-
Notifications
You must be signed in to change notification settings - Fork 30
/
usage.txt
172 lines (152 loc) · 7.97 KB
/
usage.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
Main Wiki: https://github.com/jschicht/Mft2Csv/wiki/Mft2Csv
Usage scenarios:
For all scenarios, one must:
Select the output format. Default is set to dump as much as possible.
Select the separator, and wether quotation mark is to be surrounding the written values in the csv. Default separator is pipe ("|").
Select which timezone the timestamps should be dumped to. Default is UTC 0.00.
Select if fixups should be skipped or not. Default to off. Usually only applicable in very specific situations.
Select if $MFT should be treated as broken. Default to off. Only applicable when using $MFT file as input. Should be used when fragments of $MFT is used and $MFT is not in the first record.
Select if record slack should be scanned for older older $I30 entries.
Select if resident data or slack should be extracted. Default to off.
Select format of decoded timestamps, as well as the precision (None, MilliSec, NanoSec), and millisec/precision separator. Examples are displayed in GUI. Choose if extra timestamps are to be dumped to a seperate csv by ticking off "split csv".
A second precision seperator can also be configured to split MilliSec and NanoSec. The default is empty, that is no separation.
Select a custom error value for timestamps. The default one is compatible for import into MySql.
1. Parsing $MFT on the systemdrive from your running live system.
Detected NTFS volumes will be displayed in the second combobox from the top. If new drive is attached or mounted, click "Rescan Mounted Drives". Select target volume in the second combo.
Configure the stuff mentioned at the top.
Press "Start Processing".
2. Parsing $MFT off a volume on \\.\PhysicalDrive1 which is not mounted.
Check the dropdown in the first combo. Normally you should at least have PhysicalDrive0 in there. Optionally rescan for attached drives by clicking "Scan PhysicalDrive".
Select wanted drive in first combo. Then click "Test it". Found volumes will be populated in the second combo, and temporarily replace the mounted volumes.
When correct one chosen, confiure the rest of the necessary stuff like already explained.
Press "Start Processing".
3. Parsing an image file (of disk or partition).
Press "Choose Image" and browse to the target image.
Identified volumes will be populated into the combobox at the top. Select the target volume.
Configure the stuff mentioned at the top.
Press "Start Processing".
4. Parsing an already extracted $MFT.
Press "Choose $MFT" and browse to the target $MFT.
Configure the stuff mentioned at the top.
Press "Start Processing".
5. Parse an $MFT reconstructed from a memory dump.
Run MFTCarver on the memory dump file, and output a pseudo $MFT file.
Press "Choose $MFT" and browse to the file you just created.
Configure the stuff mentioned at the top.
Configure "Skip Fixups" according to what type of file MftCarver output.
Configure "Broken $MFT".
Press "Start Processing".
6. Extract resident data from a memory dump
Do as in example 4.
But also configure "Extract Resident". Then press "Set Extract Path" and browse to and select target output path.
Press "Start Processing".
7. Parsing $MFT directly from a shadow copy.
Press the button "Scan Shadows", and watch any found shadow copies in the top combo/drop down. Press the button "Test it" to verify it, and found volumes will be populated in the second combo, and temporarily replace the mounted volumes.
When correct one chosen, confiure the rest of the necessary stuff like already explained.
Press "Start Processing".
8. Parse a single record. Copy the record with a hex editor or use MftRcrd with the -w switch.
Press "Choose $MFT" and browse to the file you just created.
Configure the stuff mentioned at the top.
Configure "Broken $MFT".
Press "Start Processing".
Note about extracted resident data
The extracted files must obviously have the nonresident flag set to 00. Regular files and alternate data streams are supported. These can be up to about 700 bytes in size. They are extracted to their original name, but no folder structure is regenerated. To reduce the risk of overwriting files with similar filenames and to help identify where in the $MFT the file was extracted from, the $MFT offset will be prefixed to the filename like for instance:
[0x00228000]import.reg
Any deleted files will be prefixed with [DEL] like this:
[0x00228000][DEL]import.reg
Alternate data steams will have the name of the data stream prefixed with ADS_ and attached behind the original filename like:
[0x00228400][DEL]import.reg[ADS_Zone.Identifier]
Command line use
If no parameters are supplied, the GUI will by default launch. Valid switches are:
Switches:
/Volume:
Target volume in the form of c: (only Volume or MftFile should be used, not both).
