
Thread: NTFS reversing

  1. #16
    Quote Originally Posted by bilbo View Post
    Well, if you are not faint of heart and if you prefer C sources to lots of words, I would suggest Ntfsprogs for Windows to you
    Noooooooooo........!!!!!

    *FAINTS*
    Methinks he means don't use ntfsprogs.

    Woodmann

    Then again, Larry once asked Moe why his hand was itchy,
    Moe replied "because it's dirty" and proceeded to smack him in his face with his own hand.

    Think about that a few minutes.
    Learn Or Die.

  2. #17
    Quote Originally Posted by Woodmann View Post
    Methinks he means don't use ntfsprogs. Woodmann
    Nyuck, nyuck.

    My reply about feint vs feign was aimed at Bilbo's one word reply titled, "FEINTS". I gathered that aimless had fainted due to the DOS-based ntfsprogs.

    I got his point. It's tough enough working on NTFS with a GUI never mind working in the dark. Bilbo even made reference to that.

    Microsoft apparently never really supported NTFS at a troubleshooting level. They issued Diskprobe on an NT disk once but it's such a basic application that one might find it almost useless. You can use it to write to disk, however.

    The problem, as I mentioned in a previous post is the massive size of modern disks. Using the Active@ disk editor on my 500 gig external drive, moving the scroll bar an iota skips you over several megs of data. It's literally impossible to view the disk manually, as far as finding data. You can page down for an hour and cover barely any data.

    The only way I found a backup $MftMirr file was using another app that listed it at a certain cluster. I was then able to use Active@ to view and copy the file.

    Another issue is that some of the older apps can't find a USB attached disk, never mind read it. I have Norton Disk editor but it can't even see the drive.

  3. #18
    Another issue is that some of the older apps can't find a USB attached disk, never mind read it. I have Norton Disk editor but it can't even see the drive.
    My single largest gripe about most of those types of software.
    In this day and age you can't build in some USB support?
    I understand the older programs, but stuff made in the last 5 years should have such a feature.

    Woodmann
    Learn Or Die.

  4. #19
    Quote Originally Posted by Woodmann View Post
    In this day and age you can't build in some USB support?
    I managed to get around one situation with a USB keyboard by going into BIOS and switching a USB selection to legacy mode. Then the keyboard was recognized. Then again, I have a serial DVD-ROM that I have never been able to use on my older desktop because the Intel SATA drivers won't recognize the drive. I should have upgraded the desktop long ago, but hey, it runs at 2 gig and is fast enough for what I want.

    I posted on it here years ago. It runs in PIO mode and won't do DMA mode, although the specs claim it will. That's the funny thing about serial drives: some were configured to emulate the PATA scheme, whereas some were given the bells and whistles that go with serial, like hot plugging. It's only a $30 drive, but its PATA sister DVD writer works like a charm.

  5. #20
    Quote Originally Posted by WaxfordSqueers View Post
    I am posting here in an attempt to prevent re-discovering the wheel. I don't mind putting in the time required for the learning curve but a few words from someone with experience on NTFS systems could point me in the right direction.
    It's getting pretty bad when I end up talking to myself, as in replying to my own queries. However, Microsoft has exceeded itself with the NTFS file system with sheer abstraction, lack of logic and pure bafflegab. They have tried to incorporate OOP logic into the NTFS file system.

    For example, the entire file system is regarded as one huge file, and the various parts are referred to as file attributes. I don't care where you are coming from, that's plain stupid.

    A computer file is based on the old paper file system where files were stored in file cabinets. That file cabinet could have one drawer with many files in folders, or it could range over multiple cabinets and drawers with file folders.

    Microsoft is calling the file cabinets, and the drawers, one large file. I'd like to know why people are paid good money to think in such a back-asswards manner. Why would you call the file system a file? There's one good reason...UNIX...an archaic system that should have been scrapped years ago. DOS was primitive but it made sense. Linux, which is based on Unix, makes sense only to geeks who are willing to persist until they absorb the Unix nonsense.

    I mean no offense to anyone who uses Linux but I cannot get into it because it grates me trying to learn concepts that date back to the 1980's, at least. I have moved on from DOS and Unix is just as old, or older.

    A hallmark of unix is files with no extensions. Why? In DOS or Windows, you can tell immediately what kind of file you are looking at based on the extension. I may be wrong, but doesn't Unix also declare directories to be files? For some reason, Microsoft is hung up on perpetuating that abstracted file system.

    I have come across several pdf files that try to explain NTFS and I will post some links for anyone interested.

    http://grayscale-research.org/new/pdfs/NTFS%20forensics.pdf

    http://dubeyko.com/development/FileSystems/NTFS/ntfsdoc.pdf

    http://www.alex-ionescu.com/NTFS.pdf

    If anyone has the time to thumb through these docs I'd appreciate comments on how to decipher even the opening file in $MFT

    Here is the $MftMirr file, which is a duplicate of the first 4 metafiles in an MFT file. I have figured out the first part up to 2050, but the string at 2050 doesn't make sense yet. Note that $MFT refers to itself at 20F2:

    Code:
        Offset    |  0  1  2  3  4  5  6  7 -  8  9  A  B  C  D  E  F |       ASCII      
    -----------------------------------------------------------------------------------
      0000002000  | 46 49 4C 45 30 00 03 00   E0 22 00 02 00 00 00 00 | FILE0...."......
      0000002010  | 01 00 01 00 38 00 01 00   98 01 00 00 00 04 00 00 | ....8...........
      0000002020  | 00 00 00 00 00 00 00 00   07 00 00 00 00 00 00 00 | ................
      0000002030  | 07 00 00 00 00 00 00 00   10 00 00 00 60 00 00 00 | ............`...
      0000002040  | 00 00 18 00 00 00 00 00   48 00 00 00 18 00 00 00 | ........H.......
      0000002050  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      0000002060  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      0000002070  | 06 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002080  | 00 00 00 00 00 01 00 00   00 00 00 00 00 00 00 00 | ................
      0000002090  | 00 00 00 00 00 00 00 00   30 00 00 00 68 00 00 00 | ........0...h...
      00000020A0  | 00 00 18 00 00 00 03 00   4A 00 00 00 18 00 01 00 | ........J.......
      00000020B0  | 05 00 00 00 00 00 05 00   CF CB C8 CC F3 3B CE 01 | .............;..
      00000020C0  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      00000020D0  | CF CB C8 CC F3 3B CE 01   00 00 04 00 00 00 00 00 | .....;..........
      00000020E0  | 00 00 04 00 00 00 00 00   06 00 00 00 00 00 00 00 | ................
      00000020F0  | 04 03 24 00 4D 00 46 00   54 00 00 00 00 00 00 00 | ..$.M.F.T.......
      0000002100  | 80 00 00 00 48 00 00 00   01 00 40 00 00 00 01 00 | ....H.....@.....
      0000002110  | 00 00 00 00 00 00 00 00   3F 00 00 00 00 00 00 00 | ........?.......
      0000002120  | 40 00 00 00 00 00 00 00   00 00 04 00 00 00 00 00 | @...............
      0000002130  | 00 00 04 00 00 00 00 00   00 00 04 00 00 00 00 00 | ................
      0000002140  | 31 40 00 00 0C 00 FF FF   B0 00 00 00 48 00 00 00 | 1@..........H...
      0000002150  | 01 00 40 00 00 00 06 00   00 00 00 00 00 00 00 00 | ..@.............
      0000002160  | 00 00 00 00 00 00 00 00   40 00 00 00 00 00 00 00 | ........@.......
      0000002170  | 00 10 00 00 00 00 00 00   20 00 00 00 00 00 00 00 | ........ .......
      0000002180  | 20 00 00 00 00 00 00 00   31 01 FF FF 0B 00 00 00 |  .......1.......
      0000002190  | FF FF FF FF 00 00 00 00   08 10 00 00 00 00 00 00 | ................
      00000021A0  | 31 01 FF FF 0B 11 01 FF   00 F7 99 01 80 FA FF FF | 1...............
      00000021B0  | FF FF FF FF 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000021C0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000021D0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000021E0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000021F0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 07 00 | ................
      0000002200  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002210  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002220  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002230  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002240  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002250  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002260  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002270  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002280  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002290  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000022A0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000022B0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000022C0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000022D0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000022E0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000022F0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002300  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002310  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002320  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002330  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002340  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002350  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002360  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002370  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002380  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002390  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000023A0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000023B0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000023C0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000023D0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000023E0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000023F0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 07 00 | ................
      0000002400  | 46 49 4C 45 30 00 03 00   26 23 00 02 00 00 00 00 | FILE0...&#......
      0000002410  | 01 00 01 00 38 00 01 00   58 01 00 00 00 04 00 00 | ....8...X.......
      0000002420  | 00 00 00 00 00 00 00 00   04 00 00 00 01 00 00 00 | ................
      0000002430  | 04 00 00 00 00 00 00 00   10 00 00 00 60 00 00 00 | ............`...
      0000002440  | 00 00 18 00 00 00 00 00   48 00 00 00 18 00 00 00 | ........H.......
      0000002450  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      0000002460  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      0000002470  | 06 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002480  | 00 00 00 00 00 01 00 00   00 00 00 00 00 00 00 00 | ................
      0000002490  | 00 00 00 00 00 00 00 00   30 00 00 00 70 00 00 00 | ........0...p...
      00000024A0  | 00 00 18 00 00 00 02 00   52 00 00 00 18 00 01 00 | ........R.......
      00000024B0  | 05 00 00 00 00 00 05 00   CF CB C8 CC F3 3B CE 01 | .............;..
      00000024C0  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      00000024D0  | CF CB C8 CC F3 3B CE 01   00 10 00 00 00 00 00 00 | .....;..........
      00000024E0  | 00 10 00 00 00 00 00 00   06 00 00 00 00 00 00 00 | ................
      00000024F0  | 08 03 24 00 4D 00 46 00   54 00 4D 00 69 00 72 00 | ..$.M.F.T.M.i.r.
      0000002500  | 72 00 00 00 00 00 00 00   80 00 00 00 48 00 00 00 | r...........H...
      0000002510  | 01 00 40 00 00 00 01 00   00 00 00 00 00 00 00 00 | ..@.............
      0000002520  | 00 00 00 00 00 00 00 00   40 00 00 00 00 00 00 00 | ........@.......
      0000002530  | 00 10 00 00 00 00 00 00   00 10 00 00 00 00 00 00 | ................
      0000002540  | 00 10 00 00 00 00 00 00   11 01 02 00 00 00 00 00 | ................
      0000002550  | FF FF FF FF 00 00 00 00   12 00 00 00 01 02 00 00 | ................
      0000002560  | 00 00 00 05 20 00 00 00   20 02 00 00 00 00 00 00 | .... ... .......
      0000002570  | 80 00 00 00 48 00 00 00   01 00 40 00 00 00 01 00 | ....H.....@.....
      0000002580  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002590  | 40 00 00 00 00 00 00 00   00 10 00 00 00 00 00 00 | @...............
      00000025A0  | 00 10 00 00 00 00 00 00   00 10 00 00 00 00 00 00 | ................
      00000025B0  | 11 01 02 00 00 00 00 00   FF FF FF FF 00 00 00 00 | ................
      00000025C0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000025D0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000025E0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000025F0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 04 00 | ................
      0000002600  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002610  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002620  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002630  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002640  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002650  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002660  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002670  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002680  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002690  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000026A0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000026B0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000026C0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000026D0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000026E0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000026F0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002700  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002710  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002720  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002730  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002740  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002750  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002760  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002770  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002780  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002790  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000027A0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000027B0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000027C0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000027D0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000027E0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000027F0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 04 00 | ................
      0000002800  | 46 49 4C 45 30 00 03 00   6C 23 00 02 00 00 00 00 | FILE0...l#......
      0000002810  | 02 00 01 00 38 00 01 00   58 01 00 00 00 04 00 00 | ....8...X.......
      0000002820  | 00 00 00 00 00 00 00 00   04 00 00 00 02 00 00 00 | ................
      0000002830  | 04 00 00 00 00 00 00 00   10 00 00 00 60 00 00 00 | ............`...
      0000002840  | 00 00 18 00 00 00 00 00   48 00 00 00 18 00 00 00 | ........H.......
      0000002850  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      0000002860  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      0000002870  | 06 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002880  | 00 00 00 00 00 01 00 00   00 00 00 00 00 00 00 00 | ................
      0000002890  | 00 00 00 00 00 00 00 00   30 00 00 00 70 00 00 00 | ........0...p...
      00000028A0  | 00 00 18 00 00 00 02 00   52 00 00 00 18 00 01 00 | ........R.......
      00000028B0  | 05 00 00 00 00 00 05 00   CF CB C8 CC F3 3B CE 01 | .............;..
      00000028C0  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      00000028D0  | CF CB C8 CC F3 3B CE 01   00 00 00 04 00 00 00 00 | .....;..........
      00000028E0  | 00 00 00 04 00 00 00 00   06 00 00 00 00 00 00 00 | ................
      00000028F0  | 08 03 24 00 4C 00 6F 00   67 00 46 00 69 00 6C 00 | ..$.L.o.g.F.i.l.
      0000002900  | 65 00 00 00 00 00 00 00   80 00 00 00 48 00 00 00 | e...........H...
      0000002910  | 01 00 40 00 00 00 01 00   00 00 00 00 00 00 00 00 | ..@.............
      0000002920  | FF 3F 00 00 00 00 00 00   40 00 00 00 00 00 00 00 | .?......@.......
      0000002930  | 00 00 00 04 00 00 00 00   00 00 00 04 00 00 00 00 | ................
      0000002940  | 00 00 00 04 00 00 00 00   32 00 40 6F 71 0B 00 00 | ........2.@oq...
      0000002950  | FF FF FF FF 00 00 00 00   12 00 00 00 01 02 00 00 | ................
      0000002960  | 00 00 00 05 20 00 00 00   20 02 00 00 00 00 00 00 | .... ... .......
      0000002970  | 80 00 00 00 48 00 00 00   01 00 40 00 00 00 01 00 | ....H.....@.....
      0000002980  | 00 00 00 00 00 00 00 00   FF 3F 00 00 00 00 00 00 | .........?......
      0000002990  | 40 00 00 00 00 00 00 00   00 00 00 04 00 00 00 00 | @...............
      00000029A0  | 00 00 00 04 00 00 00 00   00 00 00 04 00 00 00 00 | ................
      00000029B0  | 32 00 40 6F 71 0B 00 00   FF FF FF FF 00 00 00 00 | 2.@oq...........
      00000029C0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000029D0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000029E0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      00000029F0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 04 00 | ................
      0000002A00  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002A10  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002A20  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002A30  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002A40  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002A50  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002A60  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002A70  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002A80  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002A90  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002AA0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002AB0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002AC0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002AD0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002AE0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002AF0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002B00  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002B10  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002B20  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002B30  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002B40  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002B50  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002B60  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002B70  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002B80  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002B90  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002BA0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002BB0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002BC0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002BD0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002BE0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002BF0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 04 00 | ................
      0000002C00  | 46 49 4C 45 30 00 03 00   56 08 00 07 00 00 00 00 | FILE0...V.......
      0000002C10  | 03 00 01 00 38 00 01 00   00 02 00 00 00 04 00 00 | ....8...........
      0000002C20  | 00 00 00 00 00 00 00 00   07 00 00 00 03 00 00 00 | ................
      0000002C30  | 06 00 00 00 00 00 00 00   10 00 00 00 48 00 00 00 | ............H...
      0000002C40  | 00 00 18 00 00 00 00 00   30 00 00 00 18 00 00 00 | ........0.......
      0000002C50  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      0000002C60  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      0000002C70  | 06 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002C80  | 30 00 00 00 68 00 00 00   00 00 18 00 00 00 01 00 | 0...h...........
      0000002C90  | 50 00 00 00 18 00 01 00   05 00 00 00 00 00 05 00 | P...............
      0000002CA0  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      0000002CB0  | CF CB C8 CC F3 3B CE 01   CF CB C8 CC F3 3B CE 01 | .....;.......;..
      0000002CC0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002CD0  | 06 00 00 00 00 00 00 00   07 03 24 00 56 00 6F 00 | ..........$.V.o.
      0000002CE0  | 6C 00 75 00 6D 00 65 00   40 00 00 00 28 00 00 00 | l.u.m.e.@...(...
      0000002CF0  | 00 00 00 00 00 00 06 00   10 00 00 00 18 00 00 00 | ................
      0000002D00  | 9E 79 2D AB 22 22 5E 44   BF 60 42 68 B7 C6 68 A2 | .y-.""^D.`Bh..h.
      0000002D10  | 50 00 00 00 80 00 00 00   00 00 18 00 00 00 02 00 | P...............
      0000002D20  | 64 00 00 00 18 00 00 00   01 00 04 80 48 00 00 00 | d...........H...
      0000002D30  | 54 00 00 00 00 00 00 00   14 00 00 00 02 00 34 00 | T.............4.
      0000002D40  | 02 00 00 00 00 00 14 00   9F 01 12 00 01 01 00 00 | ................
      0000002D50  | 00 00 00 05 12 00 00 00   00 00 18 00 9F 01 12 00 | ................
      0000002D60  | 01 02 00 00 00 00 00 05   20 00 00 00 20 02 00 00 | ........ ... ...
      0000002D70  | 01 01 00 00 00 00 00 05   12 00 00 00 01 02 00 00 | ................
      0000002D80  | 00 00 00 05 20 00 00 00   20 02 00 00 00 00 00 00 | .... ... .......
      0000002D90  | 60 00 00 00 28 00 00 00   00 00 18 00 00 00 04 00 | `...(...........
      0000002DA0  | 0C 00 00 00 18 00 00 00   4A 00 75 00 6E 00 69 00 | ........J.u.n.i.
      0000002DB0  | 6F 00 72 00 00 00 00 00   70 00 00 00 28 00 00 00 | o.r.....p...(...
      0000002DC0  | 00 00 18 00 00 00 05 00   0C 00 00 00 18 00 00 00 | ................
      0000002DD0  | 00 00 00 00 00 00 00 00   03 01 00 00 00 00 00 00 | ................
      0000002DE0  | 80 00 00 00 18 00 00 00   00 00 18 00 00 00 03 00 | ................
      0000002DF0  | 00 00 00 00 18 00 00 00   FF FF FF FF 00 00 06 00 | ................
      0000002E00  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002E10  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002E20  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002E30  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002E40  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002E50  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002E60  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002E70  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002E80  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002E90  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002EA0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002EB0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002EC0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002ED0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002EE0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002EF0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002F00  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002F10  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002F20  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002F30  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002F40  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002F50  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002F60  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002F70  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002F80  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002F90  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002FA0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002FB0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002FC0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002FD0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002FE0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 | ................
      0000002FF0  | 00 00 00 00 00 00 00 00   00 00 00 00 00 00 06 00 | ................

  6. #21
    Quote Originally Posted by WaxfordSqueers View Post
    The question is which app to use.
    Still talking to myself....

    Made some headway. The free app I suggested earlier, Active@ Disk Editor, has a feature where it uses templates to reveal the structure of the $MFT file. When a template is selected, you have to move it to the pertinent code, then it highlights data that aligns with its template. When the alignment is correct, it gives really in-depth information about the MFT file structure.

    You can move it over the first sector of an NTFS (or FAT, or Linux) partition and it reveals in-depth info about the boot partition, which also points to the $MFT file and its mirror on NTFS systems. Another template can be pointed to the $MFT file once it is found. Within the MFT, records have a signature called 'FILE', that marks various metafiles. When the template is over any record marked 'FILE', it reveals detailed info about that record.

    Came across another free site called sleuthkit ( http://www.sleuthkit.org/ ) and they seem to have interesting tools for examining disk data.

    There are apparently two files in the MFT, $UsnJrnl and $LogFile, that can be used in conjunction with $MFT to help reconstruct a disk structure damaged by a power failure or malware. It has yet to be seen whether a recovery from stupidity can be pulled off, when a bleary-eyed surveyor uses a clone, thinking it's an image creation.
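To make the boot-sector step in the post above concrete, here is an added Python example (my own code, not part of this thread and not Active@'s template logic) that parses the NTFS boot sector fields that matter for locating the MFT: bytes per sector, sectors per cluster, the starting clusters of $MFT and $MFTMirr, and the signed clusters-per-record byte, where a negative value n means each FILE record is 2^-n bytes regardless of cluster size. The sample sector is constructed inside the code, not captured from a disk; its values (4 KiB clusters, 1 KiB records, $MFT at cluster 0xC0000, $MFTMirr at cluster 2) were chosen to agree with the data runs visible in the $MftMirr dump posted earlier in the thread. All function and key names are mine.

```python
import struct


def decode_sectors_per_cluster(v: int) -> int:
    """Values above 0x80 are the encoding newer NTFS uses for clusters over 64 KiB:
    the byte holds 256 minus log2 of the sectors per cluster (0xF8 -> 256)."""
    return v if v <= 0x80 else 1 << (256 - v)


def decode_record_size(v: int, cluster_size: int) -> int:
    """Signed byte: positive is a cluster count; negative n means 2**(-n) bytes
    regardless of cluster size, so 0xF6 (-10) gives the usual 1024-byte record."""
    return (1 << -v) if v < 0 else v * cluster_size


def parse_boot_sector(sector: bytes) -> dict:
    """Decode the boot-sector fields needed to find $MFT and $MFTMirr on the volume."""
    if len(sector) < 512 or sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    if sector[3:7] != b"NTFS":
        raise ValueError(f"OEM ID is not NTFS: {sector[3:11]!r}")
    bytes_per_sector, spc_raw = struct.unpack_from("<HB", sector, 0x0B)
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        raise ValueError(f"implausible bytes per sector: {bytes_per_sector}")
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    rec_raw, idx_raw = struct.unpack_from("<bxxxb", sector, 0x40)
    serial = struct.unpack_from("<Q", sector, 0x48)[0]
    cluster = bytes_per_sector * decode_sectors_per_cluster(spc_raw)
    total_clusters = total_sectors * bytes_per_sector // cluster
    if mft_lcn >= total_clusters or mftmirr_lcn >= total_clusters:
        raise ValueError("$MFT or $MFTMirr cluster lies outside the volume: corrupt boot sector")
    return {
        "bytes_per_sector": bytes_per_sector,
        "cluster_size": cluster,
        "total_clusters": total_clusters,
        "volume_size_bytes": total_sectors * bytes_per_sector,
        "mft_record_size": decode_record_size(rec_raw, cluster),
        "index_record_size": decode_record_size(idx_raw, cluster),
        "mft_byte_offset": mft_lcn * cluster,
        "mftmirr_byte_offset": mftmirr_lcn * cluster,
        "volume_serial": f"{serial:016X}",
    }


def sample_boot_sector() -> bytes:
    """Constructed NTFS boot sector (not captured from a disk): 512-byte sectors, 8 sectors
    per cluster, $MFT at LCN 0xC0000, $MFTMirr at LCN 2, 0xF6 clusters per record. Those
    values match the data runs visible in the $MftMirr dump posted earlier in the thread."""
    s = bytearray(512)
    s[0:3], s[3:11] = b"\xEB\x52\x90", b"NTFS    "
    struct.pack_into("<HBH", s, 0x0B, 512, 8, 0)               # bytes/sector, sectors/cluster, reserved
    s[0x15] = 0xF8                                            # media descriptor: fixed disk
    struct.pack_into("<HHI", s, 0x18, 63, 255, 2048)          # sectors/track, heads, hidden sectors
    struct.pack_into("<QQQ", s, 0x28, 976771071, 0xC0000, 2)  # total sectors, $MFT LCN, $MFTMirr LCN
    struct.pack_into("<bxxxb", s, 0x40, -10, 1)               # clusters per MFT record / index record
    struct.pack_into("<Q", s, 0x48, 0x1234567890ABCDEF)       # volume serial (made up)
    s[0x1FE:0x200] = b"\x55\xAA"
    return bytes(s)


if __name__ == "__main__":
    for k, v in parse_boot_sector(sample_boot_sector()).items():
        print(f"{k:>20}: {v:#x}" if isinstance(v, int) else f"{k:>20}: {v}")
```

The range check on the two cluster numbers is the part worth keeping in a recovery tool: a boot sector that has been partly overwritten still carries the "NTFS" OEM ID and the 0x55AA signature, and the only thing that gives it away is an $MFT cluster that points past the end of the volume. When the first sector is gone altogether, NTFS keeps a backup copy in the last sector of the partition, and the FILE signatures in the records themselves are what a carver searches for.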

  7. #22
    Quote Originally Posted by WaxfordSqueers View Post
    Here is the $MftMirr file which is a duplicate of the first 4 metafiles in an MFT file.
    I posted the data (in a code window) a couple of posts back for a $MftMirr file. At offset 2050 and at 20B8, there are 4 quadwords. Those are the times and dates at which the records were written and modified. In between there are attributes that tell you more about the records. It's a bit hairy but it's nice to finally make some sense of it.
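As an added worked example (my code, not from the thread, from Active@ or from any of the linked PDFs), here is a Python parser that decodes record 0 ($MFT) from the $MftMirr dump posted in #20 the way a template tool does: it checks and applies the update-sequence fixups, walks the attribute list, converts the four FILETIME quadwords at 2050 ($STANDARD_INFORMATION) and at 20B8 ($FILE_NAME) that #22 identifies, decodes the UTF-16 name at 20F2, and decodes the $DATA data runs to find where $MFT itself lives on the volume. The record bytes are transcribed from the dump (rows 2000 through 2190, zero-filled to 1 KiB, with the 0007 update-sequence number in the last word of each sector as the dump shows at 21FE and 23FE); the dictionary keys and function names are mine.

```python
import struct
from datetime import datetime, timedelta, timezone

# Record 0 ($MFT) transcribed from the $MftMirr dump in #20, rows 0x2000 through 0x2190.
# The rest of the 1 KiB record is zero apart from the update-sequence number 0x0007
# that the dump shows in the last word of each 512-byte sector (0x21FE and 0x23FE).
RECORD0_HEAD_HEX = """
46 49 4C 45 30 00 03 00 E0 22 00 02 00 00 00 00 01 00 01 00 38 00 01 00 98 01 00 00 00 04 00 00
00 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 10 00 00 00 60 00 00 00
00 00 18 00 00 00 00 00 48 00 00 00 18 00 00 00 CF CB C8 CC F3 3B CE 01 CF CB C8 CC F3 3B CE 01
CF CB C8 CC F3 3B CE 01 CF CB C8 CC F3 3B CE 01 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00 68 00 00 00
00 00 18 00 00 00 03 00 4A 00 00 00 18 00 01 00 05 00 00 00 00 00 05 00 CF CB C8 CC F3 3B CE 01
CF CB C8 CC F3 3B CE 01 CF CB C8 CC F3 3B CE 01 CF CB C8 CC F3 3B CE 01 00 00 04 00 00 00 00 00
00 00 04 00 00 00 00 00 06 00 00 00 00 00 00 00 04 03 24 00 4D 00 46 00 54 00 00 00 00 00 00 00
80 00 00 00 48 00 00 00 01 00 40 00 00 00 01 00 00 00 00 00 00 00 00 00 3F 00 00 00 00 00 00 00
40 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00
31 40 00 00 0C 00 FF FF B0 00 00 00 48 00 00 00 01 00 40 00 00 00 06 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00
20 00 00 00 00 00 00 00 31 01 FF FF 0B 00 00 00 FF FF FF FF 00 00 00 00 08 10 00 00 00 00 00 00
"""
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA", 0xB0: "$BITMAP"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME quadword (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def timestamps(v: bytes, at: int) -> dict:
    # The four FILETIMEs open $STANDARD_INFORMATION (at 0) and follow the parent ref in $FILE_NAME (at 8).
    names = ("created", "modified", "mft_modified", "accessed")
    return dict(zip(names, map(filetime_to_datetime, struct.unpack_from("<4Q", v, at))))


def mft_record0() -> bytes:
    # The 1 KiB record as it sits on disk, sector-end words still holding the USN.
    rec = bytearray(bytes.fromhex(RECORD0_HEAD_HEX))
    rec += bytes(1024 - len(rec))
    rec[0x1FE:0x200] = rec[0x3FE:0x400] = b"\x07\x00"
    return bytes(rec)


def apply_fixups(raw: bytes, sector_size: int = 512) -> bytes:
    """Verify the update-sequence array and put each sector's real last word back.
    A mismatch means a torn write or corruption, so the record is refused."""
    usa_off, usa_count = struct.unpack_from("<HH", raw, 4)
    usn, rec = raw[usa_off:usa_off + 2], bytearray(raw)
    for i in range(1, usa_count):
        end = i * sector_size
        if rec[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or corrupt record")
        rec[end - 2:end] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def decode_runs(data: bytes) -> list:
    """Data-run list -> [(start_lcn, cluster_count)]; LCN None marks a sparse run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(data) and data[pos]:
        len_sz, off_sz = data[pos] & 0xF, data[pos] >> 4
        length = int.from_bytes(data[pos + 1:pos + 1 + len_sz], "little")
        pos += 1 + len_sz
        if off_sz == 0:
            runs.append((None, length))
        else:  # the offset is signed and relative to the previous run's LCN
            lcn += int.from_bytes(data[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
            runs.append((lcn, length))
    return runs


def parse_record(raw: bytes) -> dict:
    """Parse one FILE record: header fields plus every attribute, decoded where it matters."""
    if raw[:4] != b"FILE":
        raise ValueError("no FILE signature")
    rec = apply_fixups(raw)
    seq, _links, attr_off, flags, _used, alloc = struct.unpack_from("<HHHHII", rec, 0x10)
    info = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0], "sequence": seq,
            "in_use": bool(flags & 1), "is_directory": bool(flags & 2), "attributes": []}
    off = attr_off
    while off + 8 <= alloc:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF:  # end-of-attributes marker
            break
        if alen < 0x18 or off + alen > alloc:
            raise ValueError(f"bad attribute length {alen:#x} at {off:#x}")
        nonres, _nlen, _noff, _aflags, attr_id = struct.unpack_from("<BBHHH", rec, off + 8)
        a = {"type": atype, "type_name": ATTR_NAMES.get(atype, hex(atype)), "id": attr_id,
             "non_resident": bool(nonres)}
        if nonres:
            _svcn, _lvcn, run_off, _cu, _pad, alloc_sz, real_sz, _init = struct.unpack_from("<QQHHIQQQ", rec, off + 0x10)
            a.update(allocated_size=alloc_sz, real_size=real_sz, runs=decode_runs(rec[off + run_off:off + alen]))
        else:
            vlen, voff = struct.unpack_from("<IH", rec, off + 0x10)
            v = rec[off + voff:off + voff + vlen]
            if atype == 0x10:
                a.update(timestamps(v, 0))
            elif atype == 0x30:
                parent = struct.unpack_from("<Q", v, 0)[0]
                a.update(timestamps(v, 8), parent_record=parent & 0xFFFFFFFFFFFF, parent_sequence=parent >> 48,
                         namespace=v[0x41], filename=v[0x42:0x42 + 2 * v[0x40]].decode("utf-16-le"))
        info["attributes"].append(a)
        off += alen
    return info


if __name__ == "__main__":
    for a in parse_record(mft_record0())["attributes"]:
        print({k: v for k, v in a.items() if k != "type"})
```

Running it shows that $MFT is a single 64-cluster run starting at LCN 0xC0000 and that its $BITMAP sits in the cluster just before it, which is why the $FILE_NAME sizes at 20D8 and the $DATA sizes at 2128 all read 0x40000. The step to get right in any recovery tool is applying the fixups before trusting a single field: a torn write leaves the last word of a sector disagreeing with the update-sequence number at 2030, and a parser that skips that check will read two bytes of the USN in the middle of an attribute and carry on as if the data were good.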
