Corrupt MFT

[Thecondienator]

I have tried running this on many different files, and always get "Corrupt MFT Record" and similar results. Any idea why?

Thanks in advance.

[dkovar]

Greetings,

This usually indicates that the MFT was not extracted correctly. How are you getting the MFT file out of the image?

-David

On Tue, Feb 25, 2014 at 4:29 PM, Thecondienator notifications@github.comwrote:

I have tried running this on many different files, and always get "Corrupt MFT Record" and similar results. Any idea why?

Thanks in advance.

Reply to this email directly or view it on GitHubhttps://github.com/dkovar/analyzeMFT/issues/19 .

[Thecondienator]

Oh, my apologies. We misunderstood what your program does, we thought that it also extracted the MFT for us.

How do you suggest extracting the MFT? We did not see it in your README, but we apologize if we missed it.

Thanks

[Pballen]

I've used the NTFS file extractor that's part of mft2csv to great success.

[dkovar]

Greetings,

Peter's approach is quite sound. If you want an application, FTK Imager will work, as will any of the normal forensics suites.

-David

On Tue, Feb 25, 2014 at 8:37 PM, Peter Ballen notifications@github.comwrote:

I've used the NTFS file extractor that's part of mft2csv to great success.

Reply to this email directly or view it on GitHubhttps://github.com/dkovar/analyzeMFT/issues/19#issuecomment-36084896 .

[Thecondienator]

Thanks for your help! We have updated your code so that it outputs the dates in a format that is recognized by Excel. How do we propose these changes to be integrated to your repo?

I apologize for the noob question, we're very new to GitHub :(

[dkovar]

Greetings,

If you'd like, you could just send me the modified file and I'll figure out what changed. Or, you could send me a diff of the files.

-David

On Thu, Mar 13, 2014 at 12:48 PM, Thecondienator notifications@github.comwrote:

Thanks for your help! We have updated your code so that it outputs the dates in a format that is recognized by Excel. How do we propose these changes to be integrated to your repo?

I apologize for the noob question, we're very new to GitHub :(

Reply to this email directly or view it on GitHubhttps://github.com/dkovar/analyzeMFT/issues/19#issuecomment-37563867 .

[Thecondienator]

David,

The following file shows the changes we made, as well as a brief explanation. Let us know if you have different results, and we may be able to make further changes.

~Brice

On Thu, Mar 13, 2014 at 11:50 AM, dkovar notifications@github.com wrote:

Greetings,

If you'd like, you could just send me the modified file and I'll figure out what changed. Or, you could send me a diff of the files.

-David

On Thu, Mar 13, 2014 at 12:48 PM, Thecondienator notifications@github.comwrote:

Thanks for your help! We have updated your code so that it outputs the dates in a format that is recognized by Excel. How do we propose these changes to be integrated to your repo?

I apologize for the noob question, we're very new to GitHub :(

Reply to this email directly or view it on GitHub< https://github.com/dkovar/analyzeMFT/issues/19#issuecomment-37563867>

.

Reply to this email directly or view it on GitHubhttps://github.com/dkovar/analyzeMFT/issues/19#issuecomment-37564258 .

Greetings! We changed the following code in mft.py:

    if record['fncnt'] > 0 and 'si' in record:
            #filenameBuffer = [FNrecord['name'], str(record['si']['crtime'].dtstr),
            filenameBuffer = [record['filename'], str(record['si']['crtime'].dtstr),
                       record['si']['mtime'].dtstr, record['si']['atime'].dtstr, record['si']['ctime'].dtstr,
                       record['fn',0]['crtime'].dtstr, record['fn',0]['mtime'].dtstr,
                       record['fn',0]['atime'].dtstr, record['fn',0]['ctime'].dtstr]
        elif 'si' in record:
            filenameBuffer = ['NoFNRecord', str(record['si']['crtime'].dtstr),
                       record['si']['mtime'].dtstr, record['si']['atime'].dtstr, record['si']['ctime'].dtstr,
                       'NoFNRecord', 'NoFNRecord', 'NoFNRecord','NoFNRecord']
        else:
            filenameBuffer = ['NoFNRecord', 'NoSIRecord', 'NoSIRecord', 'NoSIRecord', 'NoSIRecord',
                       'NoFNRecord', 'NoFNRecord', 'NoFNRecord','NoFNRecord']

        csv_string.extend(filenameBuffer)

to:

    if record['fncnt'] > 0 and 'si' in record:
            #filenameBuffer = [FNrecord['name'], str(record['si']['crtime'].dtstr),
            filenameBuffer = [record['filename'], 
                                str('=\"'+record['si']['crtime'].dtstr+'\"'),
                                '=\"'+record['si']['mtime'].dtstr+'\"', 
                                '=\"'+record['si']['atime'].dtstr+'\"', 
                                '=\"'+record['si']['ctime'].dtstr+'\"',
                                '=\"'+record['fn',0]['crtime'].dtstr+'\"', 
                                '=\"'+record['fn',0]['mtime'].dtstr+'\"',
                                '=\"'+record['fn',0]['atime'].dtstr+'\"', 
                                '=\"'+record['fn',0]['ctime'].dtstr+'\"']
        elif 'si' in record:
            filenameBuffer = ['NoFNRecord', 
                                str('=\"'+record['si']['crtime'].dtstr+'\"'),
                                '=\"'+record['si']['mtime'].dtstr+'\"', 
                                '=\"'+record['si']['atime'].dtstr+'\"', 
                                '=\"'+record['si']['ctime'].dtstr+'\"',
                                'NoFNRecord', 'NoFNRecord', 'NoFNRecord','NoFNRecord']
        else:
            filenameBuffer = ['NoFNRecord', 'NoSIRecord', 'NoSIRecord', 'NoSIRecord', 'NoSIRecord',
                       'NoFNRecord', 'NoFNRecord', 'NoFNRecord','NoFNRecord']

        csv_string.extend(filenameBuffer)

