{"id":1322,"date":"2012-09-29T18:12:48","date_gmt":"2012-09-29T18:12:48","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1322"},"modified":"2012-09-29T18:46:07","modified_gmt":"2012-09-29T18:46:07","slug":"hmft-update-listing-mft-attributes","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2012\/09\/29\/hmft-update-listing-mft-attributes\/","title":{"rendered":"HMFT update: listing $MFT attributes"},"content":{"rendered":"<p>A few months back I released the first version of <a title=\"HMFT \u2013 Yet Another $MFT extractor\" href=\"https:\/\/www.hexacorn.com\/blog\/2012\/04\/16\/hmft-yet-another-mft-extractor\/\">HMFT<\/a> &#8211; a small utility written in x86 assembly that reads $MFT directly from a physical disk (or raw image file\/DD format) and saves it to a file. Today I am releasing a new version of this tool that now can also extract $MFT metadata and print it out to the output file. It is very similar to <a href=\"http:\/\/www.integriography.com\/\">AnalyzeMFT<\/a> from David Kovar, <a href=\"https:\/\/code.google.com\/p\/winforensicaanalysis\/downloads\/list\">mft.pl<\/a> (wfa3e.zip) from Harlan Carvey, and <a href=\"http:\/\/www.sleuthkit.org\/sleuthkit\/man\/fls.html\">fls<\/a> from Sleuthkit as well as other similar utilities.<\/p>\n<p>The main difference is that it is very small, fast, works on both live systems and images, and tries to parse the attributes and print out raw data in a way that includes all gore details from $MFT FILE records to help in analysis and\u00a0 learning the NTFS internals.<\/p>\n<p>Apart from a new functionality, I also fixed one bug &#8211; the actual $MFT FILE record was not saved to the output file in a previous version; this is now fixed.<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/hmft0_2_2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1335\" title=\"hmft0_2_2\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/hmft0_2_2-300x136.png\" alt=\"\" width=\"300\" height=\"136\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/hmft0_2_2-300x136.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/hmft0_2_2.png 633w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>As usual:<\/p>\n<ul>\n<li>it&#8217;s a work in progress and at the moment it only supports FILE_NAME and STANDARD_INFORMATION attributes as well as data LCNs. Hopefully I will be able to add other information later on.<\/li>\n<li>it may contain bugs so if you spot any, please do let me know and I will try to fix them.<\/li>\n<li>any feedback is much appreciated, thanks!<\/li>\n<\/ul>\n<p>Download a new version <a href=\"https:\/\/hexacorn.com\/download.php?f=hmft.exe\">here<\/a>.<\/p>\n<p>Enjoy!<\/p>\n<p>The new version now takes 3 arguments from a command line:<\/p>\n<pre>Usage:\r\n\u00a0\u00a0 hmft [drive:] [-\/options] [output filename]\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 where options are:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 - l - enumerate $MFT and list FILE record attributes (partially implemented)\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 - d - dump $MFT to a file\r\n\r\nExamples:\r\n\u00a0\u00a0 hmft -d c: c_mft.dat\r\n\u00a0\u00a0 hmft -l c: c_mft_listing.dat<\/pre>\n<p>Example session on a 1.2GiB $MFT:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/hmft0_2_1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1324\" title=\"hmft0_2_1\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/hmft0_2_1-275x300.png\" alt=\"\" width=\"275\" height=\"300\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/hmft0_2_1-275x300.png 275w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/hmft0_2_1.png 869w\" sizes=\"(max-width: 275px) 100vw, 275px\" \/><\/a><\/p>\n<p>Example output:<\/p>\n<pre>[NTFS BOOT RECORD]\r\n\u00a0 BytesPerSector = 512\r\n\u00a0 SectorsPerCluster = 8\r\n\u00a0 MFTStartCluster = 786432\r\n\u00a0 ----------------------------------------------\r\n\u00a0 [FILE]\r\n\u00a0\u00a0\u00a0 SignatureD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1162627398\r\n\u00a0\u00a0\u00a0 OffsetToFixupArrayW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 48\r\n\u00a0\u00a0\u00a0 NumberOfEntriesInFixupArrayW\u00a0 = 3\r\n\u00a0\u00a0\u00a0 LogFileSequenceNumberQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 99422051935\r\n\u00a0\u00a0\u00a0 SequenceValueW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1\r\n\u00a0\u00a0\u00a0 LinkCountW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1\r\n\u00a0\u00a0\u00a0 OffsetToFirstAttributeW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 56\r\n\u00a0\u00a0\u00a0 FlagsW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1\r\n\u00a0\u00a0\u00a0 UsedSizeOfMFTEntryD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 616\r\n\u00a0\u00a0\u00a0 AllocatedSizeOfMFTEntryD\u00a0\u00a0\u00a0\u00a0\u00a0 = 1024\r\n\u00a0\u00a0\u00a0 FileReferenceToBaseRecordQ\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0 NextAttributeIdD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 7\r\n\u00a0\u00a0 --\r\n\r\n\u00a0\u00a0\u00a0 RESIDENT ATTRIBUTE\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AttributeTypeIdentifierD = 16\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfAttributeD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 96\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 NonResidentFlagB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfNameB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 OffsetToNameW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 24\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 FlagsW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AttributeIdentifierW\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 --\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 SizeOfContentD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 72\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 OffsetToContentW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 24\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 --\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MFTA_STANDARD_INFORMATION\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 CreationTimeQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 128880037529117193\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ModificationTimeQ\u00a0\u00a0\u00a0\u00a0 = 128880037529117193\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MFTModificationTimeQ\u00a0 = 128880037529117193\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 AccessTimeQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 128880037529117193\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 FlagsD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 6\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MaxNumOfVersionsD\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 VersionNumberD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ClassIdD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 OwnerIdD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 SecurityIdD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 256\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 QuotaQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 USNQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 CreationTime (epoch)\u00a0\u00a0\u00a0 = 1243530152\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ModificationTime (epoch)\u00a0 = 1243530152\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MFTModificationTime (epoch)\u00a0 = 1243530152\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 AccessTime (epoch)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1243530152\r\n\u00a0\u00a0 --\r\n\r\n\u00a0\u00a0\u00a0 RESIDENT ATTRIBUTE\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AttributeTypeIdentifierD = 48\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfAttributeD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 