/MftFile:
Input MFT file extracted (only Volume or MftFile should be used, not both)
/ExtractResidentData:
Boolean value for extracting resident data. Default is 0. Can be 0 or 1.
/ExtractResidentSlack:
Boolean value for extracting resident slack. Default is 0. Can be 0 or 1.
/OutputPath:
The output path to write all output to. Defaults to program directory.
/TimeZone:
A string value for the timezone. See notes further down for valid values.
/OutputFormat:
The output format of csv. Valid values can be l2t, BodyFile, all.
/BrokenMft:
Boolean value for handling MFT's with bad format. Default is 0. Can be 0 or 1.
/SkipFixups:
Boolean value to skip fixups. Primarily used with memory dumps. Default is 0. Can be 0 or 1.
/ScanSlack:
Boolean value for scanning record slack space for older $I30 entries ($INDEX_ROOT). Default is 0. Can be 0 or 1.
/Separator:
The separator to use in the csv. Default is |
/QuotationMark:
Boolean value for surrounding values in csv with quotes. Default is 0. Can be 0 or 1.
/Unicode:
Boolean value for decoding unicode strings. Default is 1. Can be 0 or 1.
/TSFormat:
An integer from 1 - 6 for specifying the timestamp format. Start the gui to see what they mean. Default is 6.
/TSPrecision:
What precision to use in the timestamp. Valid values are None, MilliSec and NanoSec. Default is NanoSec.
/TSPrecisionSeparator:
The separator to put in the separation of the precision. Default is ".". Start the gui to see what it means.
/TSPrecisionSeparator2:
The separator to put in between MilliSec and NanoSec in the precision of timestamp. Default is empty/nothing. Start the gui to see what it means.
/TSErrorVal:
A custom error value to put with errors in timestamp decode. Default value is '0000-00-00 00:00:00', which is compatible with MySql, and represents and invalid timestamp value for NTFS.
/SplitCsv:
Boolean value for specifying if csv is to be split. Default is 0. Can be 0 or 1.
/RecordSize:
The size of the MFT records. Valid values are 1024 and 4096. Default is 1024.
The available TimeZone's to use are:
-12.00
-11.00
-10.00
-9.30
-9.00
-8.00
-7.00
-6.00
-5.00
-4.30
-4.00
-3.30
-3.00
-2.00
-1.00
0.00
1.00
2.00
3.00
3.30
4.00
4.30
5.00
5.30
5.45
6.00
6.30
7.00
8.00
8.45
9.00
9.30
10.00
10.30
11.00
11.30
12.00
12.45
13.00
14.00
Examples:
Mft2Csv.exe /MftFile:c:\temp\$MFT /TimeZone:2.00 /RecordSize:4096 /ExtractResidentData:1 /TSFormat:1 /TSPrecision:MilliSec /Unicode:1 /ScanSlack:1
Mft2Csv.exe /MftFile:c:\temp\$MFT /TimeZone:2.00 /RecordSize:4096 /ExtractResidentData:1 /ExtractResidentSlack:1 /TSFormat:1 /TSPrecision:MilliSec /Unicode:1 /ScanSlack:1
Mft2Csv.exe /MftFile:c:\temp\$MFT /TimeZone:-10.00 /RecordSize:4096 /ExtractResident:1 /TSFormat:4 /TSPrecision:NanoSec /Unicode:1
Mft2Csv.exe /Volume:e: /TimeZone:3.00 /RecordSize:4096 /TSFormat:1 /TSPrecision:MilliSec
Mft2Csv.exe /Volume:e: /TSFormat:2 /TSPrecision:None
Mft2Csv.exe /MftFile:c:\temp\$MFT /ExtractResident:1 /OutputPath:c:\temp\MftOutput
Mft2Csv.exe /MftFile:c:\temp\$MFT /TSPrecision:NanoSec /ScanSlack:1 /OutputPath:c:\temp\MftOutput
Mft2Csv.exe /MftFile:c:\temp\Record_c_67.bin
Last example is a basic that uses common defaults that work out just fine in most cases. Also compatible with MySql imports.