Expanding your Toolkit: MFTAnalyzer

MFT Analysis tool written by me!

Posted by CyberYom on February 24, 2024

Howdy all! It's been quite a while since I've been on here… so sorry about that, but I bring some exciting updates! This post will be about a new tool called MFTAnalyzer. MFTAnalyzer is a command line tool built to parse an NTFS $MFT file, and it was actually written by me!

If you want to download a copy of the tool and follow along with me during this post, feel free to download the tool here!

More about the Tool!

This tool was born out of issues I had with a few of the MFT tools I currently use, mostly that they wouldn't let me search for an MFT entry by file name. This mattered to me because I was working on a case where I was told that certain files would be on a system, but I was unable to locate them. Because the $MFT is a viable source for proving a file's existence, I thought it would be valuable to have a tool that can search for files by file name, and perhaps even return the path.

As I started developing the tool, I found myself adding more and more features, all of which have caused me to switch to this tool solely for MFT analysis. This post will go over all of those features and how to use the tool.

First Run

Once you've downloaded the tool, you can run it with no flags set to get a little introduction, as well as a pointer to the -h flag.

To view the tool's options, pass the -h flag, as mentioned above. This tool has 3 main flags that can be passed, one of which is a bit special.

Note: the ASCII art is cut out.

Basic Utilities

To simply run the tool, as mentioned, pass an $MFT file to it with no flags. This will parse the entire MFT file and build tables with the relevant information for each entry and for each attribute type in the entry. This is similar to how templates in tools such as X-Ways or 010 Editor look.

The tool will create tables for every entry in the MFT, as well as for every attribute detected in that entry. The last line returned by the program is the number of MFT entries parsed by the tool. In this case, it was 76.

On top of this, you can search for specific file entries using either the file name or the MFT entry number of the entry. For example, if I ran mftanalyzer.exe $MFT -sn FILENAME, it would show me the entry for the file named FILENAME. If I ran mftanalyzer.exe $MFT -sm 41, it would show me the entry for the file with MFT entry number 41.

Advanced Utilities

This tool's shining light is the --shell flag. When this flag is passed, the tool will reconstruct the filesystem from the MFT entries and give you a shell on it, with multiple commands at your disposal.

Upon passing the help command, we can see that in the shell we have 8 commands available: help, ls, cat, find, tree, tree-all, dump, and clear. We already know help, so let's start by looking at ls.

Because we are in a shell on the system, if we run ls on a directory we know is on the system, we can view the files in that directory, along with the MFT entry number of each file in the directory.

The cat command will show the file entry for the file passed to cat. In this case, cat names.txt will display the MFT entry for names.txt.

The next command we can use is the find command. This command works similarly to how it does on Linux systems: if you type find FILENAME, it will return the path to the file searched for.

Tree and tree-all are very similar to each other. Tree will display the file tree of a directory and its subdirectories, so if you pass tree DIRECTORY, it will list the file tree from there, including all subdirectories. Tree-all will show the file structure for the entire disk.

The last command, other than clear, which clears the screen, is the dump command. The dump command is specifically useful for file carving purposes. Depending on whether the file passed to dump is resident or non-resident, it will either carve the contents of the file directly from the MFT file, or it will provide the relevant information contained in the MFT entry that is needed to carve the file.

Example of dumping a non-resident file.

Example of dumping a resident file.
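To make the resident/non-resident decision behind dump (and the name lookup behind -sn) concrete, here is an added illustration in Python; it is not MFTAnalyzer's own code, and the function names are my own. It walks one 1024-byte FILE record's attribute list, reads the name and parent reference from $FILE_NAME, and returns resident $DATA content directly while, for non-resident $DATA, it only records where the run list sits in the record. The record it parses is a constructed sample, not bytes from a real disk image.

```python
import struct

FILE_NAME, DATA = 0x30, 0x80          # NTFS attribute type codes

def parse_record(rec):
    """Walk the attribute list of one 1024-byte FILE record (NTFS 3.1 layout)."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    entry = struct.unpack_from("<I", rec, 0x2C)[0]
    out = {"entry": entry, "in_use": bool(flags & 1), "attrs": []}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:        # end-of-attributes marker
            break
        attr = {"type": atype, "resident": rec[off + 8] == 0}
        if attr["resident"]:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
            if atype == FILE_NAME:      # parent ref (48-bit entry no.) + UTF-16 name
                attr["parent"] = struct.unpack_from("<Q", content)[0] & 0xFFFFFFFFFFFF
                attr["name"] = content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le")
            elif atype == DATA:         # resident $DATA: the file's bytes live in the MFT
                attr["content"] = content
        else:                           # non-resident: only the run list is in the MFT
            attr["runlist_off"] = off + struct.unpack_from("<H", rec, off + 0x20)[0]
        out["attrs"].append(attr)
        off += alen
    return out

def find_by_name(records, name):
    """Search like the tool's -sn flag: entry numbers whose $FILE_NAME matches."""
    parsed = (parse_record(r) for r in records)
    return [p["entry"] for p in parsed if any(a.get("name") == name for a in p["attrs"])]

def build_record(entry, name, parent, data):
    """Constructed sample FILE record for testing; not taken from a real disk image."""
    def attr(atype, content):           # resident attribute, content at offset 0x18
        hdr = struct.pack("<IIBBHHHIHBB", atype, 0, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0)
        body = hdr + content
        body += b"\0" * (-len(body) % 8)            # attributes are 8-byte aligned
        return body[:4] + struct.pack("<I", len(body)) + body[8:]
    fn = struct.pack("<Q", parent) + bytes(0x38) + bytes([len(name), 0]) + name.encode("utf-16-le")
    hdr = bytearray(0x38)
    hdr[:4] = b"FILE"
    struct.pack_into("<HH", hdr, 0x14, 0x38, 1)      # first-attribute offset, in-use flag
    struct.pack_into("<I", hdr, 0x2C, entry)
    attrs = attr(FILE_NAME, fn) + attr(DATA, data) + struct.pack("<I", 0xFFFFFFFF)
    return bytes(hdr) + attrs.ljust(1024 - 0x38, b"\0")
```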

Next Steps

Now, this tool's processing logic and accuracy have been verified and it is ready for use! As mentioned at the beginning of the blog, it can be downloaded here, on my GitHub! That being said, its main hindrance at the moment is speed. This tool was written in Python, and it gets really slow with larger MFT files. This is currently being worked on, so keep an eye on the repo for more releases of the tool!