mft2csv : MFT decoder, NTFS File Extracter & cmdline fileinfo dumper

This tool decodes the $MFT record for a given file. It is a combination of mft2csv and NtfsFileExtracter, which makes it a tool for quickly decoding and dumping file records. It does not write any CSV; it dumps the information to the console. It is very handy when testing and learning NTFS, because you can change a file and get its record decoded right away, without first having to extract the whole $MFT, decode it to a CSV, and import that into Excel or similar to see the actual result. MFTRCRD is therefore for quick dumping of record information for individual files, whereas mft2csv is for decoding the complete $MFT with all its records, which may be a substantial and time-consuming task.
It supports both file name+path and IndexNumber (MFT record) as input (param1). One switch (param3) is for optimizing decode speed when $ATTRIBUTE_LIST is present for a given file. For most usage, set param3 to attriblist=off, which produces faster output. Only set param3 to attriblist=on when there is an $ATTRIBUTE_LIST attribute present. Another switch (param4) chooses whether to hexdump resolved INDX records from the $INDEX_ALLOCATION attribute.

Attributes currently handled:
$STANDARD_INFORMATION
$ATTRIBUTE_LIST
$FILE_NAME
$OBJECT_ID
$SECURITY_DESCRIPTOR (just raw hex dump)
$VOLUME_NAME
$VOLUME_INFORMATION
$DATA
$INDEX_ROOT
$INDEX_ALLOCATION
$BITMAP (just raw hex dump)
$REPARSE_POINT
$EA_INFORMATION
$EA
$LOGGED_UTILITY_STREAM
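
To show what decoding a single record involves, here is an added Python example (not MFTRCRD's own code) that walks the attribute headers of one FILE record and reports whether $ATTRIBUTE_LIST is present, which is the condition given above for attriblist=on. The function names and the sample record are constructed for illustration, and update sequence fixups are not applied, so it assumes no header field sits in the last two bytes of a sector.

```python
import struct

# Type codes from the NTFS on-disk format for the attributes listed above.
ATTR_NAMES = {
    0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST", 0x30: "$FILE_NAME",
    0x40: "$OBJECT_ID", 0x50: "$SECURITY_DESCRIPTOR", 0x60: "$VOLUME_NAME",
    0x70: "$VOLUME_INFORMATION", 0x80: "$DATA", 0x90: "$INDEX_ROOT",
    0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP", 0xC0: "$REPARSE_POINT",
    0xD0: "$EA_INFORMATION", 0xE0: "$EA", 0x100: "$LOGGED_UTILITY_STREAM",
}
END_MARKER = 0xFFFFFFFF

def walk_attributes(record):
    """Return [(name, is_resident, length)] for each attribute in one FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("bad signature, not a FILE record")
    # 0x14: offset of first attribute, 0x16: flags, 0x18: bytes in use
    first_attr, _flags, used = struct.unpack_from("<HHI", record, 0x14)
    end, off, found = min(used, len(record)), first_attr, []
    while off + 8 <= end:
        attr_type, attr_len = struct.unpack_from("<II", record, off)
        if attr_type == END_MARKER:
            break
        # A zero, unaligned or oversized length means corruption: stop, do not loop.
        if attr_len < 0x18 or attr_len % 8 or off + attr_len > end:
            raise ValueError(f"bad attribute length {attr_len:#x} at {off:#x}")
        name = ATTR_NAMES.get(attr_type, f"unknown {attr_type:#x}")
        found.append((name, record[off + 8] == 0, attr_len))  # byte 8: non-resident flag
        off += attr_len
    return found

def has_attribute_list(record):
    """True when the record carries $ATTRIBUTE_LIST (the attriblist=on case)."""
    return any(name == "$ATTRIBUTE_LIST" for name, _, _ in walk_attributes(record))

def sample_record(attr_types):
    """Constructed 1024-byte FILE record holding empty resident attributes."""
    body = b""
    for t in attr_types:  # 0x18-byte resident header: content length 0 at offset 0x18
        body += struct.pack("<IIBBHHHIHH", t, 0x18, 0, 0, 0x18, 0, 0, 0, 0x18, 0)
    body += struct.pack("<II", END_MARKER, 0)
    hdr = bytearray(0x38)
    hdr[0:4] = b"FILE"
    struct.pack_into("<HHII", hdr, 0x14, 0x38, 0x0001, 0x38 + len(body), 1024)
    return bytes(hdr + body).ljust(1024, b"\0")

if __name__ == "__main__":
    for row in walk_attributes(sample_record([0x10, 0x20, 0x30, 0x80])):
        print(row)
```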
