
ntfstool's Introduction

Hi there 👋

ntfstool's People

Contributors

definiteiymaybe, mitchcapper, thewhiteninja, vgimly


ntfstool's Issues

`help extract` shows invalid command syntax

Help

ntfstool.x64.exe help extract
extract command
---------------

  ntfstool.x64.exe extract [disk id] [volume id] [from] [output]

  - Extract a file specified by a path in from to output

  Extract a file:
  > ntfstool.x64.exe extract disk=0 volume=1 from="c:\windows\notepad.exe" output = "d:\notepad.exe"

  Extract SAM hive:
  > ntfstool.x64.exe extract disk=0 volume=1 --sam output = "d:\sam"

  Extract SYSTEM file:
  > ntfstool.x64.exe extract disk=0 volume=1 --system output = "d:\system"

Log:

ntfstool.x64.exe extract disk=2 volume=2 from="P:\$MFT" output = "A:\tmp\P_MFT"

[!] Invalid option: =

[!] Invalid option: A:\tmp\P_MFT

Support for compact tool (WofCompressionData)

Windows 10 introduces Windows Overlay Filtering compression for NTFS.
There is even a Windows 10 "Compact Edition" where that compression is turned on by default.

To check it, just run this in Windows 10/11:

compact.exe /c /exe:lzx c:\windows\splwow64.exe
ntfstool extract disk=1 volume=2 from="c:\windows\splwow64.exe:WofCompressedData" output="c:\splwow64.exe,compact"

Note that the sparse/reparse flags are set, there is a new ADS $DATA:WofCompressedData, and a $REPARSE_POINT with Type "Windows Overlay" (IO_REPARSE_TAG_WOF).

MFT (inode:396322) from \\.\PhysicalDrive1 > Volume:2
-----------------------------------------------------

Signature         : FILE
Update Offset     : 48
Update Number     : 3
$LogFile LSN      : 285433403226
Sequence Number   : 1
Hardlink Count    : 2
Attribute Offset  : 56
Flags             : In_use
Real Size         : 936
Allocated Size    : 1024
Base File Record  : 0000000000000000h
Next Attribute ID : 14
MFT Record Index  : 396322
Update Seq Number : 8
Update Seq Array  : 00000000

Attributes:
-----------

+------------------------------------------------------------------------------------------------------+
| Id | Type                   | Non-resident | Length | Overview                                       |
+------------------------------------------------------------------------------------------------------+
| 1  | $STANDARD_INFORMATION  | False        | 72     | File Created Time       : 2020-09-02 12:49:59  |
|    |                        |              |        | Last File Write Time    : 2022-02-12 02:14:21  |
|    |                        |              |        | FileRecord Changed Time : 2022-02-12 02:14:21  |
|    |                        |              |        | Last Access Time        : 2022-02-12 02:14:21  |
|    |                        |              |        | Permissions             :                      |
|    |                        |              |        |   read_only     : 0                            |
|    |                        |              |        |   hidden        : 0                            |
|    |                        |              |        |   system        : 0                            |
|    |                        |              |        |   device        : 0                            |
|    |                        |              |        |   normal        : 0                            |
|    |                        |              |        |   temporary     : 0                            |
|    |                        |              |        |   sparse        : 1                            |
|    |                        |              |        |   reparse_point : 1                            |
|    |                        |              |        |   compressed    : 0                            |
|    |                        |              |        |   offline       : 0                            |
|    |                        |              |        |   not_indexed   : 0                            |
|    |                        |              |        |   encrypted     : 0                            |
|    |                        |              |        | Max Number of Versions  : 0                    |
|    |                        |              |        | Version Number          : 0                    |
+------------------------------------------------------------------------------------------------------+
| 2  | $FILE_NAME             | False        | 90     | Parent Dir Record Index : 396463               |
|    |                        |              |        | Parent Dir Sequence Num : 1                    |
|    |                        |              |        | File Created Time       : 2020-09-02 12:49:59  |
|    |                        |              |        | Last File Write Time    : 2020-09-02 12:49:59  |
|    |                        |              |        | FileRecord Changed Time : 2020-09-02 12:49:59  |
|    |                        |              |        | Last Access Time        : 2020-09-02 12:49:59  |
|    |                        |              |        | Allocated Size          : 167936               |
|    |                        |              |        | Real Size               : 165376               |
|    |                        |              |        | ------                                         |
|    |                        |              |        | NameType                : DOS & WIN32          |
|    |                        |              |        | Name                    : splwow64.exe         |
+------------------------------------------------------------------------------------------------------+
| 3  | $FILE_NAME             | False        | 90     | Parent Dir Record Index : 493                  |
|    |                        |              |        | Parent Dir Sequence Num : 1                    |
|    |                        |              |        | File Created Time       : 2020-09-02 12:49:59  |
|    |                        |              |        | Last File Write Time    : 2020-09-02 17:31:19  |
|    |                        |              |        | FileRecord Changed Time : 2020-09-02 12:49:59  |
|    |                        |              |        | Last Access Time        : 2020-09-02 12:49:59  |
|    |                        |              |        | Allocated Size          : 167936               |
|    |                        |              |        | Real Size               : 165376               |
|    |                        |              |        | ------                                         |
|    |                        |              |        | NameType                : POSIX                |
|    |                        |              |        | Name                    : splwow64.exe         |
+------------------------------------------------------------------------------------------------------+
| 4  | $DATA                  | True         | 165376 | Data Size               : 165376 (161.50 KiBs) |
|    |                        |              |        | Flags                   :                      |
|    |                        |              |        |     Sparse                                     |
|    |                        |              |        | Dataruns                :                      |
|    |                        |              |        |     Length: 00000030 Offset: 00000000 (S)      |
|    |                        |              |        | Size on disk            : 0 (0.00 byte)        |
+------------------------------------------------------------------------------------------------------+
| 5  | $DATA                  | True         | 88570  | Name                    : WofCompressedData    |
|    |                        |              |        | Data Size               : 88570 (86.49 KiBs)   |
|    |                        |              |        | Dataruns                :                      |
|    |                        |              |        |     Length: 00000016 Offset: 031e33bc          |
|    |                        |              |        | Size on disk            : 90112 (88.00 KiBs)   |
+------------------------------------------------------------------------------------------------------+
| 6  | $REPARSE_POINT         | False        | 24     | Type                    : Windows Overlay      |
|    |                        |              |        | Unsupported reparse point type                 |
+------------------------------------------------------------------------------------------------------+
| 7  | $EA_INFORMATION        | False        | 8      | NYI attribute type                             |
+------------------------------------------------------------------------------------------------------+
| 8  | $EA                    | False        | 92     | NYI attribute type                             |
+------------------------------------------------------------------------------------------------------+
| 9  | $LOGGED_UTILITY_STREAM | False        | 8      | Binary data                                    |
+------------------------------------------------------------------------------------------------------+
| 10 | $LOGGED_UTILITY_STREAM | False        | 56     | Binary data                                    |
+------------------------------------------------------------------------------------------------------+

There are XPRESS4K/XPRESS8K/XPRESS16K/LZX compression algorithms. Also, this tag should support WIM files (the reparse point can reference a WIM archive), but I have no proof of it.
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/compact-os?view=windows-11
RtlDecompressBufferEx has support for COMPRESSION_FORMAT_XPRESS_HUFF; a WIM-LZX decompressor can be found on GitHub...
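The reparse point described in this report has a fixed layout that a forensic parser can decode before attempting any decompression. The following is an added example and not ntfstool code: it decodes a $REPARSE_POINT value of the kind shown in the record dump (24 bytes: an 8-byte REPARSE_DATA_BUFFER header plus 16 bytes of WOF data), maps the FILE_PROVIDER algorithm to its name and chunk size, and computes where the chunk-offset table at the start of WofCompressedData ends. The structure names follow the public Windows SDK definitions (WOF_EXTERNAL_INFO, FILE_PROVIDER_EXTERNAL_INFO_V1); the chunk-table rule (num_chunks - 1 entries, 4 bytes each below 4 GiB, 8 bytes otherwise) is taken from the publicly documented stream format and treated here as an assumption, and the sample bytes are constructed.

```python
"""Decode the $REPARSE_POINT value of a WOF-compressed NTFS file.

Added example, not ntfstool code. Field layout assumed from the public
WOF_EXTERNAL_INFO / FILE_PROVIDER_EXTERNAL_INFO_V1 structures; the
WofCompressedData chunk-table rule and the sample bytes are assumptions
constructed for this example.
"""
import struct

IO_REPARSE_TAG_WOF = 0x80000017
WOF_PROVIDER_WIM = 1
WOF_PROVIDER_FILE = 2

# FILE_PROVIDER_COMPRESSION_* value -> (name, uncompressed chunk size in bytes)
ALGORITHMS = {
    0: ("XPRESS4K", 4096),
    1: ("LZX", 32768),
    2: ("XPRESS8K", 8192),
    3: ("XPRESS16K", 16384),
}


def is_wof_reparse_point(value: bytes) -> bool:
    """True when the REPARSE_DATA_BUFFER carries the WOF tag."""
    return len(value) >= 8 and struct.unpack_from("<I", value, 0)[0] == IO_REPARSE_TAG_WOF


def parse_wof_reparse_point(value: bytes) -> dict:
    """Decode a resident $REPARSE_POINT attribute value (REPARSE_DATA_BUFFER)."""
    if len(value) < 8:
        raise ValueError("reparse buffer too short")
    tag, data_len, _reserved = struct.unpack_from("<IHH", value, 0)
    if tag != IO_REPARSE_TAG_WOF:
        raise ValueError(f"not a WOF reparse point: tag 0x{tag:08x}")
    data = value[8:8 + data_len]
    if len(data) < 16:
        raise ValueError("WOF reparse data truncated")
    # WOF_EXTERNAL_INFO {Version, Provider} followed by the provider-specific info
    wof_version, provider, prov_version, algorithm = struct.unpack_from("<IIII", data, 0)
    info = {"wof_version": wof_version, "provider": provider}
    if provider == WOF_PROVIDER_FILE:
        name, chunk = ALGORITHMS.get(algorithm, ("unknown", None))
        info.update({"provider_name": "FILE", "file_provider_version": prov_version,
                     "algorithm": name, "chunk_size": chunk})
    elif provider == WOF_PROVIDER_WIM:
        info["provider_name"] = "WIM"      # backing data lives in a WIM archive
    else:
        info["provider_name"] = "unknown"
    return info


def chunk_table_layout(uncompressed_size: int, chunk_size: int) -> dict:
    """Geometry of the chunk-offset table at the start of WofCompressedData.

    Assumed rule: the stream opens with (num_chunks - 1) little-endian offsets,
    4 bytes each when the uncompressed size is below 4 GiB and 8 bytes otherwise;
    compressed chunk 0 starts immediately after the table.
    """
    num_chunks = max(1, (uncompressed_size + chunk_size - 1) // chunk_size)
    entry_size = 4 if uncompressed_size < (1 << 32) else 8
    table_bytes = (num_chunks - 1) * entry_size
    return {"num_chunks": num_chunks, "entry_size": entry_size,
            "table_bytes": table_bytes, "first_chunk_offset": table_bytes}


def build_sample_reparse(algorithm: int) -> bytes:
    """Constructed sample: 8-byte header + 16 bytes of WOF data = 24 bytes,
    the same $REPARSE_POINT length as in the record dump above."""
    data = struct.pack("<IIII", 1, WOF_PROVIDER_FILE, 1, algorithm)
    return struct.pack("<IHH", IO_REPARSE_TAG_WOF, len(data), 0) + data


if __name__ == "__main__":
    value = build_sample_reparse(1)  # constructed: LZX, as after "compact /exe:lzx"
    info = parse_wof_reparse_point(value)
    print(info)
    print(chunk_table_layout(165376, info["chunk_size"]))
```

Applied to the dump above: the uncompressed $DATA size of 165376 bytes with LZX's 32 KiB chunks gives 6 chunks and a 20-byte table, so compressed chunk 0 begins at offset 20 of the WofCompressedData stream. A practitioner hashing or carving such a file must read the real content from that stream, because the main $DATA run is sparse (size on disk 0) and reads back as zeros.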

mft.record does not work without inode despite being featured in help

Log:

ntfstool.x64.exe mft.record disk=2 volume=2
[!] Missing inode option. Unable to find file record.

Help:

ntfstool.x64.exe help mft
mft.record command
------------------

  ntfstool.x64.exe mft.record [disk id] [volume id] (inode/from)

  - Display MFT file record information and detailed attributes for selected disk, volume and inode/path

  Display MFT file record for disk 0, volume 2:
  > ntfstool.x64.exe mft.record disk=0 volume=2

  Display MFT file record for disk 0, volume 2 and inode 5:
  > ntfstool.x64.exe mft.record disk=0 volume=2 inode=5

  Display MFT File record for disk 0, volume 2 and file "c:\file.bin":
  > ntfstool.x64.exe mft.record disk=0 volume=2 from="c:\file.bin"

Build error

I got the following error while trying to build the tool (Debug mode, x64):
'std::shared_ptr<Buffer<PEFS_FEK>> decrypt_fek(RSA *,std::shared_ptr<Buffer>)': cannot convert argument 1 from 'const rsa_st *' to 'RSA *'
from ntfstool\Sources\Commands\command_efs.decrypt.cpp, line 172.
Environment: Windows 10, Visual Studio 2022 Community.

ntfstool for mac

Hello, OP. Isn't this software for Mac? But I see the releases are x64/x86 .exe formats; I could not find a Mac .dmg.

Unhandled exception : Stack overflow

Hello!

The USN extraction doesn't work for me. I use the command "usn disk=1 volume=0 output=usn.dat":

USN Journals from \\.\PhysicalDrive0 > Volume:2

[+] Opening XX XXX
[+] Finding $Extend$UsnJrnl record
[+] Found in file record : 94136
[+] Data stream $J size : 3.66 GiBs (sparse)
[+] Reading $J
[+] Processing data: 7412 MB(s)
[!] Sorry, the application has crashed!

I've got this error:

Unhandled exception at 0x00007FFEBF1DDF47 (ntdll.dll) in ntfstool.x64.exe: 0xC00000FD: Stack overflow (parameters: 0x0000000000000001, 0x000000EE0EC03FD8).

Exception thrown at 0x00007FFEBF1DDF47 (ntdll.dll) in ntfstool.x64.exe: 0xC00000FD: Stack overflow (parameters: 0x0000000000000001, 0x000000EE0EC03FD8).
Unhandled exception at 0x00007FFEBF1DDF47 (ntdll.dll) in ntfstool.x64.exe: 0xC00000FD: Stack overflow (parameters: 0x0000000000000001, 0x000000EE0EC03FD8).

The error is in the ntfs_mft_record.cpp file, line 25:

MFTRecord::MFTRecord(PMFT_RECORD_HEADER pRecordHeader, MFT* mft, std::shared_ptr<NTFSReader> reader)
{
	_reader = reader;
	_mft = mft;
	if (pRecordHeader != NULL)
	{
		_record = std::make_shared<Buffer<PMFT_RECORD_HEADER>>(_reader->sizes.record_size); // XXX <- crash reported here
		memcpy(_record->data(), pRecordHeader, _reader->sizes.record_size);

		apply_fixups(_record->data(), _record->size(), _record->data()->updateOffset, _record->data()->updateNumber);
	}
}

There is a memory leak in command_bitdecrypt.cpp

In line 85 of command_bitdecrypt.cpp, you call EVP_CIPHER_CTX_new to initialize, but you call EVP_CIPHER_CTX_free to release it when the decryption is complete. This will cause decrypt_sector_fn, which is called continuously during decryption, to leak memory.

GPT NTFS Volume Not Being Identified As Such. Bad Disk or Bug?

Hello!
I'm running into a weird problem with this tool. I'm not sure if it's because of the tool or because of how I've tried [re]formatting my disks, but I wanted to make a report here and see if something was up, or if I just really broke my filesystems (or my disks...).
I am leaning toward the idea that my disks may be borked, but I'm stumped as to why all my testing and reports are so inconsistent.

Anyway -
I have a decent number of disks on my local machine and just added three new ones, all formatted as GPT and using NTFS; two of the disks are 18T raw, the third is 20T raw. I seem to only be having this issue with the 18T disks (Model ST18000NM003J-2TV102).

I've tried formatting the disks multiple ways.

  1. Initializing the disk through Windows 10, creating a simple NTFS partition, quick format
  2. After that, I wiped the disk using pv < /dev/zero > /dev/sdb for about 64GiB, used fdisk to create a new GPT partitioning scheme, and used mkfs.ntfs with a full zero format to create a new NTFS partition
  3. After that, I wiped the disk again, only by deleting the partitions in gparted, and recreated an NTFS partition using gparted and a quick format
  4. Used pv to zero the first few tens of GB of the disk, used Windows to reinitialize the disk and perform a quick format
  5. Used Windows to convert the partition from NTFS to REFS and back, and performed a quick format.

Between each format or wipe & recreation, I ran through a series of tests, trying to view the MFT, volume info, partition info, defragging, and a few other "misc" non-scientific tests to validate the new partition was functional - and throughout those "tests" is where I found the inconsistencies with ntfstool.


My findings:

  1. chkdsk reports all three disks as healthy/no bad sectors/no bad MFT/etc
  2. analyzing/defragmenting using Ultimate Defrag by Distrix fails on the 18T disks
  3. Sysinternals NTFSInfo reports are nearly identical for all three disks (mainly, I mean, no errors)
  4. fsutil.exe reports for all three disks are nearly identical and no errors are reported.
  5. Active@ Disk Editor reports all three disks are healthy ("Volume Integrity Info" is all ✅ about Primary & Mirror entries for MFT, MFTMrr, LogFile, Volume, Root, BitMap, Boot, etc) --- BUT --- Active@ DE allows editing the boot sectors. For the 20T disk, it reports all is well with the PBS & CBS; for the 18T disks, it reports that both the PBS and CBS have invalid values in hex key 40, "Clusters per MFT record" - with a hex value of F6 - it suggests it should be F4 - cross checking some of my other disks (20T and a few SSDs and some 8T HDDs) - they all have F4 for that key.
  6. ntfstool has some weird reports for the two 18T disks when I query them using ntfstool gpt, and things also appear to be "weird" when running it with the info param. Other commands like mft.*, reparse, shell, shadow also do not work on the 18T disks

I've created a gist where I've dumped a bunch of output from ntfsinfo.
Output of ntfstool info: https://gist.github.com/jwshields/403d5b01e430108bd289bf8947325c89#file-ntfstool-info
Output of ntfstool gpt: https://gist.github.com/jwshields/403d5b01e430108bd289bf8947325c89#file-ntfstool-gpt
I've also created a screenshot of the Disk Management window in Windows, showing most of my disks; I've highlighted the three I'm focusing on, though.
[image: screenshot of the Windows Disk Management window]

Plainly, I just don't understand.
Is this a bug in ntfstool, somehow? or is there a problem with my disks?
Above, I listed a bunch of ways I attempted to format the disks; each iteration seemed to give me the same results (i.e., "Invalid or non-GPT partition table", as well as Distrix UD failures when attempting to defrag), no matter how I wiped or created the partitions.
Willing to provide any further information if needed, I'm also not attempting to look for spoonfeeding help here. If this is some weird bug, I'm more than happy to help out and give info, but if this is because my disks are bad, or my own stupidity, I'll concede without issue.

Thank you in advance, and thanks for such an awesome tool!

Crash on most operations when record cannot be found

Now, for some reason, I have this (totally normally working) partition which mft.record complains has no file record.
Trying to run ls from shell or logfile.dump results in a crash.

LogFile from \\.\PhysicalDrive0 > Volume:2
------------------------------------------

[+] Opening \\?\Volume{cb55d575-0000-0000-0000-300300000000}\
[+] Reading $LogFile record

[!] Sorry, the application has crashed!

In WinDbg:

(4d78.2a30): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
[0x0]   ntfstool_x64!std::_Ptr_base<Buffer<MFT_RECORD_HEADER *> >::get + 0x1b   
[0x1]   ntfstool_x64!std::shared_ptr<Buffer<MFT_RECORD_HEADER *> >::operator-><Buffer<MFT_RECORD_HEADER *>,0> + 0x20   
[0x2]   ntfstool_x64!MFTRecord::datasize + 0x6d   
[0x3]   ntfstool_x64!print_logfile_records + 0x47c   
[0x4]   ntfstool_x64!commands::logfile::dispatch + 0x282   
00007ff7`ec0a782b 488b00          mov     rax,qword ptr [rax] ds:00000000`00000010=????????????????

EDIT: maybe?

Aes-cbc-128-diffuser fvek cannot be decrypted correctly

FVE Version : 2
State : ENCRYPTED
Size : 10485760000 (9.77 GiBs)
Encrypted Size : 10485759488 (9.77 GiBs)
Algorithm : AES-CBC-128-DIFFUSER
Decrypted img file data error: in the hexadecimal img file, the header is not EB 52 90 4E 54 46 53 20

Support mounted volumes - for example created with VeraCrypt.

Hi,

Great tool :) Can you please modify the volume selection process to allow the user to select volumes created by VeraCrypt, for example? VeraCrypt uses on-the-fly encryption, so the recovery process should work as on a physical drive, right? We just need a way to select them.

Thanks and have a nice day.

[Request] Provide option to interpret index record structures in a more explicit way

Dear author,
NTFS employs MFT records and index records to organize directories. ntfstool can extract a single given file from a volume, demonstrating that it fully supports interpreting index records (in an implicit way). However, when it comes to fixing a corrupted file system (where we need to check whether all the index entries are valid), it is necessary to produce more explicit results than at present, to help check the index chains (especially for a layman only knowing some basic concepts about NTFS, such as me). In other words, what I am actually looking for is to find out where the B+ tree breaks, step by step.
For example, via the option mft disk=x volume=y inode=5, I can get understandable information about the MFT file record related to the root directory, as below. However, I cannot track its sub-files and subdirectories further from this result directly, because I don't know how to use the obtained 'First Entry Offset' (which is 16) to check further, and I don't know the detailed information of the index nodes, whose length is 152.

| 4  | $INDEX_ROOT            | False        | 168    | Attribute Type          : Filename                         |
|    |                        |              |        | Collation Rule          : 1                                |
|    |                        |              |        | Index Alloc Entry Size  : 4096                             |
|    |                        |              |        | Cluster/Index Record    : 1                                |
|    |                        |              |        | -----                                                      |
|    |                        |              |        | First Entry Offset      : 16                               |
|    |                        |              |        | Index Entries Size      : 152                              |
|    |                        |              |        | Index Entries Allocated : 152                              |
|    |                        |              |        | Flags                   : Large Index                      |
+------------------------------------------------------------------------------------------------------------------+

Hence, maybe a low-level but more explicit way of interpreting index records is needed. For example, an additional option for a given index buffer could be introduced as below:
ntfstool index_buffer disk=x volume=y cluster=z
where z is the starting cluster of the non-resident index record (maybe the file size is also needed), which should be pointed out by a specific previous-step instruction. What's more, as mentioned above, I want ntfstool to explicitly show the detailed information of the resident index nodes when interpreting the $INDEX_ROOT attribute, and to explicitly show the list of starting addresses of all the non-resident index buffers when interpreting the $INDEX_ALLOCATION attribute (I am not sure this statement is correct, but you, a smart man, can catch it ^_^).
As I am totally a layman, there must be some erroneous and ambiguous statements in this enhancement request. To make my request clearer, my story is that I have been working on an external 4T hard disk which had suddenly become corrupted (showing as RAW format). ntfstool is the most powerful tool I have found to print formatted information of various complicated NTFS binary data. With the understandable formatted text, I can focus on figuring out what happened on the hard disk whose file system is corrupted, only being required to know some basic concepts about NTFS. It saves me from repeatedly interpreting binary data and allows comparing the obtained formatted information of specific data with that of a healthy one. So far I have managed to find the problem that some MFT records are out of order (this problem was found with the help of ntfstool). However, the root directory is corrupted as well, and I am confused when verifying the index chains. That's why I submit this enhancement request. The file record for the corrupted root directory is shown below:


MFT (inode:5) from \\.\PhysicalDrive5 > Volume:1
------------------------------------------------

Signature         : FILE
Update Offset     : 48
Update Number     : 3
$LogFile LSN      : 2099480808
Sequence Number   : 5
Hardlink Count    : 1
Attribute Offset  : 56
Flags             : In_use | Directory
Real Size         : 784
Allocated Size    : 1024
Base File Record  : 0000000000000000h
Next Attribute ID : 16
MFT Record Index  : 5
Update Seq Number : 361
Update Seq Array  : 01d50000

Attribute $INDEX_ALLOCATION not found

Attributes:
-----------

+------------------------------------------------------------------------------------------------------------------+
| Id | Type                   | Non-resident | Length | Overview                                                   |
+------------------------------------------------------------------------------------------------------------------+
| 1  | $STANDARD_INFORMATION  | False        | 48     | File Created Time       : 2019-06-12 22:14:38              |
|    |                        |              |        | Last File Write Time    : 2021-06-19 09:48:03              |
|    |                        |              |        | FileRecord Changed Time : 2021-06-19 09:48:03              |
|    |                        |              |        | Last Access Time        : 2021-06-19 23:50:07              |
|    |                        |              |        | Permissions             :                                  |
|    |                        |              |        |   read_only     : 0                                        |
|    |                        |              |        |   hidden        : 1                                        |
|    |                        |              |        |   system        : 1                                        |
|    |                        |              |        |   device        : 0                                        |
|    |                        |              |        |   normal        : 0                                        |
|    |                        |              |        |   temporary     : 0                                        |
|    |                        |              |        |   sparse        : 0                                        |
|    |                        |              |        |   reparse_point : 0                                        |
|    |                        |              |        |   compressed    : 0                                        |
|    |                        |              |        |   offline       : 0                                        |
|    |                        |              |        |   not_indexed   : 0                                        |
|    |                        |              |        |   encrypted     : 0                                        |
|    |                        |              |        | Max Number of Versions  : 0                                |
|    |                        |              |        | Version Number          : 0                                |
+------------------------------------------------------------------------------------------------------------------+
| 2  | $ATTRIBUTE_LIST        | False        | 296    | $STANDARD_INFORMATION                                      |
|    |                        |              |        | Record Num: 0005000000000005                               |
|    |                        |              |        | ------                                                     |
|    |                        |              |        | $FILE_NAME                                                 |
|    |                        |              |        | Record Num: 0005000000000005                               |
|    |                        |              |        | ------                                                     |
|    |                        |              |        | $OBJECT_ID                                                 |
|    |                        |              |        | Record Num: 0005000000000005                               |
|    |                        |              |        | ------                                                     |
|    |                        |              |        | $SECURITY_DESCRIPTOR                                       |
|    |                        |              |        | Record Num: 000400000000cac9                               |
|    |                        |              |        | ------                                                     |
|    |                        |              |        | $INDEX_ROOT                                                |
|    |                        |              |        | Name      : $I30                                           |
|    |                        |              |        | Record Num: 0005000000000005                               |
|    |                        |              |        | ------                                                     |
|    |                        |              |        | $INDEX_ALLOCATION                                          |
|    |                        |              |        | Name      : $I30                                           |
|    |                        |              |        | Record Num: 000400000000cac9                               |
|    |                        |              |        | ------                                                     |
|    |                        |              |        | $BITMAP                                                    |
|    |                        |              |        | Name      : $I30                                           |
|    |                        |              |        | Record Num: 000400000000cac9                               |
|    |                        |              |        | ------                                                     |
|    |                        |              |        | $LOGGED_UTILITY_STREAM                                     |
|    |                        |              |        | Name      : $TXF_DATA                                      |
|    |                        |              |        | Record Num: 0005000000000005                               |
+------------------------------------------------------------------------------------------------------------------+
| 3  | $FILE_NAME             | False        | 68     | Parent Dir Record Index : 5                                |
|    |                        |              |        | Parent Dir Sequence Num : 5                                |
|    |                        |              |        | File Created Time       : 2019-06-12 22:14:38              |
|    |                        |              |        | Last File Write Time    : 2019-06-12 22:14:38              |
|    |                        |              |        | FileRecord Changed Time : 2019-06-12 22:14:38              |
|    |                        |              |        | Last Access Time        : 2019-06-12 22:14:38              |
|    |                        |              |        | Allocated Size          : 0                                |
|    |                        |              |        | Real Size               : 0                                |
|    |                        |              |        | ------                                                     |
|    |                        |              |        | NameType                : DOS & WIN32                      |
|    |                        |              |        | Name                    : .                                |
+------------------------------------------------------------------------------------------------------------------+
| 4  | $OBJECT_ID             | False        | 16     | Object Unique ID        : {663f6f9a-a036-11e9-a414-28b2bdd |
|    |                        |              |        |                           e2834}                           |
+------------------------------------------------------------------------------------------------------------------+
| 5  | $INDEX_ROOT            | False        | 56     | Attribute Type          : Filename                         |
|    |                        |              |        | Collation Rule          : 1                                |
|    |                        |              |        | Index Alloc Entry Size  : 4096                             |
|    |                        |              |        | Cluster/Index Record    : 1                                |
|    |                        |              |        | -----                                                      |
|    |                        |              |        | First Entry Offset      : 16                               |
|    |                        |              |        | Index Entries Size      : 40                               |
|    |                        |              |        | Index Entries Allocated : 40                               |
|    |                        |              |        | Flags                   : Large Index                      |
+------------------------------------------------------------------------------------------------------------------+

Usn operation error : Invalid read file size

commit: af24822

OS:Version Microsoft Windows 10 LTSC : 10.0.17763

cmd:
I:\>ntfstool.x64.exe usn disk=2 volume=4 output=usn.json format=json
USN Journals from \\.\PhysicalDrive2 > Volume:4

[+] Opening \\?\Volume{XXXXXXX-XXXX-XXXX}
[+] Finding $Extend\$UsnJrnl record
[+] Found in file record : 69279
[+] Data stream $J size : 11.16 GiBs
[+] Reading $J
[!] Invalid read file size

[+] Closing volume

Debug:
in thewhiteninja_ntfstool\Sources\NTFS\ntfs_mft_record.cpp
line: 578
std::shared_ptr<MFTRecord> extRecordHeader = _mft->record_from_number(pAttrListI->recordNumber & 0xffffffffffff);

if (is_first_data)
{
    filesize_left = extRecordHeader->datasize();
    is_first_data = false;
}

...
extRecordHeader->datasize(); returns 0

Working with .\ntfstool.x64.exe undelete

Hi guys

Is there a way to filter the results from the undelete command, or to export the results to a .csv or .txt file without those line breaks in the filename, so that I am able to analyze them in MySQL, for example?

These are the results I got:

The results I need:

Thank you!

[LNK1120] Visual Studio C++ 2017 std::codecvt

Hello!

Sorry, I don't know if it is the right place for this.

I've got a 3 GiB $J to extract, but the last release version seems to be outdated (I'm talking about this: https://github.com/thewhiteninja/ntfstool/releases, Oct for the last release), so it is impossible to extract, since the issue with big $UsnJrnl has just recently been solved.

So I try to build the project, but when I try to run the project in VS 2017, I get a lot of error messages.
Including this one I don't manage to solve:

utils.obj : error LNK2001: unresolved external symbol "public: static class std::locale::id std::codecvt<char16_t,char,struct _Mbstatet>::id" (?id@?$codecvt@_SDU_Mbstatet@@@std@@2V0locale@2@A)

How is it possible to fix this?

Thank you!

Long output filename (possibly) causing hang

Firstly, great tool, really excellent, thank you!

This relates to the mft.dump function.

I've found (in some instances) that the process seems to hang, i.e. never completes. I'm not completely sure of the cause, but did note that when I specified a long filename as the output file, the hang occurred. I'm not completely set on this being the cause, as with other testing, I've been able to specify long output filenames with no issue. Please see screenshot below for an example:

NtfsTool-Long-Output-Filename-Hang

program keeps crashing on record_from_path or attribute_header

Hello, I'm trying to use this as a library for some stuff I need. However, I keep noticing (maybe a race condition) a crash on record_from_number, since sometimes it happens and sometimes it doesn't, but maybe I'm just doing something wrong and if so maybe you could tell me? All you have to do is run this code in a loop and after a while it will end up crashing in record_from_number.

This code worked for 2 iterations then crashed; sometimes it instantly crashes, sometimes after a while. It's really random.

while (true) {
    // core::win::disks is the reporter's own enumeration wrapper, not part of ntfstool
    for (const auto& disk : core::win::disks::list()) {
        if (!disk)
            continue;

        for (const auto& volume : disk->volumes()) {
            if (!volume)
                continue;

            // A fresh explorer is created for every volume on every iteration
            const auto explorer = std::make_shared<NTFSExplorer>(volume);
            if (!explorer || !explorer->mft())
                continue;

            // Resolve a well-known metadata file by path
            const std::shared_ptr<MFTRecord> entry_rec = explorer->mft()->record_from_path(R"(\$Extend\$ObjId)");
            if (!entry_rec)
                continue;

            // Locate the resident $STANDARD_INFORMATION attribute of that record
            PMFT_RECORD_ATTRIBUTE_HEADER stdinfo_att = entry_rec->attribute_header($STANDARD_INFORMATION);
            if (!stdinfo_att)
                continue;

            const auto stdinfo = POINTER_ADD(PMFT_RECORD_ATTRIBUTE_STANDARD_INFORMATION, stdinfo_att, stdinfo_att->Form.Resident.ValueOffset);
            if (!stdinfo)
                continue;

            printf("%s | %p \n", volume->name().c_str(), stdinfo);
        }
    }
}


How to import third-party libraries

Dear author,
I am a newbie to C++ and know this is a question rather than a problem, but I really want to figure it out.

My platform is Windows 10, and Visual Studio 2019 Community is used.
What am I doing:

  1. Download the source codes of the four necessary third-party libraries.
  2. Compile these libraries, and get some .lib files such as distorm.lib, libssl_static.lib, libcrypto_static.lib.
  3. Copy these .lib files to a specific directory, e.g., Third-parties\Lib.
  4. Configure the properties of the ntfstool project with VS2019. Add the above directory to the 'Additional Library Directories' list, and add these obtained .lib files to the 'Additional Dependencies' list.
  5. Copy all the include files of the four libraries to a specific directory, e.g., Third-parties\Include.
  6. Make the ntfstool project 'Include' the directory 'Third-parties\Include' with VS2019.
  7. Compile the solution 'NTFS'.

However, I get some errors, such as

Error	LNK2001	unresolved external symbol distorm_decode64	ntfstool	E:\Code\cpp\ntfstool-master\utils.obj	1	
Error	LNK2019	unresolved external symbol distorm_decode64 referenced in function "void __cdecl print_jump(unsigned char * const)" (?print_jump@@YAXQEAE@Z)	ntfstool	E:\Code\cpp\ntfstool-master\command_vbr.obj	1	
Error	LNK2001	unresolved external symbol __imp_feof	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(ui_openssl.obj)	1	
Error	LNK2019	unresolved external symbol __imp_feof referenced in function file_ctrl	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(bss_file.obj)	1	
Error	LNK2001	unresolved external symbol __imp_ferror	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(ui_openssl.obj)	1	
Error	LNK2019	unresolved external symbol __imp_ferror referenced in function file_read	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(bss_file.obj)	1	
Error	LNK2001	unresolved external symbol __imp_fgets	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(ui_openssl.obj)	1	
Error	LNK2019	unresolved external symbol __imp_fgets referenced in function file_gets	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(bss_file.obj)	1	
Error	LNK2019	unresolved external symbol __imp_strerror_s referenced in function openssl_strerror_r	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(o_str.obj)	1	
Error	LNK2001	unresolved external symbol __imp_strncpy	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(evp_key.obj)	1	
Error	LNK2001	unresolved external symbol __imp_strncpy	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(x509_obj.obj)	1	
Error	LNK2019	unresolved external symbol __imp_strncpy referenced in function win32_joiner	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(dso_win32.obj)	1	
Error	LNK2001	unresolved external symbol __imp_strspn	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(v3_asid.obj)	1	
Error	LNK2001	unresolved external symbol __imp_strspn	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(v3_addr.obj)	1	
Error	LNK2019	unresolved external symbol __imp_strspn referenced in function PEM_get_EVP_CIPHER_INFO	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(pem_lib.obj)	1	
Error	LNK2019	unresolved external symbol __imp__gmtime64_s referenced in function OPENSSL_gmtime	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(o_time.obj)	1	
Error	LNK2001	unresolved external symbol __imp__stat64i32	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(conf_def.obj)	1	
Error	LNK2019	unresolved external symbol __imp__stat64i32 referenced in function file_open	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(loader_file.obj)	1	
Error	LNK2001	unresolved external symbol __imp__strdup	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(conf_lib.obj)	1	
Error	LNK2019	unresolved external symbol __imp__strdup referenced in function OPENSSL_config	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(conf_sap.obj)	1	
Error	LNK2001	unresolved external symbol __imp__time64	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(a_time.obj)	1	
Error	LNK2001	unresolved external symbol __imp__time64	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(x509_vfy.obj)	1	
Error	LNK2019	unresolved external symbol __imp__time64 referenced in function RAND_DRBG_bytes	ntfstool	E:\Code\cpp\ntfstool-master\libcrypto_static.lib(drbg_lib.obj)	1	

How can I properly import the necessary third-party libraries into the ntfstool project?

Cannot dump $LogFile

shell disk=1 volume=3
disk1:volume3:> ls

  Inode | Type | Name                      |         Size | Creation Date       | Attributes
---------------------------------------------------------------------------------------------
      4 |      | $AttrDef                  |         2560 | 2021-02-18 05:45:18 | Hi Sy
      8 |      | $BadClus                  |            0 | 2021-02-18 05:45:18 | Hi Sy
        | ADS  |   $Bad                    | 510905020416 |                     |
      6 |      | $Bitmap                   |     15591584 | 2021-02-18 05:45:18 | Hi Sy
        | ADS  |   $SRAT                   |           68 |                     |
      7 |      | $Boot                     |         8192 | 2021-02-18 05:45:18 | Hi Sy
     11 | DIR  | $Extend                   |              | 2021-02-18 05:45:18 | Hi Sy
      2 |      | $LogFile                  |     67108864 | 2021-02-18 05:45:18 | Hi Sy
      0 |      | $MFT                      |   2073034752 | 2021-02-18 05:45:18 | Hi Sy
      1 |      | $MFTMirr                  |         4096 | 2021-02-18 05:45:18 | Hi Sy
   4502 | DIR  | $Recycle.Bin              |              | 2019-12-07 10:14:52 | Hi Sy
      9 |      | $Secure                   |            0 | 2021-02-18 05:45:18 | Hi Sy
     10 |      | $UpCase                   |       131072 | 2021-02-18 05:45:18 | Hi Sy
        | ADS  |   $Info                   |           32 |                     |
      3 |      | $Volume                   |            0 | 2021-02-18 05:45:18 | Hi Sy
 154204 | DIR  | $WINDOWS.~BT              |              | 2021-11-02 22:52:59 |
  50617 | DIR  | $Windows.~WS              |              | 2022-02-06 19:18:00 | Hi Ni
    156 | DIR  | $WinREAgent               |              | 2023-01-10 22:38:03 | Hi

mft.record disk=1 volume=3

MFT (inode:0) for \\.\PhysicalDrive1 > Volume:3
-----------------------------------------------

Signature         : FILE
Update Offset     : 48
Update Number     : 3
$LogFile LSN      : 305819962804
Sequence Number   : 1
Hardlink Count    : 1
Attribute Offset  : 56
Flags             : In use
Real Size         : 888
Allocated Size    : 1024
Base File Record  : 0000000000000000h
Next Attribute ID : 13
MFT Record Index  : 0
Update Seq Number : 1714
Update Seq Array  : 01150000

Attributes:
-----------

+-------------------------------------------------------------------------------------------------------------+
| Id | Type                       | Non-resident | Length     | Overview                                      |
+-------------------------------------------------------------------------------------------------------------+
| 1  | $STANDARD_INFORMATION      | False        | 72         | File Created Time       : 2021-02-18 05:45:18 |
|    | Raw address: 0000c0000050h |              |            | Last File Write Time    : 2021-02-18 05:45:18 |
|    |                            |              |            | FileRecord Changed Time : 2021-02-18 05:45:18 |
|    |                            |              |            | Last Access Time        : 2021-02-18 05:45:18 |
|    |                            |              |            | Permissions             :                     |
|    |                            |              |            |   read_only     : 0                           |
|    |                            |              |            |   hidden        : 1                           |
|    |                            |              |            |   system        : 1                           |
|    |                            |              |            |   device        : 0                           |
|    |                            |              |            |   normal        : 0                           |
|    |                            |              |            |   temporary     : 0                           |
|    |                            |              |            |   sparse        : 0                           |
|    |                            |              |            |   reparse_point : 0                           |
|    |                            |              |            |   compressed    : 0                           |
|    |                            |              |            |   offline       : 0                           |
|    |                            |              |            |   not_indexed   : 0                           |
|    |                            |              |            |   encrypted     : 0                           |
|    |                            |              |            | Max Number of Versions  : 0                   |
|    |                            |              |            | Version Number          : 0                   |
+-------------------------------------------------------------------------------------------------------------+
| 2  | $FILE_NAME                 | False        | 74         | Parent Dir Record Index : 5                   |
|    | Raw address: 0000c00000b0h |              |            | Parent Dir Sequence Num : 5                   |
|    |                            |              |            | File Created Time       : 2021-02-18 05:45:18 |
|    |                            |              |            | Last File Write Time    : 2021-02-18 05:45:18 |
|    |                            |              |            | FileRecord Changed Time : 2021-02-18 05:45:18 |
|    |                            |              |            | Last Access Time        : 2021-02-18 05:45:18 |
|    |                            |              |            | Allocated Size          : 1417412608          |
|    |                            |              |            | Real Size               : 1417412608          |
|    |                            |              |            | ------                                        |
|    |                            |              |            | NameType                : DOS & WIN32         |
|    |                            |              |            | Name                    : $MFT                |
+-------------------------------------------------------------------------------------------------------------+
| 3  | $DATA                      | True         | 2073034752 | Size: 2073034752 (1.93 GiB)                   |
|    | Raw address: 0000c0000140h |              |            | Dataruns:                                     |
|    |                            |              |            |     Length: 0000c820 Offset: 000c0000         |
|    |                            |              |            |     Length: 000053a3 Offset: 00adb375         |
|    |                            |              |            |     Length: 000035fe Offset: 0055d48a         |
|    |                            |              |            |     Length: 0000323f Offset: 0103745c         |
|    |                            |              |            |     Length: 0000c819 Offset: 01e90c48         |
|    |                            |              |            |     Length: 0000c819 Offset: 06379147         |
|    |                            |              |            |     Length: 000027ce Offset: 05391ba4         |
|    |                            |              |            |     Length: 0000a4d4 Offset: 07122acc         |
|    |                            |              |            |     Length: 000063f4 Offset: 04255ee4         |
|    |                            |              |            |     Length: 00000a8e Offset: 06c65c0c         |
|    |                            |              |            |     Length: 000001ad Offset: 051b2127         |
|    |                            |              |            |     Length: 0000cbf2 Offset: 07166c3c         |
|    |                            |              |            |     Length: 00002d83 Offset: 05db27f9         |
|    |                            |              |            |     Length: 0000406d Offset: 073cd633         |
|    |                            |              |            |     Length: 00000e97 Offset: 041df470         |
|    |                            |              |            |     Length: 00000e89 Offset: 06f2dbb7         |
|    |                            |              |            |     Length: 00000de1 Offset: 03cc3927         |
|    |                            |              |            |     Length: 00000db5 Offset: 00466aaf         |
|    |                            |              |            |     Length: 00000dab Offset: 041a0cd9         |
|    |                            |              |            |     Length: 00000f95 Offset: 07315b99         |
|    |                            |              |            |     Length: 00004aa8 Offset: 01250b40         |
|    |                            |              |            |     Length: 00000ab8 Offset: 0550d6b6         |
|    |                            |              |            |     Length: 00000595 Offset: 012cc194         |
|    |                            |              |            |     Length: 000004b4 Offset: 07209d68         |
|    |                            |              |            |     Length: 000004ad Offset: 02fa5c78         |
|    |                            |              |            |     Length: 00000490 Offset: 01c4dde0         |
|    |                            |              |            |     Length: 00001c84 Offset: 02dac5a1         |
|    |                            |              |            |     Length: 00001d1a Offset: 04d84ea5         |
|    |                            |              |            |     Length: 00001264 Offset: 051c21b8         |
|    |                            |              |            |     Length: 0000003d Offset: 016a5e21         |
|    |                            |              |            |     Length: 0000079c Offset: 016a2164         |
|    |                            |              |            |     Length: 00002468 Offset: 0561ec80         |
|    |                            |              |            |     Length: 0000376a Offset: 04e83dd8         |
|    |                            |              |            |     Length: 00002b63 Offset: 05f1e700         |
|    |                            |              |            |     Length: 0000279c Offset: 019bcf80         |
|    |                            |              |            |     Length: 0000279f Offset: 0477d34c         |
|    |                            |              |            |     Length: 00002fa3 Offset: 0707668c         |
|    |                            |              |            |     Length: 00001551 Offset: 00dcbde8         |
|    |                            |              |            |                                               |
|    |                            |              |            | Virtual size: 0 (0.00 byte)                   |
|    |                            |              |            | Real size   : 2073034752 (1.93 GiB)           |
+-------------------------------------------------------------------------------------------------------------+
| 4  | $BITMAP                    | True         | 254944     | Index Node Used         : 1752184             |
|    | Raw address: 0000c0000290h |              |            |                                               |
+-------------------------------------------------------------------------------------------------------------+

But last but not least

logfile.dump disk=1 volume=3 output=log.log format=raw

LogFile from \\.\PhysicalDrive1 > Volume:3
------------------------------------------

[+] Opening \\?\Volume{3de295f9-1d5e-4f1d-bbce-fb5e97329559}\
[+] Reading $LogFile record
[+] $LogFile size : 64.00 MiBs
[+] Creating log.log
[!] Unable to find corresponding $DATA attribute
[+] Processing data: 0.00 byte[+] Closing volume

[+] Closing volume

I wish the tool could dump all NTFS metadata

Here was the situation when I discovered this tool:

My HDD stopped being recognized by Windows (shown as Raw). But the problem seems to be very minor. All files are still there. The HDD tools can easily show them. I want to run chkdsk to fix the filesystem, but there is a risk that it will mess up everything. I'm pretty sure it won't mess up the file contents. But it could mess up $MFT. So, I wanted to back up the whole filesystem table ($MFT and FILE records). This way I could recover the table or the files (knowing their sectors). It would be also great to compare the table before and after the repair.

I've since fixed my problem, but just wanted to leave my use case here.
