changelog.txt

Mft2Csv changelog

v2.0.0.51
Fixed bugs that could cause an application crash during the resolving of paths.
Fixed a bug that would cause an application crash with extremely large $MFT's.
Fixed a bug that would cause failed parsing when input was an extracted $MFT file and record 0 contained a non-resident attribute list. A warning is now instead printed about the decode of record 0 being incomplete.

v2.0.0.50
Fixed a bug that caused an app crash on certain corrupt input.
Changes to log2timeline output.

v2.0.0.49
Changed default configuration of unicode to 1.

v2.0.0.48
Fized bug with two uninitialized variables in command line mode.
Fixed a bug with resolved path for deleted items.
Fixed a bug that in some cases caused FilePaths for hard links to be incomplete.

v2.0.0.47
Fixed bug relating to the skipfixup feature.
Added missing mask for directory on file permission decode. 

v2.0.0.46
Fixed minor bug where chosen configuration was not written to the log file.
Fixed minor visual issue where progress bar was not completed at end of parsing.

v2.0.0.45
Fixed a bug where the column headers were missing.
Fixed a bug that caused inconsistent file encoding.
Simplified the handling of file handles and file names.
Removed timestamps from output files in order to simplify and keep only 1 output path timestamp.
Version verified with AutoIt v3.3.16.0.

v2.0.0.44
Added support for large sized clusters (+64k).
Added decode of certain $EA values like $CI.CATALOGHINT.
Added some translation for WOF type $REPARSE_POINT.
Added full decode of $REPARSE_POINT type APPEXECLINK, including a separate output.
Removed duplicated last entry in file mode.
Added missing DT_Datarun field in Mft-schema.sql.
Added full decode of all $DATA attributes to separate output (earlier version covered up to 3).
Changed logic for interpreting header flags (file, folder, deleted etc). Changes in HEADER_Flags field.
Minor changes in decode of file attributes.
Minor changes in the decode of volume info flags.
Fixed wrong permission on sharing in CreateFile with direct access on shadow copies and read-only mounted volumes.
Removal of unused variables and some reshuffling of code for readability.
GUI bugfixes and various improvements.
Moved compiled exe's to release packages.
Changed license to MIT.

v2.0.0.43
Added option to extract slack. Related changes in commandline. see readme.
Added new column for datarun in output ($DATA for files and $I30 for directories).
Added new output for $INDEX_ROOT/$I30, including parsing of slack. 
Fixed a bug with resident extract and overwrite in output with similar names.

v2.0.0.42
Fixed bug in CTimeTest.

v2.0.0.41
Implemented new subdirectory in output directory for all output.
Added decode of $LOGGED_UTILITY_STREAM attribute into 2 new csv files.
Fixed a bug that caused a program crash when running in commandline mode and input file was a single extracted record.
Removed RequireAdmin from program manifest as it is not needed when run on already extracted $MFT, single extracted records or image files.

v2.0.0.40
Added missing reparse tags.
Added complete decode of $REPARSE_POINT attribute into a separate csv.
Added complete decode of $EA attribute into a separate csv.

v2.0.0.39
Moved the import sql files into the new import-sql sub directory so that compilation works with the project as is.

v2.0.0.38
Fixed bug that caused detection of symbolic links to shadow copies to fail under certain situations.

v2.0.0.37
Added separate csv for $ObjectId attribute decodes.
Added break down of GUID/UUID as found in $ObjectId attribute and $O index of $ObjId, according to RFC 4122 (https://www.ietf.org/rfc/rfc4122.txt). That among other things includes timestamp.
Added MySql schema and import sql for Mft-ObjectId-Entries_<timestamp>.csv to MFT_OBJECTID table.

v2.0.0.36
Added automatic postfix of .empty extension on empty csv's.
Added MySql schema and import sql for Mft-Slack-I30-Entries_<timestamp>.csv to MFT_Carved_I30 table.