104\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 NonResidentFlagB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfNameB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 OffsetToNameW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 24\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 FlagsW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AttributeIdentifierW\u00a0\u00a0\u00a0\u00a0 = 3\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 --\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 SizeOfContentD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 74\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 OffsetToContentW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 24\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 --\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MFTA_FILE_NAME\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ParentID6\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 5\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ParentUseIndexW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 5\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 CreationTimeQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 128880037529117193\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ModificationTimeQ\u00a0\u00a0\u00a0\u00a0 = 128880037529117193\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MFTModificationTimeQ\u00a0 = 128880037529117193\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 AccessTimeQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 128880037529117193\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 CreationTime (epoch)\u00a0\u00a0\u00a0 = 1243530152\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ModificationTime (epoch)\u00a0 = 1243530152\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MFTModificationTime (epoch)\u00a0 = 1243530152\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 AccessTime (epoch)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1243530152\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 AllocatedSizeQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1051983872\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 RealSizeQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1051983872\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 FlagsD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 6\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ReparseValueD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfNameB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 4\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 NameSpaceB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 3\r\n\u00a0\u00a0\u00a0\u00a0 FileName = $MFT\r\n\u00a0\u00a0 --\r\n\r\n\u00a0\u00a0\u00a0 NON_RESIDENT ATTRIBUTE\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AttributeTypeIdentifierD = 128\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfAttributeD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 80\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 NonResidentFlagB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfNameB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 OffsetToNameW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 64\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 FlagsW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AttributeIdentifierW\u00a0\u00a0\u00a0\u00a0 = 1\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 --\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 StartingVCNQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 EndingVCNQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 293647\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 OfsToRunListW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 64\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 CompressionUnitSizeW\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 UnusedD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AllocateSizeQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1202782208\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 ActualSizeQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1202782208\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 InitializedSizeQ\u00a0\u00a0\u00a0\u00a0\u00a0 = 1202782208\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 --\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MFTA_DATA\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 len = 2\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ofs = 3\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 LCN_Ofs = 786432\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 LCN_Len = 17312\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 len = 3\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ofs = 4\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 LCN_Ofs = 16909768\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 LCN_Len = 276336\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 len = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ofs = 0\r\n\u00a0\u00a0 --\r\n\r\n\u00a0\u00a0\u00a0 NON_RESIDENT ATTRIBUTE\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AttributeTypeIdentifierD = 176\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfAttributeD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 272\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 NonResidentFlagB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfNameB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 OffsetToNameW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 64\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 FlagsW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AttributeIdentifierW\u00a0\u00a0\u00a0\u00a0 = 6\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 --\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 StartingVCNQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 EndingVCNQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 36\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 OfsToRunListW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 64\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 CompressionUnitSizeW\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 UnusedD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AllocateSizeQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 151552\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 ActualSizeQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 148896\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 InitializedSizeQ\u00a0\u00a0\u00a0\u00a0\u00a0 = 148896\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 --\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MFTA_BITMAP\r\n\u00a0 NumOfClustersBlocks = 2\r\n\u00a0 ----------------------------------------------<\/pre>\n<p>Download a new version <a href=\"https:\/\/hexacorn.com\/download.php?f=hmft.exe\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A few months back I released the first version of HMFT &#8211; a small utility written in x86 assembly that reads $MFT directly from a physical disk (or raw image file\/DD format) and saves it to a file. Today I &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/09\/29\/hmft-update-listing-mft-attributes\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[15,19,20,9,5],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1322"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1322"}],"version-history":[{"count":12,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1322\/revisions"}],"predecessor-version":[{"id":1330,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1322\/revisions\/1330"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1322"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=1322"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1322"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}