thewhiteninja / ntfstool
Forensics tool for NTFS (parser, mft, bitlocker, deleted files)
License: MIT License
Help
ntfstool.x64.exe help extract
extract command
---------------
ntfstool.x64.exe extract [disk id] [volume id] [from] [output]
- Extract a file specified by a path in from to output
Extract a file:
> ntfstool.x64.exe extract disk=0 volume=1 from="c:\windows\notepad.exe" output = "d:\notepad.exe"
Extract SAM hive:
> ntfstool.x64.exe extract disk=0 volume=1 --sam output = "d:\sam"
Extract SYSTEM file:
> ntfstool.x64.exe extract disk=0 volume=1 --system output = "d:\system"
Log:
ntfstool.x64.exe extract disk=2 volume=2 from="P:\$MFT" output = "A:\tmp\P_MFT"
[!] Invalid option: =
[!] Invalid option: A:\tmp\P_MFT
Windows 10 introduces Windows Overlay Filtering compression for NTFS.
And there is even a Windows 10 "Compact Edition", where that compression is turned on by default.
To check it, just run on Windows 10/11:
compact.exe /c /exe:lzx c:\windows\splwow64.exe
ntfstool extract disk=1 volume=2 from="c:\windows\splwow64.exe:WofCompressedData" output="c:\splwow64.exe,compact"
Note the sparse/reparse flags are set, a new ADS $DATA:WofCompressedData, and a $REPARSE_POINT with Type "Windows Overlay" (IO_REPARSE_TAG_WOF).
MFT (inode:396322) from \\.\PhysicalDrive1 > Volume:2
-----------------------------------------------------
Signature : FILE
Update Offset : 48
Update Number : 3
$LogFile LSN : 285433403226
Sequence Number : 1
Hardlink Count : 2
Attribute Offset : 56
Flags : In_use
Real Size : 936
Allocated Size : 1024
Base File Record : 0000000000000000h
Next Attribute ID : 14
MFT Record Index : 396322
Update Seq Number : 8
Update Seq Array : 00000000
Attributes:
-----------
+------------------------------------------------------------------------------------------------------+
| Id | Type | Non-resident | Length | Overview |
+------------------------------------------------------------------------------------------------------+
| 1 | $STANDARD_INFORMATION | False | 72 | File Created Time : 2020-09-02 12:49:59 |
| | | | | Last File Write Time : 2022-02-12 02:14:21 |
| | | | | FileRecord Changed Time : 2022-02-12 02:14:21 |
| | | | | Last Access Time : 2022-02-12 02:14:21 |
| | | | | Permissions : |
| | | | | read_only : 0 |
| | | | | hidden : 0 |
| | | | | system : 0 |
| | | | | device : 0 |
| | | | | normal : 0 |
| | | | | temporary : 0 |
| | | | | sparse : 1 |
| | | | | reparse_point : 1 |
| | | | | compressed : 0 |
| | | | | offline : 0 |
| | | | | not_indexed : 0 |
| | | | | encrypted : 0 |
| | | | | Max Number of Versions : 0 |
| | | | | Version Number : 0 |
+------------------------------------------------------------------------------------------------------+
| 2 | $FILE_NAME | False | 90 | Parent Dir Record Index : 396463 |
| | | | | Parent Dir Sequence Num : 1 |
| | | | | File Created Time : 2020-09-02 12:49:59 |
| | | | | Last File Write Time : 2020-09-02 12:49:59 |
| | | | | FileRecord Changed Time : 2020-09-02 12:49:59 |
| | | | | Last Access Time : 2020-09-02 12:49:59 |
| | | | | Allocated Size : 167936 |
| | | | | Real Size : 165376 |
| | | | | ------ |
| | | | | NameType : DOS & WIN32 |
| | | | | Name : splwow64.exe |
+------------------------------------------------------------------------------------------------------+
| 3 | $FILE_NAME | False | 90 | Parent Dir Record Index : 493 |
| | | | | Parent Dir Sequence Num : 1 |
| | | | | File Created Time : 2020-09-02 12:49:59 |
| | | | | Last File Write Time : 2020-09-02 17:31:19 |
| | | | | FileRecord Changed Time : 2020-09-02 12:49:59 |
| | | | | Last Access Time : 2020-09-02 12:49:59 |
| | | | | Allocated Size : 167936 |
| | | | | Real Size : 165376 |
| | | | | ------ |
| | | | | NameType : POSIX |
| | | | | Name : splwow64.exe |
+------------------------------------------------------------------------------------------------------+
| 4 | $DATA | True | 165376 | Data Size : 165376 (161.50 KiBs) |
| | | | | Flags : |
| | | | | Sparse |
| | | | | Dataruns : |
| | | | | Length: 00000030 Offset: 00000000 (S) |
| | | | | Size on disk : 0 (0.00 byte) |
+------------------------------------------------------------------------------------------------------+
| 5 | $DATA | True | 88570 | Name : WofCompressedData |
| | | | | Data Size : 88570 (86.49 KiBs) |
| | | | | Dataruns : |
| | | | | Length: 00000016 Offset: 031e33bc |
| | | | | Size on disk : 90112 (88.00 KiBs) |
+------------------------------------------------------------------------------------------------------+
| 6 | $REPARSE_POINT | False | 24 | Type : Windows Overlay |
| | | | | Unsupported reparse point type |
+------------------------------------------------------------------------------------------------------+
| 7 | $EA_INFORMATION | False | 8 | NYI attribute type |
+------------------------------------------------------------------------------------------------------+
| 8 | $EA | False | 92 | NYI attribute type |
+------------------------------------------------------------------------------------------------------+
| 9 | $LOGGED_UTILITY_STREAM | False | 8 | Binary data |
+------------------------------------------------------------------------------------------------------+
| 10 | $LOGGED_UTILITY_STREAM | False | 56 | Binary data |
+------------------------------------------------------------------------------------------------------+
There are XPRESS4K/XPRESS8K/XPRESS16K/LZX compression algorithms. And this tag should also support WIM files (the reparse point can reference a WIM archive), but I have no proof of it.
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/compact-os?view=windows-11
RtlDecompressBufferEx has support for COMPRESSION_FORMAT_XPRESS_HUFF; a WIM-LZX decompressor can be found on GitHub...
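An added example (not ntfstool code) that decodes the 24-byte $REPARSE_POINT value from the dump above: an 8-byte reparse header (tag IO_REPARSE_TAG_WOF = 0x80000017, data length 16) followed by the 8-byte WOF provider info and the 8-byte file-provider info that names the algorithm. The constants are from the Windows SDK; the sample buffer is constructed, and the layout check at the end assumes that a file compressed by compact.exe shows all three signs at once (sparse + reparse_point flags, the WofCompressedData stream and the WOF tag), as the dump does.

```python
import struct

# Values from the Windows SDK (winioctl.h / winnt.h).
IO_REPARSE_TAG_WOF = 0x80000017
WOF_CURRENT_VERSION = 1
WOF_PROVIDER_FILE = 2                  # provider 1 is WIM-backed; compact.exe /exe uses the file provider
FILE_PROVIDER_CURRENT_VERSION = 1
FILE_PROVIDER_COMPRESSION = {0: ("XPRESS4K", 4096), 1: ("LZX", 32768),
                             2: ("XPRESS8K", 8192), 3: ("XPRESS16K", 16384)}
FILE_ATTRIBUTE_SPARSE_FILE = 0x200
FILE_ATTRIBUTE_REPARSE_POINT = 0x400


def parse_wof_reparse_point(buf: bytes) -> dict:
    """Decode a $REPARSE_POINT value written by WOF: reparse header + WOF_EXTERNAL_INFO + file-provider info."""
    if len(buf) < 8:
        raise ValueError("reparse buffer shorter than its 8-byte header")
    tag, data_len, _reserved = struct.unpack_from("<IHH", buf, 0)
    if tag != IO_REPARSE_TAG_WOF:
        raise ValueError(f"not a WOF reparse point: tag 0x{tag:08x}")
    if data_len != 16 or len(buf) < 8 + data_len:
        raise ValueError(f"unexpected WOF reparse data length {data_len}")
    # WOF_EXTERNAL_INFO {Version, Provider} then file-provider {Version, Algorithm}, all little-endian u32.
    wof_version, provider, fp_version, algorithm = struct.unpack_from("<IIII", buf, 8)
    if (wof_version, provider) != (WOF_CURRENT_VERSION, WOF_PROVIDER_FILE):
        raise ValueError(f"unsupported WOF provider {provider} (version {wof_version})")
    if fp_version != FILE_PROVIDER_CURRENT_VERSION or algorithm not in FILE_PROVIDER_COMPRESSION:
        raise ValueError(f"unsupported file-provider version {fp_version} / algorithm {algorithm}")
    name, chunk = FILE_PROVIDER_COMPRESSION[algorithm]
    return {"tag": tag, "provider": "file", "algorithm": name, "chunk_size": chunk}


def build_wof_reparse_point(algorithm: int) -> bytes:
    """Constructed sample of the 24-byte value that compact.exe /exe:<algo> leaves behind."""
    return struct.pack("<IHH", IO_REPARSE_TAG_WOF, 16, 0) + struct.pack(
        "<IIII", WOF_CURRENT_VERSION, WOF_PROVIDER_FILE, FILE_PROVIDER_CURRENT_VERSION, algorithm)


def wof_layout_consistent(std_info_flags: int, data_stream_names: list, reparse_value: bytes) -> bool:
    """Assumption: a WOF-compressed file shows three signs together; a partial set points at corruption."""
    wanted = FILE_ATTRIBUTE_SPARSE_FILE | FILE_ATTRIBUTE_REPARSE_POINT
    has_flags = std_info_flags & wanted == wanted
    has_stream = "WofCompressedData" in data_stream_names
    try:
        has_tag = parse_wof_reparse_point(reparse_value)["provider"] == "file"
    except ValueError:
        has_tag = False
    return has_flags and has_stream and has_tag
```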
Log:
ntfstool.x64.exe mft.record disk=2 volume=2
[!] Missing inode option. Unable to find file record.
Help:
ntfstool.x64.exe help mft
mft.record command
------------------
ntfstool.x64.exe mft.record [disk id] [volume id] (inode/from)
- Display MFT file record information and detailed attributes for selected disk, volume and inode/path
Display MFT file record for disk 0, volume 2:
> ntfstool.x64.exe mft.record disk=0 volume=2
Display MFT file record for disk 0, volume 2 and inode 5:
> ntfstool.x64.exe mft.record disk=0 volume=2 inode=5
Display MFT File record for disk 0, volume 2 and file "c:\file.bin":
> ntfstool.x64.exe mft.record disk=0 volume=2 from="c:\file.bin"
I got the following error while trying to build the tool (Debug mode, x64):
'std::shared_ptr<Buffer<PEFS_FEK>> decrypt_fek(RSA *,std::shared_ptr<Buffer>)': cannot convert argument 1 from 'const rsa_st *' to 'RSA *'
from ntfstool\Sources\Commands\command_efs.decrypt.cpp, line 172.
Environment: Windows 10, Visual Studio 2022 Community.
Hello, OP. Isn't this software for Mac? But I see the releases are x64/x86 .exe files; I couldn't find a Mac .dmg version.
Hello !
The USN extraction doesn't work for me; I use the command "usn disk=1 volume=0 output=usn.dat":
USN Journals from \.\PhysicalDrive0 > Volume:2
[+] Opening XX XXX
[+] Finding $Extend$UsnJrnl record
[+] Found in file record : 94136
[+] Data stream $J size : 3.66 GiBs (sparse)
[+] Reading $J
[+] Processing data: 7412 MB(s)
[!] Sorry, the application has crashed!
I've got this error:
Unhandled exception at 0x00007FFEBF1DDF47 (ntdll.dll) in ntfstool.x64.exe: 0xC00000FD: Stack overflow (parameters: 0x0000000000000001, 0x000000EE0EC03FD8).
Exception thrown at 0x00007FFEBF1DDF47 (ntdll.dll) in ntfstool.x64.exe: 0xC00000FD: Stack overflow (parameters: 0x0000000000000001, 0x000000EE0EC03FD8).
The error is in the ntfs_mft_record.cpp file, line 25:
MFTRecord::MFTRecord(PMFT_RECORD_HEADER pRecordHeader, MFT* mft, std::shared_ptr<NTFSReader> reader)
{
    _reader = reader;
    _mft = mft;
    if (pRecordHeader != NULL)
    {
        _record = std::make_shared<Buffer<PMFT_RECORD_HEADER>>(_reader->sizes.record_size); // XXX
        memcpy(_record->data(), pRecordHeader, _reader->sizes.record_size);
        apply_fixups(_record->data(), _record->size(), _record->data()->updateOffset, _record->data()->updateNumber);
    }
}
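Added example (not ntfstool code) of the validation a record loader can do before trusting a FILE record: check the signature and the update sequence array, undo the fixups sector by sector (what apply_fixups in the constructor above is for), then walk the attributes with bounds checks so a corrupt length field cannot run past the end of the record. It assumes 512-byte sectors and 1024-byte records (mft_record_size decodes the boot-sector byte that gives that size); the sample record is constructed, with header values taken from the dump earlier on this page.

```python
import struct

SECTOR_SIZE = 512          # assumed: 512-byte sectors, so a 1024-byte record carries 2 fixup words
END_MARKER = 0xFFFFFFFF    # terminates the attribute list inside a FILE record
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA",
              0x90: "$INDEX_ROOT", 0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP", 0xC0: "$REPARSE_POINT"}


def mft_record_size(clusters_per_record: int, bytes_per_cluster: int) -> int:
    """Decode the boot-sector 'clusters per MFT record' byte.
    Values >= 0x80 are negative: the record size is 2**(-value) bytes (0xF6 -> 1024, 0xF4 -> 4096)."""
    if clusters_per_record >= 0x80:
        return 1 << (0x100 - clusters_per_record)
    return clusters_per_record * bytes_per_cluster


def apply_fixups(record: bytearray) -> None:
    """Validate the FILE header and undo the update sequence array in place; raise on torn/corrupt data."""
    if len(record) < 48 or record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    sectors = len(record) // SECTOR_SIZE
    if usa_count != sectors + 1 or usa_off + 2 * usa_count > len(record):
        raise ValueError(f"bad update sequence array: offset {usa_off}, count {usa_count}")
    usn = bytes(record[usa_off:usa_off + 2])
    for i in range(sectors):
        end = (i + 1) * SECTOR_SIZE
        if bytes(record[end - 2:end]) != usn:           # every sector must end with the USN
            raise ValueError(f"fixup mismatch in sector {i}: record is torn or corrupt")
        saved = usa_off + 2 * (i + 1)                  # restore the word the USN overwrote
        record[end - 2:end] = record[saved:saved + 2]


def parse_record(raw: bytes) -> dict:
    """Parse one FILE record: header fields (as ntfstool prints them) plus a bounds-checked attribute walk."""
    rec = bytearray(raw)
    apply_fixups(rec)
    (_, usa_off, usa_count, lsn, seq, links, attr_off, flags, in_use, allocated,
     base_ref, next_id, _, number) = struct.unpack_from("<4sHHQHHHHIIQHHI", rec, 0)
    if allocated != len(rec) or in_use > allocated or attr_off < usa_off + 2 * usa_count:
        raise ValueError("inconsistent record sizes")
    out = {"record_number": number, "sequence": seq, "hardlinks": links, "lsn": lsn,
           "in_use": bool(flags & 1), "directory": bool(flags & 2), "base_record": base_ref,
           "next_attribute_id": next_id, "bytes_in_use": in_use, "attributes": []}
    off = attr_off
    while off + 8 <= in_use:
        atype, length = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER:
            return out
        non_res, name_len, name_off, attr_id = struct.unpack_from("<BBHxxH", rec, off + 8)
        if length < 24 or length % 8 or off + length > in_use:
            raise ValueError(f"attribute at {off} has bad length {length}")
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        attr = {"id": attr_id, "type": ATTR_NAMES.get(atype, f"0x{atype:x}"), "name": name,
                "non_resident": bool(non_res), "value": None, "size": None}
        if non_res:
            if length < 0x40:
                raise ValueError(f"non-resident attribute {attr_id} header truncated")
            attr["size"] = struct.unpack_from("<Q", rec, off + 0x30)[0]      # real (logical) size
        else:
            vlen, voff = struct.unpack_from("<IH", rec, off + 0x10)
            if voff + vlen > length:
                raise ValueError(f"resident value of attribute {attr_id} overruns its header")
            attr["value"] = bytes(rec[off + voff:off + voff + vlen])
            attr["size"] = vlen
        out["attributes"].append(attr)
        off += length
    raise ValueError("attribute list not terminated")


def resident_attr(atype: int, value: bytes, attr_id: int, name: str = "") -> bytes:
    """Serialize a resident attribute: 24-byte header, optional UTF-16 name, 8-byte aligned value."""
    nameb = name.encode("utf-16-le")
    voff = (24 + len(nameb) + 7) & ~7
    length = (voff + len(value) + 7) & ~7
    body = struct.pack("<IIBBHHH", atype, length, 0, len(name), 24, 0, attr_id)
    body += struct.pack("<IHBB", len(value), voff, 0, 0) + nameb
    body += b"\x00" * (voff - len(body)) + value
    return body + b"\x00" * (length - len(body))


def build_sample_record() -> bytes:
    """Constructed sample: a 1024-byte FILE record as it sits on disk, i.e. with fixups still applied."""
    rec = bytearray(1024)
    attrs = resident_attr(0x10, b"\x00" * 72, 0) + resident_attr(0x80, b"A" * 400, 2)
    attrs += struct.pack("<II", END_MARKER, 0)
    in_use = 56 + len(attrs)
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 48, 3, 285433403226, 1, 1, 56, 1,
                     in_use, 1024, 0, 3, 0, 396322)
    rec[56:in_use] = attrs
    usn = b"\x08\x00"                    # update sequence number 8, as in the dump above
    rec[48:50] = usn
    for i in range(2):                   # stash each sector's last word, then stamp the USN over it
        end = (i + 1) * SECTOR_SIZE
        rec[50 + 2 * i:52 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)
```

The $DATA value deliberately spans the first sector boundary, so it only reads back intact once the fixups have been undone.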
In line 85 of command_bitdecrypt.cpp, you call EVP_CIPHER_CTX_new to initialize, but you call EVP_CIPHER_CTX_free to release when the decryption is complete. This will cause decrypt_sector_fn, which is called continuously during decryption, to leak memory.
Hello!
I'm running into a weird problem with this tool. I'm not sure if it's because of the tool or because of how I've tried [re]formatting my disks, but I wanted to make a report here and see if something was up, or if I just really broke my filesystems (or my disks...)
I am leaning toward the idea that my disks may be borked, but I'm stumped as to why all my testing and reports are so inconsistent.
Anyway -
I have a decent number of disks on my local machine, just added three new ones, all formatted as GPT and using NTFS, two of the disks are 18T raw, the third is 20T raw. I seem to only be having this issue with the 18T disks (Model ST18000NM003J-2TV102)
I've tried formatting the disks multiple ways:
- pv < /dev/zero > /dev/sdb for about 64GiB, used fdisk to create a new GPT partitioning scheme, used mkfs.ntfs with a full zero format to create a new NTFS partition
- pv to zero the first few tens of GB of the disk, used Windows to reinitialize the disk and perform a quick format
Between each format or wipe & recreation, I ran through a series of tests, trying to view the MFT, volume info, partition info, defragging, and a few other "misc" non-scientific tests to validate the new partition was functional - and throughout those "tests" is where I found the inconsistencies with ntfstool.
My findings:
- 40, "Clusters per MFT record" - with a hex value of F6 - it suggests it should be F4 - cross checking some of my other disks (20T and a few SSDs and some 8T HDDs) - they all have F4 for that key.
- ntfstool gpt, but things appear to be "weird" when running it with the info param. Other commands like mft.*, reparse, shell, shadow - also do not work on the 18T disks.
I've created a gist where I've dumped a bunch of output from ntfsinfo.
Output of ntfstool info: https://gist.github.com/jwshields/403d5b01e430108bd289bf8947325c89#file-ntfstool-info
Output of ntfstool gpt: https://gist.github.com/jwshields/403d5b01e430108bd289bf8947325c89#file-ntfstool-gpt
I've also created a screenshot of the disk management menu in windows, showing most of my disks; I've highlighted the three I'm focusing though.
Plainly, I just don't understand.
Is this a bug in ntfstool, somehow? or is there a problem with my disks?
Above, I listed a bunch of ways I attempted to format the disks, each iteration seemed to give me the same results (ie, "Invalid or non-GPT partition table" - as well as Distrix UD failures when attempting to defrag), no matter how I wiped nor created the partitions.
Willing to provide any further information if needed, I'm also not attempting to look for spoonfeeding help here. If this is some weird bug, I'm more than happy to help out and give info, but if this is because my disks are bad, or my own stupidity, I'll concede without issue.
Thank you in advance, and thanks for such an awesome tool!
I'm studying the rootkit, which uses NTFS to hide files to make itself persistent, and I'm looking for a way to clear it.
Now, for some reason, I have this (totally normally working) partition which mft.record complains has no file record. Trying to run ls from shell or logfile.dump results in a crash.
LogFile from \\.\PhysicalDrive0 > Volume:2
------------------------------------------
[+] Opening \\?\Volume{cb55d575-0000-0000-0000-300300000000}\
[+] Reading $LogFile record
[!] Sorry, the application has crashed!
In WinDbg:
(4d78.2a30): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
[0x0] ntfstool_x64!std::_Ptr_base<Buffer<MFT_RECORD_HEADER *> >::get + 0x1b
[0x1] ntfstool_x64!std::shared_ptr<Buffer<MFT_RECORD_HEADER *> >::operator-><Buffer<MFT_RECORD_HEADER *>,0> + 0x20
[0x2] ntfstool_x64!MFTRecord::datasize + 0x6d
[0x3] ntfstool_x64!print_logfile_records + 0x47c
[0x4] ntfstool_x64!commands::logfile::dispatch + 0x282
00007ff7`ec0a782b 488b00 mov rax,qword ptr [rax] ds:00000000`00000010=????????????????
EDIT: maybe?
FVE Version : 2
State : ENCRYPTED
Size : 10485760000 (9.77 GiBs)
Encrypted Size : 10485759488 (9.77 GiBs)
Algorithm : AES-CBC-128-DIFFUSER
Decrypted img file data error: in the hexadecimal img file, the header is not EB 52 90 4E 54 46 53 20
Hi,
Great tool :) Can you please modify the volume selection process to allow the user to select volumes created by VeraCrypt, for example? VeraCrypt uses on-the-fly encryption, so the recovery process should work as on a physical drive, right? We just need a way to select them.
Thanks and have a nice day.
Dear author,
NTFS employs MFT records and index records to organize directories. Ntfstool can extract a single given file from a volume, demonstrating that it fully supports interpreting index records (in an implicit way). However, when it comes to the situation of fixing a corrupted file system (where we need to check whether all the index entries are valid), it is necessary to produce more explicit results than at present, to help check the index chains (especially for a layman only knowing some basic concepts about NTFS, such as me). In other words, what I am looking forward to is actually to find out where the B+ tree breaks, step by step.
For example, via the option mft disk=x volume=y inode=5, I can get the understandable information of the MFT file record related to the root directory as below. However, I cannot track its sub files and subdirectories further according to this result directly because I don't know how to use the obtained 'First Entry Offset' (which is 16) to check further, and don’t know the detailed information of index nodes, whose length is 152.
| 4 | $INDEX_ROOT | False | 168 | Attribute Type : Filename |
| | | | | Collation Rule : 1 |
| | | | | Index Alloc Entry Size : 4096 |
| | | | | Cluster/Index Record : 1 |
| | | | | ----- |
| | | | | First Entry Offset : 16 |
| | | | | Index Entries Size : 152 |
| | | | | Index Entries Allocated : 152 |
| | | | | Flags : Large Index |
+------------------------------------------------------------------------------------------------------------------+
Hence, maybe a low-level but more explicit way for interpreting index records is needed. For example, an additional option for a given index buffer can be introduced as below:
ntfstool index_buffer disk=x volume=y cluster=z
where z is the starting cluster of the non-resident index record (maybe the file size is also needed), should be pointed out by a specific previous-step instruction. What’s more, as mentioned above, I want ntfstool explicitly show the detailed information of the resident index nodes when interpreting the attribute of $INDEX_ROOT and explicitly show the starting address list for all the non-resident index buffers when interpreting the attribute of $INDEX_ALLOCATION (I am not sure this statement is correct, but you, a smart man, can catch it ^_^).
As I am totally a layman, there must be some erroneous and ambiguous statements in this enhancement request. To make my request clearer, my story is that I have been working on an external 4T hard disk which had suddenly become corrupted (shown as RAW format). Ntfstool is the most powerful tool I have found to print formatted information of various complicated NTFS binary data. With the understandable formatted text, I can focus on figuring out what happened on the hard disk whose file system is corrupted, only being required to know some basic concepts about NTFS. It saves me from repeatedly interpreting binary data and allows comparing the obtained formatted information of specific data to that of a healthy one. So far I have managed to deal with the problem that some MFT records are disordered (this problem was found with the help of ntfstool). However, the root directory is corrupted as well, and I am confused when verifying the index chains. That's why I submit this enhancement request. The file record for the corrupted root directory is shown below:
MFT (inode:5) from \\.\PhysicalDrive5 > Volume:1
------------------------------------------------
Signature : FILE
Update Offset : 48
Update Number : 3
$LogFile LSN : 2099480808
Sequence Number : 5
Hardlink Count : 1
Attribute Offset : 56
Flags : In_use | Directory
Real Size : 784
Allocated Size : 1024
Base File Record : 0000000000000000h
Next Attribute ID : 16
MFT Record Index : 5
Update Seq Number : 361
Update Seq Array : 01d50000
Attribute $INDEX_ALLOCATION not found
Attributes:
-----------
+------------------------------------------------------------------------------------------------------------------+
| Id | Type | Non-resident | Length | Overview |
+------------------------------------------------------------------------------------------------------------------+
| 1 | $STANDARD_INFORMATION | False | 48 | File Created Time : 2019-06-12 22:14:38 |
| | | | | Last File Write Time : 2021-06-19 09:48:03 |
| | | | | FileRecord Changed Time : 2021-06-19 09:48:03 |
| | | | | Last Access Time : 2021-06-19 23:50:07 |
| | | | | Permissions : |
| | | | | read_only : 0 |
| | | | | hidden : 1 |
| | | | | system : 1 |
| | | | | device : 0 |
| | | | | normal : 0 |
| | | | | temporary : 0 |
| | | | | sparse : 0 |
| | | | | reparse_point : 0 |
| | | | | compressed : 0 |
| | | | | offline : 0 |
| | | | | not_indexed : 0 |
| | | | | encrypted : 0 |
| | | | | Max Number of Versions : 0 |
| | | | | Version Number : 0 |
+------------------------------------------------------------------------------------------------------------------+
| 2 | $ATTRIBUTE_LIST | False | 296 | $STANDARD_INFORMATION |
| | | | | Record Num: 0005000000000005 |
| | | | | ------ |
| | | | | $FILE_NAME |
| | | | | Record Num: 0005000000000005 |
| | | | | ------ |
| | | | | $OBJECT_ID |
| | | | | Record Num: 0005000000000005 |
| | | | | ------ |
| | | | | $SECURITY_DESCRIPTOR |
| | | | | Record Num: 000400000000cac9 |
| | | | | ------ |
| | | | | $INDEX_ROOT |
| | | | | Name : $I30 |
| | | | | Record Num: 0005000000000005 |
| | | | | ------ |
| | | | | $INDEX_ALLOCATION |
| | | | | Name : $I30 |
| | | | | Record Num: 000400000000cac9 |
| | | | | ------ |
| | | | | $BITMAP |
| | | | | Name : $I30 |
| | | | | Record Num: 000400000000cac9 |
| | | | | ------ |
| | | | | $LOGGED_UTILITY_STREAM |
| | | | | Name : $TXF_DATA |
| | | | | Record Num: 0005000000000005 |
+------------------------------------------------------------------------------------------------------------------+
| 3 | $FILE_NAME | False | 68 | Parent Dir Record Index : 5 |
| | | | | Parent Dir Sequence Num : 5 |
| | | | | File Created Time : 2019-06-12 22:14:38 |
| | | | | Last File Write Time : 2019-06-12 22:14:38 |
| | | | | FileRecord Changed Time : 2019-06-12 22:14:38 |
| | | | | Last Access Time : 2019-06-12 22:14:38 |
| | | | | Allocated Size : 0 |
| | | | | Real Size : 0 |
| | | | | ------ |
| | | | | NameType : DOS & WIN32 |
| | | | | Name : . |
+------------------------------------------------------------------------------------------------------------------+
| 4 | $OBJECT_ID | False | 16 | Object Unique ID : {663f6f9a-a036-11e9-a414-28b2bdd |
| | | | | e2834} |
+------------------------------------------------------------------------------------------------------------------+
| 5 | $INDEX_ROOT | False | 56 | Attribute Type : Filename |
| | | | | Collation Rule : 1 |
| | | | | Index Alloc Entry Size : 4096 |
| | | | | Cluster/Index Record : 1 |
| | | | | ----- |
| | | | | First Entry Offset : 16 |
| | | | | Index Entries Size : 40 |
| | | | | Index Entries Allocated : 40 |
| | | | | Flags : Large Index |
+------------------------------------------------------------------------------------------------------------------+
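On the question of how to use "First Entry Offset : 16": the offset is relative to the INDEX_HEADER that follows the 16-byte INDEX_ROOT header, and each entry carries its own length, a $FILE_NAME key (unless it is the END entry) and, when the node flag is set, the VCN of a child node in $INDEX_ALLOCATION in its last 8 bytes. Added example, not ntfstool code: a 40-byte index like the one in the dump can only be the 16-byte header plus one END entry with a VCN, so the whole directory lives in $INDEX_ALLOCATION, which the $ATTRIBUTE_LIST places in record 000400000000cac9 rather than the base record. Both sample roots are constructed; the populated one comes out at 168 bytes with an index length of 152, the same sizes as the first $INDEX_ROOT quoted in the post, although what the real entries contain is of course unknown.

```python
import struct

INDEX_ENTRY_NODE = 0x01     # entry ends with the VCN of a child node in $INDEX_ALLOCATION
INDEX_ENTRY_END = 0x02      # last entry of the node; carries no key
NAMESPACES = {0: "POSIX", 1: "WIN32", 2: "DOS", 3: "DOS & WIN32"}


def parse_index_root(buf: bytes) -> dict:
    """Walk a $INDEX_ROOT value: 16-byte INDEX_ROOT, 16-byte INDEX_HEADER, then the INDEX_ENTRY chain."""
    if len(buf) < 32:
        raise ValueError("$INDEX_ROOT shorter than its two headers")
    attr_type, collation, alloc_entry_size, clusters_per_record = struct.unpack_from("<IIIB", buf, 0)
    first_entry, used, allocated, flags = struct.unpack_from("<IIIB", buf, 16)
    if used > allocated or 16 + used > len(buf) or first_entry < 16 or first_entry > used:
        raise ValueError(f"inconsistent INDEX_HEADER: first={first_entry} used={used} alloc={allocated}")
    root = {"attribute_type": attr_type, "collation_rule": collation,
            "index_alloc_entry_size": alloc_entry_size, "clusters_per_index_record": clusters_per_record,
            "large_index": bool(flags & 1), "entries": []}
    off, end = 16 + first_entry, 16 + used       # header offsets are relative to the INDEX_HEADER
    while off + 16 <= end:
        ref, length, key_len, eflags = struct.unpack_from("<QHHH", buf, off)
        if length < 16 or length % 8 or off + length > end:
            raise ValueError(f"index entry at {off} has bad length {length}: the chain breaks here")
        entry = {"mft_record": ref & 0xFFFFFFFFFFFF, "sequence": ref >> 48,
                 "end": bool(eflags & INDEX_ENTRY_END), "name": None, "namespace": None, "subnode_vcn": None}
        if eflags & INDEX_ENTRY_NODE:
            entry["subnode_vcn"] = struct.unpack_from("<Q", buf, off + length - 8)[0]
        if not entry["end"]:
            if key_len < 66 or 16 + key_len > length:
                raise ValueError(f"index entry at {off} has bad $FILE_NAME key length {key_len}")
            key = buf[off + 16:off + 16 + key_len]
            name_len, ns = key[64], key[65]           # $FILE_NAME: name length and namespace at 64/65
            if 66 + 2 * name_len > key_len:
                raise ValueError(f"index entry at {off}: name overruns its key")
            entry["name"] = key[66:66 + 2 * name_len].decode("utf-16-le")
            entry["namespace"] = NAMESPACES.get(ns, str(ns))
        root["entries"].append(entry)
        if entry["end"]:
            return root
        off += length
    raise ValueError("no END entry: index node is truncated")


def file_name_key(parent_ref: int, name: str, namespace: int = 3) -> bytes:
    """Constructed $FILE_NAME key (timestamps and sizes zeroed; only what the walk reads is set)."""
    return struct.pack("<Q4Q2QIIBB", parent_ref, 0, 0, 0, 0, 0, 0, 0, 0, len(name), namespace) \
        + name.encode("utf-16-le")


def index_entry(ref: int, key: bytes = b"", end: bool = False, subnode_vcn=None) -> bytes:
    """Serialize one INDEX_ENTRY: 16-byte header, key, padding to 8 bytes, optional trailing VCN."""
    node = subnode_vcn is not None
    flags = (INDEX_ENTRY_END if end else 0) | (INDEX_ENTRY_NODE if node else 0)
    length = ((16 + len(key) + 7) & ~7) + (8 if node else 0)
    body = struct.pack("<QHHHxx", ref, length, len(key), flags) + key
    body += b"\x00" * (length - len(body) - (8 if node else 0))
    return body + (struct.pack("<Q", subnode_vcn) if node else b"")


def build_index_root(entries: list, large: bool = True) -> bytes:
    """INDEX_ROOT for a $I30 directory index (attribute type $FILE_NAME, collation 1, 4096-byte nodes)."""
    body = b"".join(entries)
    used = 16 + len(body)                          # index length counts the INDEX_HEADER itself
    return (struct.pack("<IIIB3x", 0x30, 1, 4096, 1)
            + struct.pack("<IIIB3x", 16, used, used, 1 if large else 0) + body)


def empty_root_like_post() -> bytes:
    """The 40-byte index from the post: header plus one END entry whose only payload is the VCN of node 0."""
    return build_index_root([index_entry(0, end=True, subnode_vcn=0)])


def populated_root() -> bytes:
    """Constructed root with one entry for 'file.bin' (record 123, seq 1) and an END entry pointing at VCN 4."""
    root_ref = 5 | (5 << 48)                       # parent = root directory, sequence 5, as in the post
    return build_index_root([index_entry(123 | (1 << 48), file_name_key(root_ref, "file.bin"), subnode_vcn=0),
                             index_entry(0, end=True, subnode_vcn=4)])
```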
commit: af24822
OS:Version Microsoft Windows 10 LTSC : 10.0.17763
[+] Opening \?\Volume{XXXXXXX-XXXX-XXXX}
[+] Finding $Extend$UsnJrnl record
[+] Found in file record : 69279
[+] Data stream $J size : 11.16 GiBs
[+] Reading $J
[!] Invalid read file size
[+] Closing volume
Debug:
in thewhiteninja_ntfstool\Sources\NTFS\ntfs_mft_record.cpp
line: 578
std::shared_ptr<MFTRecord> extRecordHeader = _mft->record_from_number(pAttrListI->recordNumber & 0xffffffffffff);
if (is_first_data)
{
    filesize_left = extRecordHeader->datasize();   // returns 0 here
    is_first_data = false;
}
...
extRecordHeader->datasize() returns 0
Hi, I didn't find it anywhere, but I would like to dump the information and use the other functions on a $MFT file exported from a forensic image (E01).
Is there any way to do that? Is that a feature?
Hello !
Sorry, I don't know if it is the right place for this.
I've got a 3 GiB $J to extract but the last release version seems to be outdated (I'm talking about this: https://github.com/thewhiteninja/ntfstool/releases, Oct for the last release), so it's impossible to extract since the issue for big $UsnJrnl has only recently been solved.
So I try to build the project, but when I try to run the project in VS 2017, I get a lot of error messages.
Including this one I don't manage to solve :
utils.obj : error LNK2001: unresolved external symbol " "public: static class std::locale::id std::codecvt<char16_t,char,struct _Mbstatet>::id" (?id@?$codecvt@_SDU_Mbstatet@@@std@@2V0locale@2@A)
How is it possible to fix this ?
Thank you !
Firstly, great tool, really excellent, thank you!
This relates to the mft.dump function.
I've found (in some instances) that the process seems to hang, i.e. never completes. I'm not completely sure of the cause, but did note that when I specified a long filename as the output file, the hang occurred. I'm not completely set on this being the cause, as with other testing, I've been able to specify long output filenames with no issue. Please see screenshot below for an example:
Hello, I'm trying to use this as a library for some stuff I need; however, I keep noticing (maybe a race condition) a crash in record_from_number, since sometimes it happens and sometimes it doesn't, but maybe I'm just doing something wrong and if so maybe you could tell me? All you have to do is run this code in a loop and after a while it will end up crashing in record_from_number.
This code worked for 2 iterations then crashed; sometimes it instantly crashes, sometimes after a while, it's really random.
while ( true ) {
    for ( const auto& disk : core::win::disks::list( ) ) {
        if ( !disk )
            continue;
        for ( const auto& volume : disk->volumes( ) ) {
            if ( !volume )
                continue;
            const auto explorer = std::make_shared<NTFSExplorer>( volume );
            if ( !explorer || !explorer->mft( ) )
                continue;
            const std::shared_ptr<MFTRecord> entry_rec = explorer->mft( )->record_from_path( ( R"(\$Extend\$ObjId)" ) );
            if ( !entry_rec )
                continue;
            PMFT_RECORD_ATTRIBUTE_HEADER stdinfo_att = entry_rec->attribute_header( $STANDARD_INFORMATION );
            if ( !stdinfo_att )
                continue;
            const auto stdinfo = POINTER_ADD( PMFT_RECORD_ATTRIBUTE_STANDARD_INFORMATION, stdinfo_att, stdinfo_att->Form.Resident.ValueOffset );
            if ( !stdinfo )
                continue;
            printf( "%s | %p \n", volume->name( ).c_str( ), stdinfo );
        }
    }
}
Dear author,
I am a newbie to C++ and know this is a question rather than a problem, but I really want to figure it out.
My platform is Windows 10, and Visual Studio 2019 Community is used.
What am I doing:
However, I get some errors, such as
Error LNK2001 unresolved external symbol distorm_decode64 ntfstool E:\Code\cpp\ntfstool-master\utils.obj 1
Error LNK2019 unresolved external symbol distorm_decode64 referenced in function "void __cdecl print_jump(unsigned char * const)" (?print_jump@@YAXQEAE@Z) ntfstool E:\Code\cpp\ntfstool-master\command_vbr.obj 1
Error LNK2001 unresolved external symbol __imp_feof ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(ui_openssl.obj) 1
Error LNK2019 unresolved external symbol __imp_feof referenced in function file_ctrl ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(bss_file.obj) 1
Error LNK2001 unresolved external symbol __imp_ferror ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(ui_openssl.obj) 1
Error LNK2019 unresolved external symbol __imp_ferror referenced in function file_read ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(bss_file.obj) 1
Error LNK2001 unresolved external symbol __imp_fgets ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(ui_openssl.obj) 1
Error LNK2019 unresolved external symbol __imp_fgets referenced in function file_gets ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(bss_file.obj) 1
Error LNK2019 unresolved external symbol __imp_strerror_s referenced in function openssl_strerror_r ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(o_str.obj) 1
Error LNK2001 unresolved external symbol __imp_strncpy ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(evp_key.obj) 1
Error LNK2001 unresolved external symbol __imp_strncpy ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(x509_obj.obj) 1
Error LNK2019 unresolved external symbol __imp_strncpy referenced in function win32_joiner ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(dso_win32.obj) 1
Error LNK2001 unresolved external symbol __imp_strspn ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(v3_asid.obj) 1
Error LNK2001 unresolved external symbol __imp_strspn ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(v3_addr.obj) 1
Error LNK2019 unresolved external symbol __imp_strspn referenced in function PEM_get_EVP_CIPHER_INFO ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(pem_lib.obj) 1
Error LNK2019 unresolved external symbol __imp__gmtime64_s referenced in function OPENSSL_gmtime ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(o_time.obj) 1
Error LNK2001 unresolved external symbol __imp__stat64i32 ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(conf_def.obj) 1
Error LNK2019 unresolved external symbol __imp__stat64i32 referenced in function file_open ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(loader_file.obj) 1
Error LNK2001 unresolved external symbol __imp__strdup ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(conf_lib.obj) 1
Error LNK2019 unresolved external symbol __imp__strdup referenced in function OPENSSL_config ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(conf_sap.obj) 1
Error LNK2001 unresolved external symbol __imp__time64 ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(a_time.obj) 1
Error LNK2001 unresolved external symbol __imp__time64 ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(x509_vfy.obj) 1
Error LNK2019 unresolved external symbol __imp__time64 referenced in function RAND_DRBG_bytes ntfstool E:\Code\cpp\ntfstool-master\libcrypto_static.lib(drbg_lib.obj) 1
How can I properly import the necessary third-party libraries to the project ntfstools?
shell disk=1 volume=3
disk1:volume3:> ls
Inode | Type | Name | Size | Creation Date | Attributes
---------------------------------------------------------------------------------------------
4 | | $AttrDef | 2560 | 2021-02-18 05:45:18 | Hi Sy
8 | | $BadClus | 0 | 2021-02-18 05:45:18 | Hi Sy
| ADS | $Bad | 510905020416 | |
6 | | $Bitmap | 15591584 | 2021-02-18 05:45:18 | Hi Sy
| ADS | $SRAT | 68 | |
7 | | $Boot | 8192 | 2021-02-18 05:45:18 | Hi Sy
11 | DIR | $Extend | | 2021-02-18 05:45:18 | Hi Sy
2 | | $LogFile | 67108864 | 2021-02-18 05:45:18 | Hi Sy
0 | | $MFT | 2073034752 | 2021-02-18 05:45:18 | Hi Sy
1 | | $MFTMirr | 4096 | 2021-02-18 05:45:18 | Hi Sy
4502 | DIR | $Recycle.Bin | | 2019-12-07 10:14:52 | Hi Sy
9 | | $Secure | 0 | 2021-02-18 05:45:18 | Hi Sy
10 | | $UpCase | 131072 | 2021-02-18 05:45:18 | Hi Sy
| ADS | $Info | 32 | |
3 | | $Volume | 0 | 2021-02-18 05:45:18 | Hi Sy
154204 | DIR | $WINDOWS.~BT | | 2021-11-02 22:52:59 |
50617 | DIR | $Windows.~WS | | 2022-02-06 19:18:00 | Hi Ni
156 | DIR | $WinREAgent | | 2023-01-10 22:38:03 | Hi
mft.record disk=1 volume=3
MFT (inode:0) for \\.\PhysicalDrive1 > Volume:3
-----------------------------------------------
Signature : FILE
Update Offset : 48
Update Number : 3
$LogFile LSN : 305819962804
Sequence Number : 1
Hardlink Count : 1
Attribute Offset : 56
Flags : In use
Real Size : 888
Allocated Size : 1024
Base File Record : 0000000000000000h
Next Attribute ID : 13
MFT Record Index : 0
Update Seq Number : 1714
Update Seq Array : 01150000
Attributes:
-----------
+-------------------------------------------------------------------------------------------------------------+
| Id | Type | Non-resident | Length | Overview |
+-------------------------------------------------------------------------------------------------------------+
| 1 | $STANDARD_INFORMATION | False | 72 | File Created Time : 2021-02-18 05:45:18 |
| | Raw address: 0000c0000050h | | | Last File Write Time : 2021-02-18 05:45:18 |
| | | | | FileRecord Changed Time : 2021-02-18 05:45:18 |
| | | | | Last Access Time : 2021-02-18 05:45:18 |
| | | | | Permissions : |
| | | | | read_only : 0 |
| | | | | hidden : 1 |
| | | | | system : 1 |
| | | | | device : 0 |
| | | | | normal : 0 |
| | | | | temporary : 0 |
| | | | | sparse : 0 |
| | | | | reparse_point : 0 |
| | | | | compressed : 0 |
| | | | | offline : 0 |
| | | | | not_indexed : 0 |
| | | | | encrypted : 0 |
| | | | | Max Number of Versions : 0 |
| | | | | Version Number : 0 |
+-------------------------------------------------------------------------------------------------------------+
| 2 | $FILE_NAME | False | 74 | Parent Dir Record Index : 5 |
| | Raw address: 0000c00000b0h | | | Parent Dir Sequence Num : 5 |
| | | | | File Created Time : 2021-02-18 05:45:18 |
| | | | | Last File Write Time : 2021-02-18 05:45:18 |
| | | | | FileRecord Changed Time : 2021-02-18 05:45:18 |
| | | | | Last Access Time : 2021-02-18 05:45:18 |
| | | | | Allocated Size : 1417412608 |
| | | | | Real Size : 1417412608 |
| | | | | ------ |
| | | | | NameType : DOS & WIN32 |
| | | | | Name : $MFT |
+-------------------------------------------------------------------------------------------------------------+
| 3 | $DATA | True | 2073034752 | Size: 2073034752 (1.93 GiB) |
| | Raw address: 0000c0000140h | | | Dataruns: |
| | | | | Length: 0000c820 Offset: 000c0000 |
| | | | | Length: 000053a3 Offset: 00adb375 |
| | | | | Length: 000035fe Offset: 0055d48a |
| | | | | Length: 0000323f Offset: 0103745c |
| | | | | Length: 0000c819 Offset: 01e90c48 |
| | | | | Length: 0000c819 Offset: 06379147 |
| | | | | Length: 000027ce Offset: 05391ba4 |
| | | | | Length: 0000a4d4 Offset: 07122acc |
| | | | | Length: 000063f4 Offset: 04255ee4 |
| | | | | Length: 00000a8e Offset: 06c65c0c |
| | | | | Length: 000001ad Offset: 051b2127 |
| | | | | Length: 0000cbf2 Offset: 07166c3c |
| | | | | Length: 00002d83 Offset: 05db27f9 |
| | | | | Length: 0000406d Offset: 073cd633 |
| | | | | Length: 00000e97 Offset: 041df470 |
| | | | | Length: 00000e89 Offset: 06f2dbb7 |
| | | | | Length: 00000de1 Offset: 03cc3927 |
| | | | | Length: 00000db5 Offset: 00466aaf |
| | | | | Length: 00000dab Offset: 041a0cd9 |
| | | | | Length: 00000f95 Offset: 07315b99 |
| | | | | Length: 00004aa8 Offset: 01250b40 |
| | | | | Length: 00000ab8 Offset: 0550d6b6 |
| | | | | Length: 00000595 Offset: 012cc194 |
| | | | | Length: 000004b4 Offset: 07209d68 |
| | | | | Length: 000004ad Offset: 02fa5c78 |
| | | | | Length: 00000490 Offset: 01c4dde0 |
| | | | | Length: 00001c84 Offset: 02dac5a1 |
| | | | | Length: 00001d1a Offset: 04d84ea5 |
| | | | | Length: 00001264 Offset: 051c21b8 |
| | | | | Length: 0000003d Offset: 016a5e21 |
| | | | | Length: 0000079c Offset: 016a2164 |
| | | | | Length: 00002468 Offset: 0561ec80 |
| | | | | Length: 0000376a Offset: 04e83dd8 |
| | | | | Length: 00002b63 Offset: 05f1e700 |
| | | | | Length: 0000279c Offset: 019bcf80 |
| | | | | Length: 0000279f Offset: 0477d34c |
| | | | | Length: 00002fa3 Offset: 0707668c |
| | | | | Length: 00001551 Offset: 00dcbde8 |
| | | | | |
| | | | | Virtual size: 0 (0.00 byte) |
| | | | | Real size : 2073034752 (1.93 GiB) |
+-------------------------------------------------------------------------------------------------------------+
| 4 | $BITMAP | True | 254944 | Index Node Used : 1752184 |
| | Raw address: 0000c0000290h | | | |
+-------------------------------------------------------------------------------------------------------------+
But last but not least
logfile.dump disk=1 volume=3 output=log.log format=raw
LogFile from \\.\PhysicalDrive1 > Volume:3
------------------------------------------
[+] Opening \\?\Volume{3de295f9-1d5e-4f1d-bbce-fb5e97329559}\
[+] Reading $LogFile record
[+] $LogFile size : 64.00 MiBs
[+] Creating log.log
[!] Unable to find corresponding $DATA attribute
[+] Processing data: 0.00 byte[+] Closing volume
[+] Closing volume
Here was the situation when I discovered this tool:
My HDD stopped being recognized by Windows (shown as Raw). But the problem seems to be very minor. All files are still there. The HDD tools can easily show them. I want to run chkdsk to fix the filesystem, but there is a risk that it will mess up everything. I'm pretty sure it won't mess up the file contents. But it could mess up $MFT. So, I wanted to back up the whole filesystem table ($MFT and FILE records). This way I could recover the table or the files (knowing their sectors). It would be also great to compare the table before and after the repair.
I've since fixed my problem, but just wanted to leave my use case here.