Your original code simply output the date/times as follows: "2014-03-08 16:11:06.131943". This allowed Excel to automatically interpret the data and assign it a format. We discovered that Excel has certain triggers that will force data to be interpreted a certain way.
Our changes create the following output: "=""2014-03-08 16:11:06.131943""". This tells Excelt to interpret the data as text, and it has been working properly for us. Let us know if you find any different results.

[dkovar]

Greetings,

I added the code and put it behind a "-e" switch. Anyone wanting the existing behavior need not make any changes and anyone wanting the new behavior just needs to add that switch.

Thank you for figuring this out!

-David

On Mar 13, 2014, at 1:53 PM, Thecondienator notifications@github.com wrote:

David,

The following file shows the changes we made, as well as a brief explanation. Let us know if you have different results, and we may be able to make further changes.

~Brice

On Thu, Mar 13, 2014 at 11:50 AM, dkovar notifications@github.com wrote:

Greetings,

If you'd like, you could just send me the modified file and I'll figure out what changed. Or, you could send me a diff of the files.

-David

On Thu, Mar 13, 2014 at 12:48 PM, Thecondienator notifications@github.comwrote:

Thanks for your help! We have updated your code so that it outputs the dates in a format that is recognized by Excel. How do we propose these changes to be integrated to your repo?

I apologize for the noob question, we're very new to GitHub :(

Reply to this email directly or view it on GitHub< https://github.com/dkovar/analyzeMFT/issues/19#issuecomment-37563867>

.

Reply to this email directly or view it on GitHubhttps://github.com/dkovar/analyzeMFT/issues/19#issuecomment-37564258 .

Greetings! We changed the following code in mft.py:

if record['fncnt'] > 0 and 'si' in record:

filenameBuffer = [FNrecord['name'], str(record['si']['crtime'].dtstr),

filenameBuffer = [record['filename'], str(record['si']['crtime'].dtstr), record['si']['mtime'].dtstr, record['si']['atime'].dtstr, record['si']['ctime'].dtstr, record['fn',0]['crtime'].dtstr, record['fn',0]['mtime'].dtstr, record['fn',0]['atime'].dtstr, record['fn',0]['ctime'].dtstr] elif 'si' in record: filenameBuffer = ['NoFNRecord', str(record['si']['crtime'].dtstr), record['si']['mtime'].dtstr, record['si']['atime'].dtstr, record['si']['ctime'].dtstr, 'NoFNRecord', 'NoFNRecord', 'NoFNRecord','NoFNRecord'] else: filenameBuffer = ['NoFNRecord', 'NoSIRecord', 'NoSIRecord', 'NoSIRecord', 'NoSIRecord', 'NoFNRecord', 'NoFNRecord', 'NoFNRecord','NoFNRecord']

csv_string.extend(filenameBuffer)

to:

if record['fncnt'] > 0 and 'si' in record:

filenameBuffer = [FNrecord['name'], str(record['si']['crtime'].dtstr),

filenameBuffer = [record['filename'], str('=\"'+record['si']['crtime'].dtstr+'\"'), '=\"'+record['si']['mtime'].dtstr+'\"', '=\"'+record['si']['atime'].dtstr+'\"', '=\"'+record['si']['ctime'].dtstr+'\"', '=\"'+record['fn',0]['crtime'].dtstr+'\"', '=\"'+record['fn',0]['mtime'].dtstr+'\"', '=\"'+record['fn',0]['atime'].dtstr+'\"', '=\"'+record['fn',0]['ctime'].dtstr+'\"'] elif 'si' in record: filenameBuffer = ['NoFNRecord', str('=\"'+record['si']['crtime'].dtstr+'\"'), '=\"'+record['si']['mtime'].dtstr+'\"', '=\"'+record['si']['atime'].dtstr+'\"', '=\"'+record['si']['ctime'].dtstr+'\"', 'NoFNRecord', 'NoFNRecord', 'NoFNRecord','NoFNRecord'] else: filenameBuffer = ['NoFNRecord', 'NoSIRecord', 'NoSIRecord', 'NoSIRecord', 'NoSIRecord', 'NoFNRecord', 'NoFNRecord', 'NoFNRecord','NoFNRecord']

csv_string.extend(filenameBuffer)

Your original code simply output the date/times as follows: "2014-03-08 16:11:06.131943". This allowed Excel to automatically interpret the data and assign it a format. We discovered that Excel has certain triggers that will force data to be interpreted a certain way. Our changes create the following output: "=""2014-03-08 16:11:06.131943""". This tells Excelt to interpret the data as text, and it has been working properly for us. Let us know if you find any different results. — Reply to this email directly or view it on GitHub.