Velocidex / go-ntfs

An NTFS file parser in Go
Apache License 2.0

Request for Example: Directly Reading and Parsing Filenames from $MFT File without Copying #85

Closed hkhk368 closed 9 months ago

hkhk368 commented 9 months ago

@scudette Thank you for sharing the code of this library. As a newbie to MFT, could you write an example? I would greatly appreciate it if you could read the $MFT file directly without copying it, and then parse out the file name, file size, modified time of each file.

scudette commented 9 months ago

See the example code here https://github.com/Velocidex/go-ntfs/blob/33eadbbaf1f20b4d578b59e2d19279088cc71993/bin/mft.go#L48

This program has all the options to demonstrate how to use the library to list files, read streams etc. The other files in this directory contain many more example functions.

hkhk368 commented 9 months ago

@scudette

Thank you very much for your prompt reply, it was very helpful. I have another question that I'd like to ask, and I'd be very grateful if you could answer it.

I used the MFT dump tool (This dump tool is provided by another library, and I am not yet clear on how the go-ntfs library dumps the MFT file of a disk.) to dump the MFT of a Z drive, and then I ran the file bin\main.go with the parameter mft --file 20231201T024827Z-Z-MFT.bin.

This successfully listed all the file information on the Z drive, but this method still requires a dump and then parsing. I still don't understand how to read and parse Z:/$MFT directly without dumping. Could you give me a specific example? How should I parse all the filenames on the Z drive directly without dumping? I would be very grateful for your help in answering this question.

scudette commented 9 months ago

You can dump $MFT directly using the ntfs.exe cat command but this is not as good as opening it from the image directly because it makes it impossible to string together the full path by walking the mft entries in reverse.

We mostly use this library inside Velociraptor so you can also look at that code: https://github.com/Velocidex/velociraptor/blob/f143b88ee50f5cf14ff55a4916e24143fe61b8a6/vql/parsers/ntfs.go

I added support to the mft code to be able to open the live drive instead of from an image in #86 so you can now just run directly on \\.\c:

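What the library does for each $MFT entry to answer the question above, written out by hand as an added example (this is not go-ntfs or Velociraptor code): it walks the attribute list of one raw 1024-byte FILE record, such as a record carved out of the $MFT dump mentioned earlier, and returns the filename, real size and modified time from its $FILE_NAME attribute. Offsets follow the on-disk NTFS FILE record layout; the record is read from stdin, and every offset is bounds-checked so a truncated or corrupt entry produces an error rather than a crash.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
	"os"
	"time"
	"unicode/utf16"
)

// ParseFileName walks one FILE record's attribute list and decodes the resident $FILE_NAME
// (0x30) attribute into name, real size and modified time; every offset is bounds-checked.
func ParseFileName(rec []byte) (name string, size uint64, mtime time.Time, err error) {
	le := binary.LittleEndian
	if len(rec) < 0x18 || string(rec[:4]) != "FILE" {
		return "", 0, mtime, fmt.Errorf("not a FILE record")
	}
	for off := int(le.Uint16(rec[0x14:])); off+0x18 <= len(rec); {
		typ, length := le.Uint32(rec[off:]), int(le.Uint32(rec[off+4:]))
		if typ == 0xFFFFFFFF || length < 0x18 || off+length > len(rec) {
			break // end-of-attributes marker, or a corrupt length we refuse to follow
		}
		if typ == 0x30 && rec[off+8] == 0 { // resident $FILE_NAME
			n, c := int(le.Uint32(rec[off+0x10:])), off+int(le.Uint16(rec[off+0x14:]))
			if n < 0x42 || c+n > len(rec) || 0x42+2*int(rec[c+0x40]) > n {
				return "", 0, mtime, fmt.Errorf("corrupt $FILE_NAME body at 0x%x", c)
			}
			u := make([]uint16, rec[c+0x40]) // UTF-16LE name; length in characters at 0x40
			for i := range u {
				u[i] = le.Uint16(rec[c+0x42+2*i:])
			}
			t := int64(le.Uint64(rec[c+0x10:])) - 116444736000000000 // FILETIME ticks 1601 -> 1970
			return string(utf16.Decode(u)), le.Uint64(rec[c+0x30:]), time.Unix(t/1e7, t%1e7*100).UTC(), nil
		}
		off += length
	}
	return "", 0, mtime, fmt.Errorf("no $FILE_NAME attribute")
}

// main parses one raw FILE record from stdin, e.g. a 1024-byte chunk cut out of an $MFT dump.
func main() {
	rec, err := io.ReadAll(os.Stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(ParseFileName(rec))
}
```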