Closed dllaboss closed 5 years ago
Hi @dllaboss! Thanks for checking this out.
So the first 16 (0-15) entries in the MFT are the reserved entries and are parsed correctly.
From what I've looked at those missing ones (16-23) are just a bunch of zeroes (MFT can have zeroed entries).
So mft_dump just skips those, since there is no point in trying to interpret zeroes as valid data.
I'm really uncertain what TZWorks' parser is up to here (since they seem to report there being some data there, which is quite strange).
Is there anything else you think that is missing?
(BTW, I'm adding the ability to dump specific entry ranges (e.g. mft_dump -o csv -r 1-15,30-35 MFT) to facilitate these types of comparisons #9).
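The skip the maintainer describes, as an added example that is not part of mft_dump or TZWorks' code: a minimal record-slot scanner that distinguishes zeroed slots from FILE records and reports which entry IDs a dump would not list. It assumes 1 KiB MFT records and builds its own constructed sample MFT.

```python
import struct

RECORD_SIZE = 1024  # assumption: 1 KiB MFT records, the usual NTFS default

def classify_record(rec: bytes) -> str:
    """Decide, for one raw record slot, whether there is anything to interpret."""
    if len(rec) < 0x30:
        return "truncated"
    if rec == b"\x00" * len(rec):
        return "zeroed"          # no signature, no header: nothing to parse, so skipped
    sig = rec[0:4]
    if sig == b"BAAD":
        return "baad"            # marked bad by chkdsk; header not trustworthy
    if sig != b"FILE":
        return "unknown"
    flags = struct.unpack_from("<H", rec, 0x16)[0]   # record flags live at offset 0x16
    return "in_use" if flags & 0x0001 else "free"   # bit 0 = record in use

def scan_mft(data: bytes):
    """Yield (entry_id, classification) for every slot, skipped ones included."""
    for entry_id in range(len(data) // RECORD_SIZE):
        rec = data[entry_id * RECORD_SIZE:(entry_id + 1) * RECORD_SIZE]
        yield entry_id, classify_record(rec)

def emitted_entries(data: bytes):
    """Entry IDs a dump tool would output: real FILE records, in use or not."""
    return [i for i, kind in scan_mft(data) if kind in ("in_use", "free")]

def skipped_ranges(data: bytes):
    """Contiguous runs of entry IDs that carry no parsable record (the '16-23' gap)."""
    ranges = []
    for i, kind in scan_mft(data):
        if kind in ("in_use", "free"):
            continue
        if ranges and ranges[-1][1] == i - 1:
            ranges[-1] = (ranges[-1][0], i)
        else:
            ranges.append((i, i))
    return ranges

def make_file_record(in_use: bool = True) -> bytes:
    # constructed: minimal FILE header with update-sequence offset and flags set
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x04, 0x30)                  # update sequence offset
    struct.pack_into("<H", rec, 0x16, 0x0001 if in_use else 0)
    return bytes(rec)

# constructed sample: four live records, two zeroed slots, one freed record
SAMPLE_MFT = b"".join([make_file_record()] * 4
                      + [bytes(RECORD_SIZE)] * 2
                      + [make_file_record(in_use=False)])
```

Running the scanner over a real $MFT export and comparing skipped_ranges() with the gaps in two tools' CSVs shows whether a "missing" entry is a zeroed slot or a record one parser dropped.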
When comparing and contrasting the results of MFT Dump vs TZWorks' NTFSWalk64, I noticed there are missing MFT entries.
I ran MFT Dump on the MFT provided in your repo with the following syntax: mft_dump.exe -o csv -f "C:\Users\\Desktop\MFT_Testing\Test1\mftdump_test1.csv" .\MFT
The resulting CSV lists "EntryID" 0-15 then skips to 24. Where are 16-23?
When comparing this to TZWorks' CSV (tz_test.xlsx), I noticed TZWorks parsed 13,809 records, deduped to 13,074 while MFT Dump parsed 13,068, deduped to 13,053.
Can you assist me with understanding this missing data, if it is missing at all?
Thank you, D