rowingdude / analyzeMFT

MIT License

analyzeMFT.py version 2.0.5 "Keyerror: 'soff' #12

Closed TobalJackson closed 10 years ago

TobalJackson commented 10 years ago

Hello there, I'm trying to make use of this tool, but I keep encountering the error:

```
helpdesk@helpdesk-desktop:~/research/mft_test_1$ analyzeMFT.py -f ./mft2.bin -o ./mft2_analyzed.csv
Traceback (most recent call last):
  File "/usr/local/bin/analyzeMFT.py", line 13, in <module>
    session.process_mft_file()
  File "/usr/local/lib/python2.7/dist-packages/analyzemft/mftsession.py", line 164, in process_mft_file
    self.build_filepaths()
  File "/usr/local/lib/python2.7/dist-packages/analyzemft/mftsession.py", line 238, in build_filepaths
    record = mft.parse_record(raw_record, self.options)
  File "/usr/local/lib/python2.7/dist-packages/analyzemft/mft.py", line 118, in parse_record
    DataRecord = decodeDataRecord(raw_record[read_ptr+ATRrecord['soff']:])
KeyError: 'soff'
```

I've tried on 3 different NTFS-extracted MFTs, using the command:

```
icat -v -o 62 /dev/sdh 0 > mft2.bin
```

on an NTFS formatted drive with mmls output of:

```
     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000061   0000000062   Unallocated
02:  00:00   0000000062   0000501455   0000501394   NTFS (0x07)
03:  -----   0000501456   0000501759   0000000304   Unallocated
```

I've uploaded the mft that i'm trying to analyze here: https://mega.co.nz/#!XYUmmIZT!fJsKXgBe4feejBSe1MH_LjO9FeFy8jD8tp4vc9Uw3U4

please let me know if my problem has to do with how I'm saving the MFT or if there is a bug in the program.

Thank you for all your hard work!

dkovar commented 10 years ago

I suspect you've got a corrupted MFT but I'm happy to check. Could you send me a copy of the MFT? Thanks.

TobalJackson commented 10 years ago

I've linked in my post the file at mega, but otherwise where should I send it? I can't seem to find an email address for you. I'm relatively new to GitHub as well, so I may be missing another obvious way to send the file. Additionally, I've tried on 3 different NTFS formatted drives, even preparing a "fresh" one for testing this tool on, and no dice. Should I be pulling the MFT using icat -o [fs offset] 0 > mft.bin ? Or is there another preferred method for extracting the MFT from a device/image?

dkovar commented 10 years ago

Greetings,

Yea, I'm not sure what the correct GitHub way to do this is either ....

Use my profile name @gmail.com.

I've not used TSK for extracting MFTs. I should go figure that out....

-David

williballenthin commented 10 years ago

Seems that if the data is non-resident, then the soff field is never set. So it doesn't make sense to try to fetch the data on line 118. I suspect this issue may crop up around other attribute types that also use the 'soff' field (SI, AttrList, FN, ObjId, and Volume Information).
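
The resident/non-resident split behind this bug, as an added worked example (this is illustration code written for this page, not analyzeMFT's own parser). The header layout follows the NTFS on-disk attribute format; the dictionary keys `soff` and `ssize` are borrowed from the names in the traceback above, while every other name, the length sanity checks and the sample bytes are my own constructions. The point it shows: the resident content offset only exists in the 0x18-byte resident header, so a parser must branch on the non-resident flag at byte 0x08 before ever looking for it, and a non-resident attribute's payload has to be located through its data runs instead.

```python
import struct

END_OF_ATTRIBUTES = 0xFFFFFFFF
ATTR_DATA = 0x80


def decode_data_runs(buf):
    """Decode an NTFS data-run list into (lcn, clusters) tuples.

    Each run starts with a header byte: low nibble = size of the length field,
    high nibble = size of the signed LCN delta (relative to the previous run).
    A zero-size delta marks a sparse run, reported here with lcn=None.
    """
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:
        hdr = buf[pos]
        pos += 1
        len_sz, off_sz = hdr & 0x0F, hdr >> 4
        run_len = int.from_bytes(buf[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz:
            lcn += int.from_bytes(buf[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
            runs.append((lcn, run_len))
        else:
            runs.append((None, run_len))
    return runs


def parse_attribute(raw, off=0):
    """Parse one attribute header at raw[off:]. Only resident attributes get 'soff'/'ssize'."""
    atype, alen, nonres, name_len, name_off, flags, attr_id = struct.unpack_from(
        "<IIBBHHH", raw, off)
    attr = {"type": atype, "len": alen, "res": nonres == 0, "flags": flags, "id": attr_id}
    if name_len:
        attr["name"] = raw[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
    if nonres == 0:
        if alen < 0x18:
            raise ValueError("resident attribute header too short at %#x" % off)
        ssize, soff, idxflag = struct.unpack_from("<IHB", raw, off + 0x10)
        if soff + ssize > alen:  # corrupt record: content would run past the attribute
            raise ValueError("resident content runs past attribute end at %#x" % off)
        attr.update(ssize=ssize, soff=soff, idxflag=idxflag)
    else:
        if alen < 0x40:
            raise ValueError("non-resident attribute header too short at %#x" % off)
        (start_vcn, last_vcn, run_off, cunit, _pad,
         alloc, real, init) = struct.unpack_from("<QQHHIQQQ", raw, off + 0x10)
        attr.update(start_vcn=start_vcn, last_vcn=last_vcn, comp_unit=cunit,
                    alloc_size=alloc, real_size=real, init_size=init,
                    runs=decode_data_runs(raw[off + run_off:off + alen]))
    return attr


def resident_content(attr, raw, off=0):
    """Return the in-record bytes of a resident attribute.

    Refusing non-resident attributes up front is the fix for the KeyError in
    the traceback: there is no 'soff' to read, the content lives in clusters.
    """
    if not attr["res"]:
        raise ValueError("attribute type %#x is non-resident; content is in data runs, "
                         "not in the MFT record" % attr["type"])
    start = off + attr["soff"]
    return raw[start:start + attr["ssize"]]


def parse_attributes(record, off=0):
    """Yield every attribute in an MFT record body up to the 0xFFFFFFFF end marker."""
    while off + 4 <= len(record):
        if struct.unpack_from("<I", record, off)[0] == END_OF_ATTRIBUTES:
            return
        attr = parse_attribute(record, off)
        attr["offset"] = off
        yield attr
        if attr["len"] == 0 or attr["len"] % 8:  # lengths are 8-byte aligned; else corrupt
            raise ValueError("bad attribute length at %#x" % off)
        off += attr["len"]


# --- constructed sample data (hypothetical, not taken from a real volume) ---
def build_resident(attr_type, content):
    body = content + b"\x00" * (-len(content) % 8)
    hdr = struct.pack("<IIBBHHH", attr_type, 0x18 + len(body), 0, 0, 0x18, 0, 0)
    hdr += struct.pack("<IHBB", len(content), 0x18, 0, 0)  # ssize, soff, idxflag, pad
    return hdr + body


def build_nonresident(attr_type, runlist, real_size, cluster=4096):
    body = runlist + b"\x00" * (-len(runlist) % 8)
    clusters = sum(n for _, n in decode_data_runs(runlist))
    hdr = struct.pack("<IIBBHHH", attr_type, 0x40 + len(body), 1, 0, 0x40, 0, 0)
    hdr += struct.pack("<QQHHIQQQ", 0, clusters - 1, 0x40, 0, 0,
                       clusters * cluster, real_size, real_size)
    return hdr + body


RESIDENT_DATA = build_resident(ATTR_DATA, b"small file body")
# one run of 8 clusters starting at LCN 0x432 (header 0x21: 1-byte length, 2-byte offset)
NONRESIDENT_DATA = build_nonresident(ATTR_DATA, bytes([0x21, 0x08, 0x32, 0x04, 0x00]), 30000)
SAMPLE_RECORD = RESIDENT_DATA + NONRESIDENT_DATA + struct.pack("<I", END_OF_ATTRIBUTES)

if __name__ == "__main__":
    for a in parse_attributes(SAMPLE_RECORD):
        if a["res"]:
            print("resident     type %#x: %r" % (a["type"], resident_content(a, SAMPLE_RECORD, a["offset"])))
        else:
            print("non-resident type %#x: %d bytes in runs %s" % (a["type"], a["real_size"], a["runs"]))
```

The same `res` branch applies to every attribute type the comment above lists, not just $DATA: $STANDARD_INFORMATION and $FILE_NAME are in practice always resident, but $ATTRIBUTE_LIST in particular is frequently non-resident on heavily fragmented files, so any code that indexes `ATRrecord['soff']` unconditionally will eventually hit a record where the key does not exist. The length and bounds checks are there because a truncated or corrupted $MFT extraction (one of the first suspicions in this thread) otherwise surfaces as an unhelpful struct error deep in the parser.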

TobalJackson commented 10 years ago

Does this mean that right now the tool will only work if the files accounted for in the MFT are resident data (i.e. less than 1024 bytes)?

dkovar commented 10 years ago

The current version of analyzeMFT runs without error on the MFT that you sent to me.

It does not currently do anything with a variety of attributes, or with non-resident data. For example, it does not detect ADS files as it doesn't do anything with $DATA. That is high on my to-do list.

dkovar commented 10 years ago

@williballenthin I concur. Just ran into that while parsing $DATA that is non-resident in pursuit of ADS.

dkovar commented 10 years ago

Resolved. Handling non-resident data better, and found a bad version pushed out to Pypi.