Thread: NTFS reversing

  1. #1

    NTFS reversing

    Wasn't sure where to post this. It's about trying to undo, or partly undo an NTFS file system that has been written over other data.

    First the problem. In a state of brain lock, using Comodo Backup, I started a clone operation on an external drive thinking it was creating an image of my disk. I caught it almost immediately, swearing at my own stupidity but also at the stupidity of an app which would allow a write process that could eradicate data without so much as a warning. Such apps should have a stupid notification asking, "do you really want to write over the data on this disk, stupid?"

    Ok, I'm the dummy but I have given a great deal of thought as to how much data I could recover and how to go about it. Recovering the data is not critical but my reversing curiosity sees this as a good way to dig into an NTFS system. Most apps pertinent to data recovery that I have tried see the new NTFS partition, marked as primary, and presume nothing is wrong. I do have an app that goes deeper and recovers files but for some reason it messes them up while marking them as good. It is chopping off the front ends of the files.

    I am at the bottom end of an NTFS learning curve but I have worked a fair amount with FAT16 and FAT32 recovery, so I have experience with manually repairing and removing partitions.

    What I'd like to do is manually remove the NTFS partition added by Comodo Backup. I don't think it had time to do any real damage other than cutting off a lot of the data on the disk into an extended partition, now marked as free space. I think I'd have more luck if I could remove the partition and let a data recovery app have a look.

    I am posting here in an attempt to prevent re-discovering the wheel. I don't mind putting in the time required for the learning curve but a few words from someone with experience on NTFS systems could point me in the right direction.

    The question is which app to use. In the old days I would have used Norton recovery disks so I could read sector by sector from cylinder one out.

    Since it was doing a clone and only had a few seconds of action before I stopped it, I am theorizing that a lot of my old data is still intact and lying there as lost clusters. However, if Comodo wrote over the original MFT, it could be a real chore to recover the data.

    Does anyone know off hand if MFTs can be recreated, either manually or with a recovery app? Is it a good idea to kill the new partition and go from there?

  2. #2
    hi waxfordSqueers nice to see you around
    Recuva Portable for files? the MFT I don't know, did you make a backup file for this?

    could you find out why the baseprocessstart problems appear? it happened randomly to me

  3. #3
    Quote Originally Posted by Elenil View Post
    hi waxfordSqueers nice to see you around
    Recuva Portable for files? the MFT I don't know, did you make a backup file for this?

    could you find out why the baseprocessstart problems appear? it happened randomly to me
    Elenil...sorry I did not get back sooner. I just sent you a PM.

    I have tried Recuva but it does not seem to have really low level features. I had another app loaded that shows the NTFS partition in different colours but I just did a repair install with win 7 and seem to have lost it. It may have been a system restore earlier that lost it.

    I might add a word of warning about boot disks written in Linux. I was using one, from Comodo, and it wrote all over my C:\ partition on win 7. Luckily it only damaged some user files, which I was able to recover, but it messed up other areas of windows.

    I have no idea what happened. I allowed it to do a scan of my system from the boot disk and it flagged a file as questionable. According to their manual, you can press on the highlighted error while the scan is going on to get more info about the error. I did that and the scan stopped, with the scanning app disappearing. When I booted back into windows, my program files directories were messed up and a folder in which I keep legacy apps as well.

    I just don't trust Linux apps written for Windows, but against my better judgement, I tried one and nearly lost my entire system.

    BTW...for anyone interested, you can do a repair install on a Win 7 system but it has to be initiated from within a win 7 installation by hitting setup.exe on the win 7 install disk. You are presented eventually with two choices: one to do an upgrade and another to do a clean install. Pick the upgrade and it will re-install your win 7 installation without harming your existing file system or data.

    You may get issues with compatibility and have to reboot to straighten it out. Also, it is better to start setup.exe as admin. I have seen a suggestion to use Vista SP2 compatibility with the admin option checked.

  4. #4
    Where's Blabberer? Where's Kayaker...it's too early to be out paddling around unless you have an icebreaker canoe.

    Surely someone has an intelligent opinion on this problem, even a dumb opinion will do.

    I am quickly arriving at the conclusion that it's not worth the effort to get into NTFS. For one, Microsoft has made the concept of the MFT table, as opposed to the old FAT table, so complex that no one seems to know much about the innards of the system. Like quantum mechanics, NTFS works but no one has any idea why.

    For another, any software I have tried just isn't up to the task. Norton Disk Editor won't read USB. I tried another disk editor that claims to be really good, but when they recover an exe file, it has no MZ header. You would think that's the first thing they'd check to be sure they had a valid exe file. I am afraid there are a lot of duffer apps on the net claiming to do things they can't do very well.

    On the face of it, NTFS is far too complicated to work. I mean, an MFT file can theoretically expand through a binary tree to take up half the available space on a disk, then it downsizes itself as space is required. Too wild for me. The concept of binary trees is right up there with rocket science and Microsoft can't help themselves when it comes to obfuscating something that should be dead simple. Look at Windows 8. On the other hand, stick with 7, or XP.

    I have read a couple of attempts at explaining the MFT structure but even though the explanations are well done, the authors are scratching their heads about what Microsoft means by certain things. I spent months, even tried to learn Russian, so I could repair a disk drive that would not read. A guy's gotta learn that some things are better left alone. Maybe NTFS is one of them. If it crashes, and you don't have a backup, reformat and get on with life.

  5. #5
    I personally use: Stellar Phoenix Windows Recovery. Never disappointed me. Your mileage may vary. What the heck, try it out. Ver 5 is the latest. Cracked black and blue all over the internet. Shouldn't have issues with that.

    Have Phun
    Blame Microsoft, get l337 !!

  6. #6
    Quote Originally Posted by Aimless View Post
    I personally use: Stellar Phoenix Windows Recovery. Never disappointed me. Your mileage may vary. What the heck, try it out. Ver 5 is the latest. Cracked black and blue all over the internet. Shouldn't have issues with that.

    Have Phun
    Thanks for the tip, Aimless. I will seek it out. Trouble is, there are not many low level apps that I have seen that understand the MFT process.

    I have admitted to being a bonehead for not paying attention when I tried to use a cloning technique for backup, thinking I was making an image. The cloning app ran for only a few seconds before I caught it, but in that time it managed to write something to my drive. It probably wrote over the original MFT and replaced it with the MFT from the drive it was cloning. So, any low level app sees at least two MFT's. One of them returned 4 MFT's, all with different dates, and that seems wrong. I only had a few files on a 500 gig drive, one of them a large backup, and I would think there should have been no more than two MFTs since it was the original file system on the drive.

    To complicate matters, the cloning process copied the boot sector of a bootable drive and created a system partition of 100 megs and an active partition of 149 Gigs. I took a chance and had a partition manager remove the partitions to leave me with the full 500 gigs but then Windows complained that the drive needed to be formatted. Low level apps can still read the drive but I think they are confused by the presence of two partitions, or traces of them.

    Even at that, using the MFT's it found, the app returned found files that were mainly corrupted. Exes, PDFs and Jpegs had no headers on them, and it was obvious with many of the recovered files that they were simply not even related to the type of file they should be. So, the app was somehow finding what it thought were files but it was not verifying them through their headers, or even a signature.

    There was nothing critical on the drive. I am just curious from a reversing POV what can be recovered and what can't.

    Something just dawned on me. If it created a 100 meg partition, it probably started writing 100 megs into the drive data. In that case, it will be a mess.

  7. #7
    Quote Originally Posted by WaxfordSqueers View Post
    I am posting here in an attempt to prevent re-discovering the wheel. I don't mind putting in the time required for the learning curve but a few words from someone with experience on NTFS systems could point me in the right direction.
    It's getting pretty bad when I end up talking to myself, as in replying to my own queries. However, Microsoft has exceeded itself with the NTFS file system with sheer abstraction, lack of logic and pure bafflegab. They have tried to incorporate OOP logic into the NTFS file system.

    For example, the entire file system is regarded as one huge file, and the various parts are referred to as file attributes. I don't care where you are coming from, that's plain stupid.

    A computer file is based on the old paper file system where files were stored in file cabinets. That file cabinet could have one drawer with many files in folders, or it could range over multiple cabinets and drawers with file folders.

    Microsoft is calling the file cabinets, and the drawers, one large file. I'd like to know why people are paid good money to think in such a back asswards manner. Why would you call the file system a file? There's one good reason...UNIX...an archaic system that should have been scrapped years ago. DOS was primitive but it made sense. Linux, which is based on Unix, makes sense only to geeks who are willing to persist until they absorb the Unix nonsense.

    I mean no offense to anyone who uses Linux but I cannot get into it because it grates me trying to learn concepts that date back to the 1980's, at least. I have moved on from DOS and Unix is just as old, or older.

    A hallmark of unix is files with no extensions. Why? In DOS or Windows, you can tell immediately what kind of file you are looking at based on the extension. I may be wrong, but doesn't Unix also declare directories to be files? For some reason, Microsoft is hung up on perpetuating that abstracted file system.

    I have come across several pdf files that try to explain NTFS and I will post some links for anyone interested.

    http://grayscale-research.org/new/pdfs/NTFS%20forensics.pdf

    http://dubeyko.com/development/FileSystems/NTFS/ntfsdoc.pdf

    http://www.alex-ionescu.com/NTFS.pdf

    If anyone has the time to thumb through these docs I'd appreciate comments on how to decipher even the opening file in $MFT

    Here is the $MftMirr file which is a duplicate of the first 4 metafiles in an MFT file. I have figured out the first part up till 2050 but the string at 2050 doesn't make sense yet. Note that $MFT refers to itself at 20F2:

    Code:
        Offset    |  0  1  2  3  4  5  6  7 -  8  9  A  B  C  D  E  F |       ASCII      
    -----------------------------------------------------------------------------------
      0000002000  | 46 49 4C 45 30 00 03 00   E0 22 00 02 00 00 00 00 | FILE0...."......
      0000002010  | 01 00 01 00 38 00 01 00   98 01 00 00 00 04 00 00 | ....8...........
      0000002020  | 00 00 00 00 00 00 00 00   07 00 00 00 00 00 00 00 | ................
      0000002030  | 07 00 00 00 00 00 00 00   10 00 00 00 60 00 00 00 | ............`...
      0000002040  | 00 00 18 00 00 00 00 00   48 00 00 00 18 00 00 00 | ........H.......
      0000002050  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      0000002060  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      0000002070  | 06 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002080  | 00 00 00 00 00 01 00 00   00 00 00 00 00 00 00 00 | ................
      0000002090  | 00 00 00 00 00 00 00 00   30 00 00 00 68 00 00 00 | ........0...h...
      00000020A0  | 00 00 18 00 00 00 03 00   4A 00 00 00 18 00 01 00 | ........J.......
      00000020B0  | 05 00 00 00 00 00 05 00   CF CB C8 CC F3 3B CE 01 | .............;..
      00000020C0  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      00000020D0  | CF CB C8 CC F3 3B CE 01   00 00 04 00 00 00 00 00 | .....;..........
      00000020E0  | 00 00 04 00 00 00 00 00   06 00 00 00 00 00 00 00 | ................
      00000020F0  | 04 03 24 00 4D 00 46 00   54 00 00 00 00 00 00 00 | ..$.M.F.T.......
      0000002100  | 80 00 00 00 48 00 00 00   01 00 40 00 00 00 01 00 | ....H.....@.....
      0000002110  | 00 00 00 00 00 00 00 00   3F 00 00 00 00 00 00 00 | ........?.......
      0000002120  | 40 00 00 00 00 00 00 00   00 00 04 00 00 00 00 00 | @...............
      0000002130  | 00 00 04 00 00 00 00 00   00 00 04 00 00 00 00 00 | ................
      0000002140  | 31 40 00 00 0C 00 FF FF   B0 00 00 00 48 00 00 00 | 1@..........H...
      0000002150  | 01 00 40 00 00 00 06 00   00 00 00 00 00 00 00 00 | ..@.............
      0000002160  | 00 00 00 00 00 00 00 00   40 00 00 00 00 00 00 00 | ........@.......
      0000002170  | 00 10 00 00 00 00 00 00   20 00 00 00 00 00 00 00 | ........ .......
      0000002180  | 20 00 00 00 00 00 00 00   31 01 FF FF 0B 00 00 00 |  .......1.......
      0000002190  | FF FF FF FF 00 00 00 00   08 10 00 00 00 00 00 00 | ................
      00000021A0  | 31 01 FF FF 0B 11 01 FF   00 F7 99 01 80 FA FF FF | 1...............
      00000021B0  | FF FF FF FF 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000021C0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000021D0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000021E0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000021F0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 07 00 | ................
      0000002200  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002210  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002220  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002230  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002240  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002250  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002260  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002270  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002280  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002290  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000022A0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000022B0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000022C0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000022D0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000022E0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000022F0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002300  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002310  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002320  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002330  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002340  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002350  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002360  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002370  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002380  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002390  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000023A0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000023B0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000023C0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000023D0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000023E0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000023F0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 07 00 | ................
      0000002400  | 46 49 4C 45 30 00 03 00   26 23 00 02 00 00 00 00 | FILE0...&#......
      0000002410  | 01 00 01 00 38 00 01 00   58 01 00 00 00 04 00 00 | ....8...X.......
      0000002420  | 00 00 00 00 00 00 00 00   04 00 00 00 01 00 00 00 | ................
      0000002430  | 04 00 00 00 00 00 00 00   10 00 00 00 60 00 00 00 | ............`...
      0000002440  | 00 00 18 00 00 00 00 00   48 00 00 00 18 00 00 00 | ........H.......
      0000002450  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      0000002460  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      0000002470  | 06 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002480  | 00 00 00 00 00 01 00 00   00 00 00 00 00 00 00 00 | ................
      0000002490  | 00 00 00 00 00 00 00 00   30 00 00 00 70 00 00 00 | ........0...p...
      00000024A0  | 00 00 18 00 00 00 02 00   52 00 00 00 18 00 01 00 | ........R.......
      00000024B0  | 05 00 00 00 00 00 05 00   CF CB C8 CC F3 3B CE 01 | .............;..
      00000024C0  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      00000024D0  | CF CB C8 CC F3 3B CE 01   00 10 00 00 00 00 00 00 | .....;..........
      00000024E0  | 00 10 00 00 00 00 00 00   06 00 00 00 00 00 00 00 | ................
      00000024F0  | 08 03 24 00 4D 00 46 00   54 00 4D 00 69 00 72 00 | ..$.M.F.T.M.i.r.
      0000002500  | 72 00 00 00 00 00 00 00   80 00 00 00 48 00 00 00 | r...........H...
      0000002510  | 01 00 40 00 00 00 01 00   00 00 00 00 00 00 00 00 | ..@.............
      0000002520  | 00 00 00 00 00 00 00 00   40 00 00 00 00 00 00 00 | ........@.......
      0000002530  | 00 10 00 00 00 00 00 00   00 10 00 00 00 00 00 00 | ................
      0000002540  | 00 10 00 00 00 00 00 00   11 01 02 00 00 00 00 00 | ................
      0000002550  | FF FF FF FF 00 00 00 00   12 00 00 00 01 02 00 00 | ................
      0000002560  | 00 00 00 05 20 00 00 00   20 02 00 00 00 00 00 00 | .... ... .......
      0000002570  | 80 00 00 00 48 00 00 00   01 00 40 00 00 00 01 00 | ....H.....@.....
      0000002580  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002590  | 40 00 00 00 00 00 00 00   00 10 00 00 00 00 00 00 | @...............
      00000025A0  | 00 10 00 00 00 00 00 00   00 10 00 00 00 00 00 00 | ................
      00000025B0  | 11 01 02 00 00 00 00 00   FF FF FF FF 00 00 00 00 | ................
      00000025C0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000025D0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000025E0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000025F0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 04 00 | ................
      0000002600  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002610  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002620  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002630  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002640  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002650  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002660  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002670  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002680  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002690  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000026A0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000026B0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000026C0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000026D0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000026E0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000026F0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002700  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002710  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002720  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002730  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002740  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002750  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002760  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002770  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002780  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002790  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000027A0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000027B0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000027C0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000027D0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000027E0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000027F0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 04 00 | ................
      0000002800  | 46 49 4C 45 30 00 03 00   6C 23 00 02 00 00 00 00 | FILE0...l#......
      0000002810  | 02 00 01 00 38 00 01 00   58 01 00 00 00 04 00 00 | ....8...X.......
      0000002820  | 00 00 00 00 00 00 00 00   04 00 00 00 02 00 00 00 | ................
      0000002830  | 04 00 00 00 00 00 00 00   10 00 00 00 60 00 00 00 | ............`...
      0000002840  | 00 00 18 00 00 00 00 00   48 00 00 00 18 00 00 00 | ........H.......
      0000002850  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      0000002860  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      0000002870  | 06 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002880  | 00 00 00 00 00 01 00 00   00 00 00 00 00 00 00 00 | ................
      0000002890  | 00 00 00 00 00 00 00 00   30 00 00 00 70 00 00 00 | ........0...p...
      00000028A0  | 00 00 18 00 00 00 02 00   52 00 00 00 18 00 01 00 | ........R.......
      00000028B0  | 05 00 00 00 00 00 05 00   CF CB C8 CC F3 3B CE 01 | .............;..
      00000028C0  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      00000028D0  | CF CB C8 CC F3 3B CE 01   00 00 00 04 00 00 00 00 | .....;..........
      00000028E0  | 00 00 00 04 00 00 00 00   06 00 00 00 00 00 00 00 | ................
      00000028F0  | 08 03 24 00 4C 00 6F 00   67 00 46 00 69 00 6C 00 | ..$.L.o.g.F.i.l.
      0000002900  | 65 00 00 00 00 00 00 00   80 00 00 00 48 00 00 00 | e...........H...
      0000002910  | 01 00 40 00 00 00 01 00   00 00 00 00 00 00 00 00 | ..@.............
      0000002920  | FF 3F 00 00 00 00 00 00   40 00 00 00 00 00 00 00 | .?......@.......
      0000002930  | 00 00 00 04 00 00 00 00   00 00 00 04 00 00 00 00 | ................
      0000002940  | 00 00 00 04 00 00 00 00   32 00 40 6F 71 0B 00 00 | ........2.@oq...
      0000002950  | FF FF FF FF 00 00 00 00   12 00 00 00 01 02 00 00 | ................
      0000002960  | 00 00 00 05 20 00 00 00   20 02 00 00 00 00 00 00 | .... ... .......
      0000002970  | 80 00 00 00 48 00 00 00   01 00 40 00 00 00 01 00 | ....H.....@.....
      0000002980  | 00 00 00 00 00 00 00 00   FF 3F 00 00 00 00 00 00 | .........?......
      0000002990  | 40 00 00 00 00 00 00 00   00 00 00 04 00 00 00 00 | @...............
      00000029A0  | 00 00 00 04 00 00 00 00   00 00 00 04 00 00 00 00 | ................
      00000029B0  | 32 00 40 6F 71 0B 00 00   FF FF FF FF 00 00 00 00 | 2.@oq...........
      00000029C0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000029D0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000029E0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000029F0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 04 00 | ................
      0000002A00  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002A10  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002A20  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002A30  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002A40  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002A50  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002A60  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002A70  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002A80  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002A90  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002AA0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002AB0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002AC0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002AD0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002AE0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002AF0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002B00  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002B10  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002B20  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002B30  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002B40  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002B50  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002B60  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002B70  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002B80  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002B90  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002BA0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002BB0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002BC0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002BD0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002BE0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002BF0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 04 00 | ................
      0000002C00  | 46 49 4C 45 30 00 03 00   56 08 00 07 00 00 00 00 | FILE0...V.......
      0000002C10  | 03 00 01 00 38 00 01 00   00 02 00 00 00 04 00 00 | ....8...........
      0000002C20  | 00 00 00 00 00 00 00 00   07 00 00 00 03 00 00 00 | ................
      0000002C30  | 06 00 00 00 00 00 00 00   10 00 00 00 48 00 00 00 | ............H...
      0000002C40  | 00 00 18 00 00 00 00 00   30 00 00 00 18 00 00 00 | ........0.......
      0000002C50  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      0000002C60  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      0000002C70  | 06 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002C80  | 30 00 00 00 68 00 00 00   00 00 18 00 00 00 01 00 | 0...h...........
      0000002C90  | 50 00 00 00 18 00 01 00   05 00 00 00 00 00 05 00 | P...............
      0000002CA0  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      0000002CB0  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      0000002CC0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002CD0  | 06 00 00 00 00 00 00 00   07 03 24 00 56 00 6F 00 | ..........$.V.o.
      0000002CE0  | 6C 00 75 00 6D 00 65 00   40 00 00 00 28 00 00 00 | l.u.m.e.@...(...
      0000002CF0  | 00 00 00 00 00 00 06 00   10 00 00 00 18 00 00 00 | ................
      0000002D00  | 9E 79 2D AB 22 22 5E 44   BF 60 42 68 B7 C6 68 A2 | .y-.""^D.`Bh..h.
      0000002D10  | 50 00 00 00 80 00 00 00   00 00 18 00 00 00 02 00 | P...............
      0000002D20  | 64 00 00 00 18 00 00 00   01 00 04 80 48 00 00 00 | d...........H...
      0000002D30  | 54 00 00 00 00 00 00 00   14 00 00 00 02 00 34 00 | T.............4.
      0000002D40  | 02 00 00 00 00 00 14 00   9F 01 12 00 01 01 00 00 | ................
      0000002D50  | 00 00 00 05 12 00 00 00   00 00 18 00 9F 01 12 00 | ................
      0000002D60  | 01 02 00 00 00 00 00 05   20 00 00 00 20 02 00 00 | ........ ... ...
      0000002D70  | 01 01 00 00 00 00 00 05   12 00 00 00 01 02 00 00 | ................
      0000002D80  | 00 00 00 05 20 00 00 00   20 02 00 00 00 00 00 00 | .... ... .......
      0000002D90  | 60 00 00 00 28 00 00 00   00 00 18 00 00 00 04 00 | `...(...........
      0000002DA0  | 0C 00 00 00 18 00 00 00   4A 00 75 00 6E 00 69 00 | ........J.u.n.i.
      0000002DB0  | 6F 00 72 00 00 00 00 00   70 00 00 00 28 00 00 00 | o.r.....p...(...
      0000002DC0  | 00 00 18 00 00 00 05 00   0C 00 00 00 18 00 00 00 | ................
      0000002DD0  | 00 00 00 00 00 00 00 00   03 01 00 00 00 00 00 00 | ................
      0000002DE0  | 80 00 00 00 18 00 00 00   00 00 18 00 00 00 03 00 | ................
      0000002DF0  | 00 00 00 00 18 00 00 00   FF FF FF FF 00 00 06 00 | ................
      0000002E00  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002E10  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002E20  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002E30  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002E40  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002E50  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002E60  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002E70  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002E80  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002E90  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002EA0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002EB0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002EC0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002ED0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002EE0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002EF0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002F00  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002F10  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002F20  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002F30  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002F40  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002F50  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002F60  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002F70  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002F80  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002F90  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002FA0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002FB0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002FC0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002FD0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002FE0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002FF0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 06 00 | ................

  8. #8
    Quote Originally Posted by WaxfordSqueers View Post
    Here is the $MftMirr file which is a duplicate of the first 4 metafiles in an MFT file.
    I posted the data (in a code window) a couple of posts back for a $MftMirr file. At offset 2050 and at 20B8, there are 4 quadwords. Those are the times and dates at which the records were written and modified. In between there are attributes that tell you more about the records. It's a bit hairy but it's nice to finally make some sense of it.

  9. #9
    Quote Originally Posted by WaxfordSqueers View Post
    The question is which app to use.
    Still talking to myself....

    Made some headway. The free app I suggested earlier, Active@ Disk Editor, has a feature where it uses templates to reveal the structure of the $MFT file. When a template is selected, you have to move it to the pertinent code, then it highlights data that aligns with its template. When the alignment is correct, it gives really in-depth information about the MFT file structure.

    You can move it over the first sector of an NTFS (or FAT, or Linux) partition and it reveals in-depth info about the boot partition, which also points to the $MFT file and its mirror on NTFS systems. Another template can be pointed to the $MFT file once it is found. Within the MFT, records have a signature called 'FILE', that marks various metafiles. When the template is over any record marked 'FILE', it reveals detailed info about that record.

    Came across another free site called sleuthkit ( http://www.sleuthkit.org/ ) and they seem to have interesting tools for examining disk data.

    There are apparently two files in the MFT, $UsnJrnl and $LogFile that can be used in conjunction with $MFT to help reconstruct a disk structure damaged by a power fail or malware. It has yet to be seen whether a recovery from stupidity can be pulled off, when a bleary-eyed surveyor uses a clone, thinking it's an image creation.
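As an added illustration of the record layout discussed above (this is my example, not code from the thread or from Active@ Disk Editor): a small parser for one 1 KiB MFT FILE record that checks the 'FILE' signature, undoes the update-sequence fixup that NTFS stamps onto the last two bytes of every sector, walks the attribute list and decodes the four FILETIME quadwords in $STANDARD_INFORMATION and $FILE_NAME. The sample record, its "$Volume" name, parent reference and timestamp are constructed; with the usual 0x38 header and a 0x60-byte $STANDARD_INFORMATION, the quadwords land at record+0x50 and record+0xB8, which is where post #8 found them (2050 and 20B8) if that record starts at 2000.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME counts 100 ns ticks from here

def apply_fixups(rec, sector=512):
    """Undo the update-sequence fixup: each sector's last 2 bytes must equal the USN; the real bytes sit in the USA."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn, rec = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_cnt):
        if rec[i * sector - 2:i * sector] != usn:
            raise ValueError("fixup mismatch in sector %d: torn or stray write" % (i - 1))
        rec[i * sector - 2:i * sector] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_file_record(rec):
    """Walk one MFT FILE record and return its in-use flag plus the resident attributes."""
    if rec[:4] != b"FILE": raise ValueError("missing FILE signature")
    rec = apply_fixups(rec)
    off, flags = struct.unpack_from("<HH", rec, 0x14)        # first attribute offset, record flags
    out = {"in_use": bool(flags & 1), "attrs": []}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:                  # end-of-attributes marker
            break
        entry = {"type": atype, "resident": rec[off + 8] == 0}
        if entry["resident"]:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype in (0x10, 0x30):                         # $STANDARD_INFORMATION / $FILE_NAME
                t0 = 8 if atype == 0x30 else 0                # $FILE_NAME begins with the parent ref
                entry["times"] = [(EPOCH_1601 + timedelta(microseconds=t // 10)).isoformat() for t in struct.unpack_from("<4Q", body, t0)]
            if atype == 0x30:
                entry["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        out["attrs"].append(entry)
        off += alen
    return out

def build_sample_record():
    """Constructed 1 KiB record for $Volume (assumed layout, not the dump posted in this thread)."""
    ft, name, rec = 130107168000000000, "$Volume".encode("utf-16-le"), bytearray(1024)   # FILETIME = 2013-04-18T00:00:00Z
    struct.pack_into("<4sHHQHHHHIIQH", rec, 0, b"FILE", 0x30, 3, 0, 3, 1, 0x38, 1, 0x108, 0x400, 0, 4)
    struct.pack_into("<IIBBHHHIHBB", rec, 0x38, 0x10, 0x60, 0, 0, 0x18, 0, 0, 0x48, 0x18, 0, 0)
    struct.pack_into("<4Q", rec, 0x50, ft, ft, ft, ft)         # the 4 quadwords at record+0x50
    struct.pack_into("<IIBBHHHIHBB", rec, 0x98, 0x30, 0x68, 0, 0, 0x18, 0, 1, 0x50, 0x18, 1, 0)
    struct.pack_into("<Q4QQQIIBB", rec, 0xB0, (5 << 48) | 5, ft, ft, ft, ft, 0, 0, 6, 0, 7, 3)
    rec[0xF2:0xF2 + len(name)] = name                         # parent = root (#5), times at +0xB8
    struct.pack_into("<I", rec, 0x100, 0xFFFFFFFF)
    rec[0x30:0x36] = b"\x02\x00" + rec[0x1FE:0x200] + rec[0x3FE:0x400]   # USN + saved sector tails
    rec[0x1FE:0x200] = rec[0x3FE:0x400] = b"\x02\x00"         # stamp the USN onto each sector end
    return bytes(rec)
```

Pointing parse_file_record at any 1 KiB slice that starts with 'FILE' (from $MFT or $MftMirr) gives the same view the template overlay shows; a fixup mismatch is exactly the torn-sector condition a recovery tool should refuse to trust.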
