsoft is calling the file cabinets, and the drawers, one large file. I'd like to know why people are paid good money to think in such a back-asswards manner. Why would you call the file system a file? There's one good reason...UNIX...an archaic system that should have been scrapped years ago. DOS was primitive but it made sense. Linux, which is based on Unix, makes sense only to geeks who are willing to persist until they absorb the Unix nonsense.

I mean no offense to anyone who uses Linux but I cannot get into it because it grates me trying to learn concepts that date back to the 1980's, at least. I have moved on from DOS and Unix is just as old, or older.

A hallmark of unix is files with no extensions. Why? In DOS or Windows, you can tell immediately what kind of file you are looking at based on the extension. I may be wrong, but doesn't Unix also declare directories to be files? For some reason, Microsoft is hung up on perpetuating that abstracted file system.

I have come across several pdf files that try to explain NTFS and I will post some links for anyone interested.

http://grayscale-research.org/new/pdfs/NTFS%20forensics.pdf

http://dubeyko.com/development/FileSystems/NTFS/ntfsdoc.pdf

http://www.alex-ionescu.com/NTFS.pdf

If anyone has the time to thumb through these docs I'd appreciate comments on how to decipher even the opening file in $MFT.

Here is the $MftMirr file which is a duplicate of the first 4 metafiles in an MFT file. I have figured out the first part up till 2050 but the string at 2050 doesn't make sense yet. Note that $MFT refers to itself at 20F2:

Code:


