HMFT – Yet Another $MFT extractor

Posted on by

HMFT is a simple tool that extracts $MFT from a given drive or a disk image to a file in any location (including removable drive).

Extracting $MFT directly from a live system or even from an image is always a pain. Most of the tools available on the internet are GUI-driven, and GUI option is not always available (e.g. to remote users); such GUI-driven tools are also often not very ‘portable’ as they are bundled with other components and are written in a high-level language so the file size often goes to a few hundred KiBs, if not MiBs . As such, getting them on a target system may be annoying to say the least. There are of course good command line tools available as well, but they are often private, paid-only, or offering a limited functionality in its free version (not to mention the file size).

Now, don’t get me wrong – this is not to boo at other tools – they are often excellent and very useful. Also, apart from extracting $MFT they often offer a lot of other functionality e.g. parsing various file systems, extracting files by name, etc. They are just written for a different purpose.

Interestingly, the MFT extraction can be easily achieved within less than 1KB of code; HMFT is still far from an optimal size, but since it is written in X86 assembly and packed with UPX it ‘weights’ only 4KiB and I have no plans on optimizing it further. It is also quite fast and if you are lucky, extracting $MFT file should be a matter of seconds up to few minutes (it will take longer if for $MFT extracted from removable drives or if systems is under performing during the operation). HMFT reads NTFS directly and tries its best to parse its structure. It doesn’t rely on any 3rd party library, and doesn’t use commonly used FSCTL_* commands to retrieve data – it’s all plain Read/Write from the list of clusters that $MFT occupies.

Once extracted, $MFT can be parsed with analyzeMFT, mft.pl, or other scripts.

Note:

  • For images, only images of volumes (logical drives) are supported at the moment.
  • As mentioned, while parsing NTFS is a major pain in general, extracting $MFT alone is relative simple, so I hope it will work OK. Still,  if you try it and for some reason something doesn’t work, please let me know and I will try to fix it.

Usage:

hmft.exe [drive] [output filename]

f.ex.:

Download HMFT here.