{"id":869,"date":"2012-04-16T13:41:10","date_gmt":"2012-04-16T13:41:10","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=869"},"modified":"2012-04-16T15:12:54","modified_gmt":"2012-04-16T15:12:54","slug":"hmft-yet-another-mft-extractor","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2012\/04\/16\/hmft-yet-another-mft-extractor\/","title":{"rendered":"HMFT &#8211; Yet Another $MFT extractor"},"content":{"rendered":"<p>HMFT is a simple tool that extracts $MFT from a given drive or a disk image to a file in any location (including a removable drive).<\/p>\n<p>Extracting $MFT directly from a live system, or even from an image, is always a pain. Most of the tools available on the internet are GUI-driven, and a GUI is not always available (e.g. to remote users); such GUI-driven tools are also often not very &#8216;portable&#8217;, as they are bundled with other components and written in a high-level language, so the file size often runs to a few hundred KiB, if not MiB. As such, getting them onto a target system may be annoying, to say the least. There are of course good command-line tools available as well, but they are often private, paid-only, or offer only limited functionality in their free versions (not to mention the file size).<\/p>\n<p>Now, don&#8217;t get me wrong &#8211; this is not to boo at other tools &#8211; they are often excellent and very useful. Also, apart from extracting $MFT they often offer a lot of other functionality, e.g. parsing various file systems, extracting files by name, etc. They are just written for a different purpose.<\/p>\n<p>Interestingly, $MFT extraction can be achieved in less than 1 KiB of code; HMFT is still far from an optimal size, but since it is written in x86 assembly and packed with UPX it &#8216;weighs&#8217; only 4 KiB, and I have no plans on optimizing it further. 
It is also quite fast and, if you are lucky, extracting the $MFT file should be a matter of seconds up to a few minutes (it will take longer for $MFT extracted from removable drives, or if the system is under heavy load during the operation). HMFT reads NTFS directly and tries its best to parse its structure. It doesn&#8217;t rely on any 3rd-party library, and doesn&#8217;t use the commonly used FSCTL_* commands to retrieve data &#8211; it&#8217;s all plain Read\/Write over the list of clusters that $MFT occupies.<\/p>\n<p>Once extracted, $MFT can be parsed with <a href=\"http:\/\/www.integriography.com\/\">analyzeMFT<\/a>, <a href=\"https:\/\/code.google.com\/p\/winforensicaanalysis\/downloads\/detail?name=mft.pl\">mft.pl<\/a>, or other scripts.<\/p>\n<p>Note:<\/p>\n<ul>\n<li>For images, only images of volumes (logical drives) are supported at the moment.<\/li>\n<li>As mentioned, while parsing NTFS is a major pain in general, extracting $MFT alone is relatively simple, so I hope it will work OK. Still, if you try it and for some reason something doesn&#8217;t work, please let me know and I will try to fix it.<\/li>\n<\/ul>\n<p>Usage:<\/p>\n<p style=\"padding-left: 30px;\">hmft.exe [drive] [output filename]<\/p>\n<p>For example:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/04\/hmft.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-870\" title=\"hmft\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/04\/hmft-300x185.png\" alt=\"\" width=\"300\" height=\"185\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/04\/hmft-300x185.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/04\/hmft-80x50.png 80w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/04\/hmft.png 516w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Download <a href=\"https:\/\/hexacorn.com\/download.php?f=hmft.exe\">HMFT<\/a> 
here.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>HMFT is a simple tool that extracts $MFT from a given drive or a disk image to a file in any location (including removable drive). Extracting $MFT directly from a live system or even from an image is always a &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/04\/16\/hmft-yet-another-mft-extractor\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[20,5],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/869"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=869"}],"version-history":[{"count":7,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/869\/revisions"}],"predecessor-version":[{"id":877,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/869\/revisions\/877"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=869"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=869"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
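The post's remark that HMFT reads NTFS directly, with no FSCTL_* calls, just raw reads of the clusters that $MFT occupies, is the whole trick, so here is that route written out in Python as an added example. It is not HMFT's code (HMFT is x86 assembly) and not from the post. It reads the boot sector for the sector size, cluster size, FILE record size and the $MFT start LCN, applies the update-sequence fixups to FILE record 0 (the record that describes $MFT itself), decodes the run list of its unnamed $DATA attribute, and copies those clusters out. The volume it runs against, build_test_volume(), is constructed for this example with an assumed geometry (512-byte sectors, 4 KiB clusters, 1 KiB records, $MFT starting at LCN 4 and split into two runs); every function name here is mine, not HMFT's.

```python
# Added example, not HMFT's code: locate $MFT on an NTFS volume image via the
# boot sector, fixups on FILE record 0 and its $DATA run list. Geometry assumed.
import io
import struct

SECTOR, CLUSTER, MFT_LCN, RECORD_SIZE = 512, 4096, 4, 1024  # constructed volume

def parse_boot_sector(boot):
    """Geometry from the NTFS boot sector (first 512 bytes of the volume)."""
    if boot[3:11] != b"NTFS    ":
        raise ValueError("no NTFS OEM ID: not a volume image?")
    bps, spc = struct.unpack_from("<HB", boot, 0x0B)
    mft_lcn, = struct.unpack_from("<Q", boot, 0x30)
    cpr, = struct.unpack_from("<b", boot, 0x40)  # clusters per FILE record
    record_size = (1 << -cpr) if cpr < 0 else cpr * bps * spc  # -10 -> 2**10
    return {"bps": bps, "cluster": bps * spc, "mft_lcn": mft_lcn,
            "record_size": record_size}

def apply_fixups(record, bps):
    """Verify and undo the update sequence: on disk the last 2 bytes of every
    sector hold the USN; the real bytes sit in the update sequence array."""
    if record[:4] != b"FILE":
        raise ValueError("bad FILE signature")
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn, rec = record[usa_off:usa_off + 2], bytearray(record)
    for i in range(1, usa_count):
        if rec[i * bps - 2:i * bps] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[i * bps - 2:i * bps] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def decode_data_runs(buf):
    """Run list -> [(lcn, clusters)]. Header nibbles give the byte widths of the
    length and of the signed LCN delta; a zero-width delta is a sparse run."""
    runs, pos, lcn = [], 0, 0
    while buf[pos] != 0:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        length = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        delta = buf[pos + 1 + len_sz:pos + 1 + len_sz + off_sz]
        pos += 1 + len_sz + off_sz
        if off_sz == 0:
            runs.append((None, length))
        else:
            lcn += int.from_bytes(delta, "little", signed=True)
            runs.append((lcn, length))
    return runs

def mft_data_runs(record0):
    """Walk record 0's attributes to its unnamed $DATA (type 0x80)."""
    pos, = struct.unpack_from("<H", record0, 0x14)
    while True:
        atype, alen = struct.unpack_from("<II", record0, pos)
        if atype == 0xFFFFFFFF:
            raise ValueError("record 0 has no $DATA attribute")
        if atype == 0x80 and record0[pos + 9] == 0:  # unnamed $DATA
            if record0[pos + 8] != 1:
                raise ValueError("$MFT's $DATA is never resident")
            runs_off, = struct.unpack_from("<H", record0, pos + 0x20)
            real_size, = struct.unpack_from("<Q", record0, pos + 0x30)
            return decode_data_runs(record0[pos + runs_off:pos + alen]), real_size
        pos += alen

def extract_mft(vol):
    """vol: binary file-like (image file or opened raw volume). Returns the raw
    $MFT bytes, records still in on-disk form, plus the runs they came from."""
    vol.seek(0)
    geo = parse_boot_sector(vol.read(512))
    vol.seek(geo["mft_lcn"] * geo["cluster"])
    rec0 = apply_fixups(vol.read(geo["record_size"]), geo["bps"])
    runs, real_size = mft_data_runs(rec0)
    out = bytearray()
    for lcn, n in runs:
        if lcn is None:                        # sparse run: nothing on disk
            out += bytes(n * geo["cluster"])
            continue
        vol.seek(lcn * geo["cluster"])         # cluster-aligned raw read
        out += vol.read(n * geo["cluster"])
    return bytes(out[:real_size]), runs

def extract_from_bytes(img):
    return extract_mft(io.BytesIO(img))

def build_test_volume():
    """Constructed 48 KiB volume: a 16-record $MFT split over LCN 4-5 and
    LCN 10-11. Only the fields the extractor reads are filled in."""
    vol = bytearray(12 * CLUSTER)
    vol[3:11] = b"NTFS    "
    struct.pack_into("<HB", vol, 0x0B, SECTOR, CLUSTER // SECTOR)
    struct.pack_into("<Q", vol, 0x30, MFT_LCN)
    struct.pack_into("<b", vol, 0x40, -10)                     # 2**10-byte records
    for base in (MFT_LCN * CLUSTER, 10 * CLUSTER):             # stub records 1-15
        for i in range(8):
            vol[base + i * RECORD_SIZE:base + i * RECORD_SIZE + 4] = b"FILE"
    r = bytearray(RECORD_SIZE)                                 # record 0 = $MFT
    r[:4] = b"FILE"
    struct.pack_into("<HH", r, 4, 0x30, 3)                     # USA @0x30, 3 words
    struct.pack_into("<HHI", r, 0x14, 0x38, 1, 0x84)           # attrs @0x38, in use
    struct.pack_into("<H", r, 0x30, 7)                         # USN = 7
    a = 0x38
    struct.pack_into("<IIBBHHH", r, a, 0x80, 0x48, 1, 0, 0x40, 0, 0)  # $DATA, non-res
    struct.pack_into("<QQH", r, a + 0x10, 0, 3, 0x40)          # VCN 0-3, runs @0x40
    struct.pack_into("<QQQ", r, a + 0x28, *[4 * CLUSTER] * 3)  # alloc/real/init size
    r[a + 0x40:a + 0x47] = bytes([0x11, 2, 4, 0x11, 2, 6, 0])  # LCN 4 x2, then +6 x2
    struct.pack_into("<I", r, a + 0x48, 0xFFFFFFFF)            # end of attributes
    for i in (1, 2):                  # write the update sequence the way NTFS does
        r[0x30 + 2 * i:0x32 + 2 * i] = r[i * SECTOR - 2:i * SECTOR]
        r[i * SECTOR - 2:i * SECTOR] = r[0x30:0x32]
    vol[MFT_LCN * CLUSTER:MFT_LCN * CLUSTER + RECORD_SIZE] = r
    return bytes(vol)
```

Because it starts from the boot sector at offset 0, this has the same limitation the post's note spells out: it wants an image of a volume (logical drive), not of a whole disk. On a live Windows system the same reads work against the raw volume handle (`\\.\C:`, opened with administrative rights; reads on it must stay sector-aligned, which cluster-sized reads are). The fixup check is the caveat worth keeping: a record whose sector tails do not match the USN was torn or corrupted, and copying through it silently would hand a bad $MFT to analyzeMFT or mft.pl. The copy itself keeps every record in on-disk form, USN values still in the sector tails, exactly as a raw $MFT dump does.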