Offset | 0 1 2 3 4 5 6 7 - 8 9 A B C D E F | ASCII
-----------------------------------------------------------------------------------
0000002000 | 46 49 4C 45 30 00 03 00 E0 22 00 02 00 00 00 00 | FILE0...."......
0000002010 | 01 00 01 00 38 00 01 00 98 01 00 00 00 04 00 00 | ....8...........
0000002020 | 00 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 | ................
0000002030 | 07 00 00 00 00 00 00 00 10 00 00 00 60 00 00 00 | ............`...
0000002040 | 00 00 18 00 00 00 00 00 48 00 00 00 18 00 00 00 | ........H.......
0000002050 | CF CB C8 CC F3 3B CE 01 CF CB C8 CC F3 3B CE 01 | .....;.......;..
0000002060 | CF CB C8 CC F3 3B CE 01 CF CB C8 CC F3 3B CE 01 | .....;.......;..
0000002070 | 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002080 | 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 | ................
0000002090 | 00 00 00 00 00 00 00 00 30 00 00 00 68 00 00 00 | ........0...h...
00000020A0 | 00 00 18 00 00 00 03 00 4A 00 00 00 18 00 01 00 | ........J.......
00000020B0 | 05 00 00 00 00 00 05 00 CF CB C8 CC F3 3B CE 01 | .............;..
00000020C0 | CF CB C8 CC F3 3B CE 01 CF CB C8 CC F3 3B CE 01 | .....;.......;..
00000020D0 | CF CB C8 CC F3 3B CE 01 00 00 04 00 00 00 00 00 | .....;..........
00000020E0 | 00 00 04 00 00 00 00 00 06 00 00 00 00 00 00 00 | ................
00000020F0 | 04 03 24 00 4D 00 46 00 54 00 00 00 00 00 00 00 | ..$.M.F.T.......
0000002100 | 80 00 00 00 48 00 00 00 01 00 40 00 00 00 01 00 | ....H.....@.....
0000002110 | 00 00 00 00 00 00 00 00 3F 00 00 00 00 00 00 00 | ........?.......
0000002120 | 40 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 | @...............
0000002130 | 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 | ................
0000002140 | 31 40 00 00 0C 00 FF FF B0 00 00 00 48 00 00 00 | 1@..........H...
0000002150 | 01 00 40 00 00 00 06 00 00 00 00 00 00 00 00 00 | ..@.............
0000002160 | 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 | ........@.......
0000002170 | 00 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 | ........ .......
0000002180 | 20 00 00 00 00 00 00 00 31 01 FF FF 0B 00 00 00 | .......1.......
0000002190 | FF FF FF FF 00 00 00 00 08 10 00 00 00 00 00 00 | ................
00000021A0 | 31 01 FF FF 0B 11 01 FF 00 F7 99 01 80 FA FF FF | 1...............
00000021B0 | FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000021C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000021D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000021E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000021F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 | ................
0000002200 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002210 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002220 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002230 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002240 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002250 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002260 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002270 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002280 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002290 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000022A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000022B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000022C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000022D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000022E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000022F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002300 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002310 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002320 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002330 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002340 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002350 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002360 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002370 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002380 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002390 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000023A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000023B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000023C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000023D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000023E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000023F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 | ................
0000002400 | 46 49 4C 45 30 00 03 00 26 23 00 02 00 00 00 00 | FILE0...&#......
0000002410 | 01 00 01 00 38 00 01 00 58 01 00 00 00 04 00 00 | ....8...X.......
0000002420 | 00 00 00 00 00 00 00 00 04 00 00 00 01 00 00 00 | ................
0000002430 | 04 00 00 00 00 00 00 00 10 00 00 00 60 00 00 00 | ............`...
0000002440 | 00 00 18 00 00 00 00 00 48 00 00 00 18 00 00 00 | ........H.......
0000002450 | CF CB C8 CC F3 3B CE 01 CF CB C8 CC F3 3B CE 01 | .....;.......;..
0000002460 | CF CB C8 CC F3 3B CE 01 CF CB C8 CC F3 3B CE 01 | .....;.......;..
0000002470 | 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002480 | 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 | ................
0000002490 | 00 00 00 00 00 00 00 00 30 00 00 00 70 00 00 00 | ........0...p...
00000024A0 | 00 00 18 00 00 00 02 00 52 00 00 00 18 00 01 00 | ........R.......
00000024B0 | 05 00 00 00 00 00 05 00 CF CB C8 CC F3 3B CE 01 | .............;..
00000024C0 | CF CB C8 CC F3 3B CE 01 CF CB C8 CC F3 3B CE 01 | .....;.......;..
00000024D0 | CF CB C8 CC F3 3B CE 01 00 10 00 00 00 00 00 00 | .....;..........
00000024E0 | 00 10 00 00 00 00 00 00 06 00 00 00 00 00 00 00 | ................
00000024F0 | 08 03 24 00 4D 00 46 00 54 00 4D 00 69 00 72 00 | ..$.M.F.T.M.i.r.
0000002500 | 72 00 00 00 00 00 00 00 80 00 00 00 48 00 00 00 | r...........H...
0000002510 | 01 00 40 00 00 00 01 00 00 00 00 00 00 00 00 00 | ..@.............
0000002520 | 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 | ........@.......
0000002530 | 00 10 00 00 00 00 00 00 00 10 00 00 00 00 00 00 | ................
0000002540 | 00 10 00 00 00 00 00 00 11 01 02 00 00 00 00 00 | ................
0000002550 | FF FF FF FF 00 00 00 00 12 00 00 00 01 02 00 00 | ................
0000002560 | 00 00 00 05 20 00 00 00 20 02 00 00 00 00 00 00 | .... ... .......
0000002570 | 80 00 00 00 48 00 00 00 01 00 40 00 00 00 01 00 | ....H.....@.....
0000002580 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002590 | 40 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 | @...............
00000025A0 | 00 10 00 00 00 00 00 00 00 10 00 00 00 00 00 00 | ................
00000025B0 | 11 01 02 00 00 00 00 00 FF FF FF FF 00 00 00 00 | ................
00000025C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000025D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000025E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000025F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 | ................
0000002600 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002610 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002620 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002630 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002640 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002650 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002660 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002670 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002680 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002690 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000026A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000026B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000026C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000026D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000026E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000026F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002700 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002710 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002720 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002730 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002740 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002750 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002760 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002770 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002780 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002790 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000027A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000027B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000027C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000027D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000027E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000027F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 | ................