v2.0.0.35
Added option to specify output directory for all output. Button text changed from "Set Extract Path" to "Set Output Path".
Added information to debug.log when attributes $FILE_NAME and $DATA are not decoded (will only decode first 4 and 3 respectively).
Changed name of main output csv from MftDump_ to Mft_
Added slackspace decoder for Recycle bin's $I files.
Fixed the output csv's of the slack decoder not being written when in commandline mode.
Changed default table name from mft2csv to mft in the database schema.
Slight name change of the output csv's from slack decoder.

v2.0.0.34
Added new feature for scanning record slack space for traces of old $I30 entries ($INDEX_ROOT).

v2.0.0.33
Suppressed background console when launching gui.
Compiled binaries with latest version 3.3.14.2.

v2.0.0.32
Fixed minor bug that caused timestamp precision 2 and timestamp error val not to be re-read at each call to _Main.

v2.0.0.31
Changed file encoding to utf8 with BOM, when unicode configured. The previous ucs2 would not import into MySql.
Added auto generated sql file with correct settings for import of csv.

v2.0.0.30
Added option to specify a second precision separator, to be used as separation between MilliSec and NanoSec.
Added option to specify a custom error value for invalid timestamps, or incorrectly decoded timestamps.
Added 2 sql's for database schema and import of data, along with instructions for how to import the csv into a MySql database.

v2.0.0.29
Fixed bug that caused very large extracted MFT's with size beyond dword to only get parts of it parsed.
Added powershell script to help splitting very large csv's into smaller ones.

v2.0.0.28
Added commandline support.

v2.0.0.27
Fixed incorrect decode of GUID's, relevant for $OBJECT_ID.

v2.0.0.26
Main output csv increased with 4 variables:
Added missing decode of "Quota Charged" in $STANDARD_INFORMATION attribute.
Added missing decode of "EaSize" in $FILE_NAME attribute (for 3 $FILE_NAME attribute).
Fixed bug resolving $FILE_NAME flags in $FILE_NAME attribute 1+.

v2.0.0.25
Fixed bug that missed check for SkipFixups configuration.

v2.0.0.24
Added option to set millisec/precision separator in order to make timestamps Excel friendly.

v2.0.0.23
Fixed an incorrect header name in the bodyfile output from crtime to rtime.

v2.0.0.22
Fixed bug introduced in previous version 2.0.0.21 where clusters to keep across dataruns was incorrect (split MFT records).

v2.0.0.21
Fixed bug when $MFT itself contained an $ATTRIBUTE_LIST. 
Fixed bug with handling records that was split across dataruns. 
Increased initialization size of array for runs and vcns which caused it to crash with extreme fragmentation.

v2.0.0.20
Fixed bug that caused chosen date/time format to always be set to 2.

v2.0.0.19
Fixed incorrectly reported offsets of records.

v2.0.0.18
Added complete support for MFT record size of 4096.

v2.0.0.17
Fixed a unicode related bug that caused the last character to be incorrect when the character was of 2 bytes.

v2.0.0.16
Added unicode support.

v2.0.0.15
Fixed a bug where file paths for certain deleted objects got wrong.

v2.0.0.13
Fixed bug that prevented single records containing $ATTRIBUTE_LIST (Broken $MFT configured) to be decoded.

v2.0.0.12
Added support for parsing $MFT directly from within shadow copies. 
Fixed tiny bug that caused FilePath to have 1 erronous character prefixed for all values.

v2.0.0.11
Fixed bug when handling old NT Style records. 
Added separate variable to indicate the old NT Style recordss, and put a predicted MFT ref into the original MFT record number variable. 
Added options to specify timestamp formats and level of precision. Was added for easier working/sorting of data in spreadsheets. 
Added sample output in gui to show what the timestamp format would look like. All timestamp variables are now split into 3. 1 original, and then 1 core containing the timestamp without precision, and 1 timestamp precision variable conatining only the precision depending on the configuration chosen (None, MilliSec, or MilliSec+NanoSec). 
Added an option to dump these new split timestamp variables to a separate csv, by ticking off the "split csv" option. 
Removed option to set csv, and replaced with a standard one in current directory identified with a timestamp in the csv file name.

