HMFT update: listing $MFT attributes

Posted on by

A few months back I released the first version of HMFT – a small utility written in x86 assembly that reads $MFT directly from a physical disk (or raw image file/DD format) and saves it to a file. Today I am releasing a new version of this tool that now can also extract $MFT metadata and print it out to the output file. It is very similar to AnalyzeMFT from David Kovar, mft.pl (wfa3e.zip) from Harlan Carvey, and fls from Sleuthkit as well as other similar utilities.

The main difference is that it is very small, fast, works on both live systems and images, and tries to parse the attributes and print out raw data in a way that includes all gore details from $MFT FILE records to help in analysis and  learning the NTFS internals.

Apart from a new functionality, I also fixed one bug – the actual $MFT FILE record was not saved to the output file in a previous version; this is now fixed.

As usual:

  • it’s a work in progress and at the moment it only supports FILE_NAME and STANDARD_INFORMATION attributes as well as data LCNs. Hopefully I will be able to add other information later on.
  • it may contain bugs so if you spot any, please do let me know and I will try to fix them.
  • any feedback is much appreciated, thanks!

Download a new version here.

Enjoy!

The new version now takes 3 arguments from a command line:

Usage:
   hmft [drive:] [-/options] [output filename]
      where options are:
      - l - enumerate $MFT and list FILE record attributes (partially implemented)
      - d - dump $MFT to a file

Examples:
   hmft -d c: c_mft.dat
   hmft -l c: c_mft_listing.dat

Example session on a 1.2GiB $MFT:

Example output:

[NTFS BOOT RECORD]
  BytesPerSector = 512
  SectorsPerCluster = 8
  MFTStartCluster = 786432
  ----------------------------------------------
  [FILE]
    SignatureD                    = 1162627398
    OffsetToFixupArrayW           = 48
    NumberOfEntriesInFixupArrayW  = 3
    LogFileSequenceNumberQ        = 99422051935
    SequenceValueW                = 1
    LinkCountW                    = 1
    OffsetToFirstAttributeW       = 56
    FlagsW                        = 1
    UsedSizeOfMFTEntryD           = 616
    AllocatedSizeOfMFTEntryD      = 1024
    FileReferenceToBaseRecordQ    = 0
    NextAttributeIdD              = 7
   --

    RESIDENT ATTRIBUTE
      AttributeTypeIdentifierD = 16
      LengthOfAttributeD       = 96
      NonResidentFlagB         = 0
      LengthOfNameB            = 0
      OffsetToNameW            = 24
      FlagsW                   = 0
      AttributeIdentifierW     = 0
      --
      SizeOfContentD          = 72
      OffsetToContentW        = 24
      --
        MFTA_STANDARD_INFORMATION
            CreationTimeQ         = 128880037529117193
            ModificationTimeQ     = 128880037529117193
            MFTModificationTimeQ  = 128880037529117193
            AccessTimeQ           = 128880037529117193
            FlagsD                = 6
            MaxNumOfVersionsD     = 0
            VersionNumberD        = 0
            ClassIdD              = 0
            OwnerIdD              = 0
            SecurityIdD           = 256
            QuotaQ                = 0
            USNQ                  = 0
            CreationTime (epoch)    = 1243530152
            ModificationTime (epoch)  = 1243530152
            MFTModificationTime (epoch)  = 1243530152
            AccessTime (epoch)           = 1243530152
   --

    RESIDENT ATTRIBUTE
      AttributeTypeIdentifierD = 48
      LengthOfAttributeD       = 104
      NonResidentFlagB         = 0
      LengthOfNameB            = 0
      OffsetToNameW            = 24
      FlagsW                   = 0
      AttributeIdentifierW     = 3
      --
      SizeOfContentD          = 74
      OffsetToContentW        = 24
      --
        MFTA_FILE_NAME
            ParentID6             = 5
            ParentUseIndexW       = 5
            CreationTimeQ         = 128880037529117193
            ModificationTimeQ     = 128880037529117193
            MFTModificationTimeQ  = 128880037529117193
            AccessTimeQ           = 128880037529117193
            CreationTime (epoch)    = 1243530152
            ModificationTime (epoch)  = 1243530152
            MFTModificationTime (epoch)  = 1243530152
            AccessTime (epoch)           = 1243530152
            AllocatedSizeQ        = 1051983872
            RealSizeQ             = 1051983872
            FlagsD                = 6
            ReparseValueD         = 0
            LengthOfNameB         = 4
            NameSpaceB            = 3
     FileName = $MFT
   --

    NON_RESIDENT ATTRIBUTE
      AttributeTypeIdentifierD = 128
      LengthOfAttributeD       = 80
      NonResidentFlagB         = 1
      LengthOfNameB            = 0
      OffsetToNameW            = 64
      FlagsW                   = 0
      AttributeIdentifierW     = 1
      --
      StartingVCNQ          = 0
      EndingVCNQ            = 293647
      OfsToRunListW         = 64
      CompressionUnitSizeW  = 0
      UnusedD               = 0
      AllocateSizeQ         = 1202782208
      ActualSizeQ           = 1202782208
      InitializedSizeQ      = 1202782208
      --
        MFTA_DATA
              len = 2
              ofs = 3
              LCN_Ofs = 786432
              LCN_Len = 17312
              len = 3
              ofs = 4
              LCN_Ofs = 16909768
              LCN_Len = 276336
              len = 0
              ofs = 0
   --

    NON_RESIDENT ATTRIBUTE
      AttributeTypeIdentifierD = 176
      LengthOfAttributeD       = 272
      NonResidentFlagB         = 1
      LengthOfNameB            = 0
      OffsetToNameW            = 64
      FlagsW                   = 0
      AttributeIdentifierW     = 6
      --
      StartingVCNQ          = 0
      EndingVCNQ            = 36
      OfsToRunListW         = 64
      CompressionUnitSizeW  = 0
      UnusedD               = 0
      AllocateSizeQ         = 151552
      ActualSizeQ           = 148896
      InitializedSizeQ      = 148896
      --
        MFTA_BITMAP
  NumOfClustersBlocks = 2
  ----------------------------------------------

Download a new version here.