0000002800 | 46 49 4C 45 30 00 03 00 6C 23 00 02 00 00 00 00 | FILE0...l#......
0000002810 | 02 00 01 00 38 00 01 00 58 01 00 00 00 04 00 00 | ....8...X.......
0000002820 | 00 00 00 00 00 00 00 00 04 00 00 00 02 00 00 00 | ................
0000002830 | 04 00 00 00 00 00 00 00 10 00 00 00 60 00 00 00 | ............`...
0000002840 | 00 00 18 00 00 00 00 00 48 00 00 00 18 00 00 00 | ........H.......
0000002850 | CF CB C8 CC F3 3B CE 01 CF CB C8 CC F3 3B CE 01 | .....;.......;..
0000002860 | CF CB C8 CC F3 3B CE 01 CF CB C8 CC F3 3B CE 01 | .....;.......;..
0000002870 | 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002880 | 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 | ................
0000002890 | 00 00 00 00 00 00 00 00 30 00 00 00 70 00 00 00 | ........0...p...
00000028A0 | 00 00 18 00 00 00 02 00 52 00 00 00 18 00 01 00 | ........R.......
00000028B0 | 05 00 00 00 00 00 05 00 CF CB C8 CC F3 3B CE 01 | .............;..
00000028C0 | CF CB C8 CC F3 3B CE 01 CF CB C8 CC F3 3B CE 01 | .....;.......;..
00000028D0 | CF CB C8 CC F3 3B CE 01 00 00 00 04 00 00 00 00 | .....;..........
00000028E0 | 00 00 00 04 00 00 00 00 06 00 00 00 00 00 00 00 | ................
00000028F0 | 08 03 24 00 4C 00 6F 00 67 00 46 00 69 00 6C 00 | ..$.L.o.g.F.i.l.
0000002900 | 65 00 00 00 00 00 00 00 80 00 00 00 48 00 00 00 | e...........H...
0000002910 | 01 00 40 00 00 00 01 00 00 00 00 00 00 00 00 00 | ..@.............
0000002920 | FF 3F 00 00 00 00 00 00 40 00 00 00 00 00 00 00 | .?......@.......
0000002930 | 00 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 | ................
0000002940 | 00 00 00 04 00 00 00 00 32 00 40 6F 71 0B 00 00 | ........2.@oq...
0000002950 | FF FF FF FF 00 00 00 00 12 00 00 00 01 02 00 00 | ................
0000002960 | 00 00 00 05 20 00 00 00 20 02 00 00 00 00 00 00 | .... ... .......
0000002970 | 80 00 00 00 48 00 00 00 01 00 40 00 00 00 01 00 | ....H.....@.....
0000002980 | 00 00 00 00 00 00 00 00 FF 3F 00 00 00 00 00 00 | .........?......
0000002990 | 40 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 | @...............
00000029A0 | 00 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 | ................
00000029B0 | 32 00 40 6F 71 0B 00 00 FF FF FF FF 00 00 00 00 | 2.@oq...........
00000029C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000029D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000029E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000029F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 | ................
0000002A00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002A10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002A20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002A30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002A40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002A50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002A60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002A70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002A80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002A90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002AA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002AB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002AC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002AD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002AE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002AF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002B00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002B10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002B20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002B30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002B40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002B50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002B60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002B70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002B80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002B90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002BA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002BB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002BC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002BD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002BE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002BF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 | ................
0000002C00 | 46 49 4C 45 30 00 03 00 56 08 00 07 00 00 00 00 | FILE0...V.......
0000002C10 | 03 00 01 00 38 00 01 00 00 02 00 00 00 04 00 00 | ....8...........
0000002C20 | 00 00 00 00 00 00 00 00 07 00 00 00 03 00 00 00 | ................
0000002C30 | 06 00 00 00 00 00 00 00 10 00 00 00 48 00 00 00 | ............H...
0000002C40 | 00 00 18 00 00 00 00 00 30 00 00 00 18 00 00 00 | ........0.......
0000002C50 | CF CB C8 CC F3 3B CE 01 CF CB C8 CC F3 3B CE 01 | .....;.......;..
0000002C60 | CF CB C8 CC F3 3B CE 01 CF CB C8 CC F3 3B CE 01 | .....;.......;..
0000002C70 | 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002C80 | 30 00 00 00 68 00 00 00 00 00 18 00 00 00 01 00 | 0...h...........
0000002C90 | 50 00 00 00 18 00 01 00 05 00 00 00 00 00 05 00 | P...............
0000002CA0 | CF CB C8 CC F3 3B CE 01 CF CB C8 CC F3 3B CE 01 | .....;.......;..
0000002CB0 | CF CB C8 CC F3 3B CE 01 CF CB C8 CC F3 3B CE 01 | .....;.......;..
0000002CC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002CD0 | 06 00 00 00 00 00 00 00 07 03 24 00 56 00 6F 00 | ..........$.V.o.
0000002CE0 | 6C 00 75 00 6D 00 65 00 40 00 00 00 28 00 00 00 | l.u.m.e.@...(...
0000002CF0 | 00 00 00 00 00 00 06 00 10 00 00 00 18 00 00 00 | ................
0000002D00 | 9E 79 2D AB 22 22 5E 44 BF 60 42 68 B7 C6 68 A2 | .y-.""^D.`Bh..h.
0000002D10 | 50 00 00 00 80 00 00 00 00 00 18 00 00 00 02 00 | P...............
0000002D20 | 64 00 00 00 18 00 00 00 01 00 04 80 48 00 00 00 | d...........H...
0000002D30 | 54 00 00 00 00 00 00 00 14 00 00 00 02 00 34 00 | T.............4.
0000002D40 | 02 00 00 00 00 00 14 00 9F 01 12 00 01 01 00 00 | ................
0000002D50 | 00 00 00 05 12 00 00 00 00 00 18 00 9F 01 12 00 | ................
0000002D60 | 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 | ........ ... ...
0000002D70 | 01 01 00 00 00 00 00 05 12 00 00 00 01 02 00 00 | ................
0000002D80 | 00 00 00 05 20 00 00 00 20 02 00 00 00 00 00 00 | .... ... .......
0000002D90 | 60 00 00 00 28 00 00 00 00 00 18 00 00 00 04 00 | `...(...........
0000002DA0 | 0C 00 00 00 18 00 00 00 4A 00 75 00 6E 00 69 00 | ........J.u.n.i.
0000002DB0 | 6F 00 72 00 00 00 00 00 70 00 00 00 28 00 00 00 | o.r.....p...(...
0000002DC0 | 00 00 18 00 00 00 05 00 0C 00 00 00 18 00 00 00 | ................
0000002DD0 | 00 00 00 00 00 00 00 00 03 01 00 00 00 00 00 00 | ................
0000002DE0 | 80 00 00 00 18 00 00 00 00 00 18 00 00 00 03 00 | ................
0000002DF0 | 00 00 00 00 18 00 00 00 FF FF FF FF 00 00 06 00 | ................
0000002E00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002E10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002E20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002E30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002E40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002E50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002E60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002E70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002E80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002E90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002EA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002EB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002EC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002ED0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002EE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002EF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002F00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002F10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002F20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002F30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002F40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002F50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002F60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002F70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002F80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002F90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002FA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002FB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002FC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002FD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002FE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0000002FF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 | ................