v2.0.0.10
Fixed bug when resolving certain filepaths from an extracted MFT file, when MFT had been fragmented. 
Changed default separator to | (pipe), which is invalid for filenames. 
Removed quotes on as default. 
Removed annoying UTC comment information at the top of csv.

v2.0.0.8
Fixed a bug that caused file paths to be resolved incorrectly with certain fragmented MFT's. 
Slightly changed how the header flags are interpreted. 
Added support for accessing \\PhysicalDriveN directly, and thus removed any requirement for having volumes mounted.

v2.0.0.7
Fixed incorrect default value for Bytes Per Cluster when using $MFT file as input (caused some crashes).

v2.0.0.6
Fixed bug when handling attribute lists and broken $MFT file as input.

v2.0.0.5
Added functionality to optionally extract all resident data.

v2.0.0.4
Added functionality to parse broken $MFT. 
Added option to skip fixups.

v2.0.0.3
Fixed crash on certain MFT's with specific invalid records. 
Added option to choose separator, and if surrounding quotes. 
Removed decode of filename attribute number 4, as well as the invalid name variable.

v2.0.0.2
Speed improvement by 30 %. 
Fixed bug where some columns was missing in csv with the All format.

v2.0.0.1
Added support for choosing output format (all/default, log2timeline, bodyfile)

v2.0.0.0
Fixed bug that caused csv to be messed up when there where commas in filename. 
New features include support disk and partition images, live system analysis, logfile writer, nicer gui, paths resolved, option to choose any UTC region.

v1.0.0.10
Fixed old NT style records to reflect the text "NT style" in place of MFT reference.

v1.9
Added decode of hardlinks as specified in the record header. 
Corrected base record to properly reflect 6 bytes, and added new variable as base record sequence number for the last 2 bytes of this 8 byte MFT base reference. 
Fixed the HEADER_LSN and SI_USN to be specified in decimal (consistent views in Excel). 
Fixed missing clearing of 9 global variables.

v1.8
Changed the progress updating to use AdlibRegister, which increase performance.

v1.7
Removed the record slack option as it was not working. 
Fixed compilation issues on recent AutoIt version. 
Fixups was implemented in the previous version I believe.

v1.5
Changed record signature detection to:
46494C45 = GOOD (although FILE is strictly speaking the correct one)
44414142 = BAAD
00000000 = ZERO
all other = UNKNOWN

Added header flag interpretation:
0x9 = FILE+INDEX_SECURITY (ALLOCATED)
0xD = FILE+INDEX_OTHER (ALLOCATED)

Fixed crash on decoding of certain corrupt $MFT, by skipping decode of those records.

v1.4
Fixed a bug in the record signature evaluation. 
Added csv entry for record signature evaluation. 
Added record integrity check by comparing the Update Sequence number to the record page end markers (2 bytes at 2 places). 
Some other cosmetic changes.

v1.3
Added nanoseconds to the datetime variables. 
Changed default datetime format to "YYYY-MM-DD HH:MM:SS:MSMSMS:NSNSNSNS". 
MSecTest changed to evaluate the last 7 digits (msec + nsec). 64-bit support.

v1.2
Fixed timestamps where a 0 was erronously put in before the milliseconds. 
Modified version Ascend4nt's (_WinTimeFunctions1.au3) UDF is attached (where the error originated from). 
Also added an option to choose before processing whether to set timestamps in UTC or local time.

v1.1
Fixed a mixup of ContinueLoop with ContinueCase in the main record processing loop. The error lead to an infinite loop when ADS was more than 3 or $FILE_NAME more than 4 per file. 
Added a new variable to the csv as the file size (FileSizeBytes). Basically it is the $DATA size, but I thought it was better to have the file size put into one place instead of spread across two (resident vs non-resident). This is only for the first $DATA attribute.