WaxfordSqueers
April 28th, 2013, 00:37
Quote:
[Originally Posted by WaxfordSqueers;94547]The question is which app to use.


Still talking to myself....

Made some headway. The free app I suggested earlier, Active@ Disk Editor, has a feature where it uses templates to reveal the structure of the $MFT file. When a template is selected, you have to move it to the pertinent code, then it highlights data that aligns with its template. When the alignment is correct, it gives really in-depth information about the MFT file structure.

You can move it over the first sector of an NTFS (or FAT, or Linux) partition and it reveals in-depth info about the boot partition, which also points to the $MFT file and its mirror on NTFS systems. Another template can be pointed to the $MFT file once it is found. Within the MFT, records have a signature called 'FILE', that marks various metafiles. When the template is over any record marked 'FILE', it reveals detailed info about that record.

Came across another free site called sleuthkit ( http://www.sleuthkit.org/ ) and they seem to have interesting tools for examining disk data.

There are apparently two files in the MFT, $UsnJrnl and $LogFile, that can be used in conjunction with $MFT to help reconstruct a disk structure damaged by a power fail or malware. It has yet to be seen whether a recovery from stupidity can be pulled off, when a bleary-eyed surveyor uses a clone, thinking it's an image creation.

WaxfordSqueers
April 28th, 2013, 00:56
Quote:
[Originally Posted by WaxfordSqueers;94607]Here is the $MftMirr file which is a duplicate of the first 4 metafiles in an MFT file.


I posted the data (in a code window) a couple of posts back for a $MftMirr file. At offset 2050 and at 20B8, there are 4 quadwords. Those are the times and dates at which the records were written and modified. In between there are attributes that tell you more about the records. It's a bit hairy but it's nice to finally make some sense of it.