How to get to last NTFS MFT record?

  • Question

  • I am writing a utility to parse the MFT in NTFS. So far I have written the code to get a 1024-byte MFT record and traverse its attributes. As far as I know, the MFT starts allocating records to user files from record number 0x23, so I am looping from 0x23 to N records. I want to know how to get to the last record of the MFT. Is there some kind of end marker? How do I know whether a certain record is the last record, so that I can stop looping through MFT records?

    Any help would be appreciated.


    Awais

    Friday, September 6, 2013 8:05 AM

Answers

  • It is quite a bit more complicated than you believe, because the MFT does not have to be contiguous and may have extents (multiple discontiguous regions spread across the disk). You first need to figure out which extent contains the FRS (File Record Segment) that you're looking for (the extents are contained in the MFT's entry for itself, entry #0 in the MFT). Hint: Every FRS starts with the word "FILE".

    Another reason why it is complicated is that everything in NTFS deals with clusters, which are an integral number of sectors, the value of which is stored in the BPB (BIOS Parameter Block).

    If you really want to parse NTFS, then you need to be able to COMPLETELY parse the first 16 entries of the MFT. I can tell you from experience that it will take some time to get this right.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting.

    Friday, September 6, 2013 6:35 PM
    Moderator
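Added example (not part of this thread and not Brian's DiskTool code): a minimal Python parser for one FRS that does the checks Brian describes, the "FILE" signature, the update sequence array fixups that must be verified and undone before any field is trusted, and the attribute walk up to the 0xFFFFFFFF end marker. It assumes a 1024-byte record and 512-byte sectors (a real tool reads both from the BPB) and builds its own sample record, laid out like the $MFT's own entry (USA at offset 0x30, attributes at 0x38); all function names are mine.

```python
import struct

FRS_SIZE = 1024          # assumed; on a real volume take it from the BPB
SECTOR = 512             # assumed; also from the BPB
END_MARKER = 0xFFFFFFFF  # terminates the attribute list inside a record
FLAG_IN_USE = 0x0001     # FRS header flag: record is allocated to a file


def apply_fixups(rec: bytes) -> bytes:
    """Verify and undo the update sequence array (USA) of a FILE record.

    NTFS stamps the last two bytes of every sector of the record with the
    update sequence number (USN) and keeps the original bytes in the USA.
    A stamp that does not match means a torn write or a corrupted record,
    so refuse to interpret it rather than parse garbage."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record: bad signature")
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    buf = bytearray(rec)
    for i in range(1, usa_count):              # entry 0 is the USN itself
        saved = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        buf[end - 2:end] = saved
    return bytes(buf)


def is_valid_frs(raw: bytes) -> bool:
    """True when the signature and every fixup check out."""
    try:
        apply_fixups(raw)
        return True
    except ValueError:
        return False


def walk_attributes(rec: bytes):
    """Yield (type, name, resident, record_length) for each attribute header,
    stopping at the 0xFFFFFFFF end marker. Lengths are bounds-checked so a
    malformed record cannot walk the parser outside the 1024-byte buffer."""
    off = struct.unpack_from("<H", rec, 0x14)[0]     # first attribute offset
    while off + 4 <= len(rec):
        atype = struct.unpack_from("<I", rec, off)[0]
        if atype == END_MARKER:
            return
        rec_len, form, name_len, name_off = struct.unpack_from("<IBBH", rec, off + 4)
        if rec_len < 16 or off + rec_len > len(rec):
            raise ValueError("attribute record overruns the FRS")
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        yield atype, name, form == 0, rec_len
        off += rec_len
    raise ValueError("attribute list not terminated")


def parse_frs(raw: bytes) -> dict:
    """Fixups, the header fields that matter for iteration, and the attributes."""
    rec = apply_fixups(raw)
    seq, links, _, flags = struct.unpack_from("<HHHH", rec, 0x10)
    return {"sequence": seq, "links": links, "in_use": bool(flags & FLAG_IN_USE),
            "attributes": list(walk_attributes(rec))}


def _resident_attr(atype: int, value: bytes, attr_id: int) -> bytes:
    """Encode an unnamed resident attribute: 16-byte common header, 8-byte
    resident part, value at offset 0x18, total padded to a multiple of 8."""
    length = (0x18 + len(value) + 7) & ~7
    hdr = struct.pack("<IIBBHHH", atype, length, 0, 0, 0x18, 0, attr_id)
    res = struct.pack("<IHBB", len(value), 0x18, 0, 0)
    return (hdr + res + value).ljust(length, b"\0")


def build_sample_frs() -> bytes:
    """Constructed sample record (not read from any disk): USA at 0x30 with
    3 entries, attributes at 0x38, a resident $STANDARD_INFORMATION (0x48
    bytes) and a resident $FILE_NAME for "$MFT", then the end marker."""
    std_info = bytes(0x48)
    file_name = struct.pack("<QQQQQQQIIBB", 5, 0, 0, 0, 0, 0, 0, 6, 0, 4, 3)
    file_name += "$MFT".encode("utf-16-le")                       # 0x4a bytes
    attrs = (_resident_attr(0x10, std_info, 0) + _resident_attr(0x30, file_name, 3)
             + struct.pack("<II", END_MARKER, 0))
    used = 0x38 + len(attrs)
    buf = bytearray(FRS_SIZE)
    buf[:0x30] = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38,
                                       FLAG_IN_USE, used, FRS_SIZE, 0, 9, 0, 0)
    buf[0x38:0x38 + len(attrs)] = attrs
    usn = b"\x6b\x02"
    # save the real last two bytes of each sector into the USA, then stamp the USN
    buf[0x30:0x32] = usn
    buf[0x32:0x34] = buf[SECTOR - 2:SECTOR]
    buf[0x34:0x36] = buf[2 * SECTOR - 2:2 * SECTOR]
    buf[SECTOR - 2:SECTOR] = usn
    buf[2 * SECTOR - 2:2 * SECTOR] = usn
    return bytes(buf)


if __name__ == "__main__":
    print(parse_frs(build_sample_frs()))
```

The in_use flag answers part of the original question: a record whose flag bit 0 is clear is not the end of the MFT, only a free slot, so a loop must not stop there. The end is determined by the size of the $MFT's own $DATA attribute, not by any marker inside the records.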

All replies

  • Thanks Brian! I can see that it will take time :)

    How about getting the size of the MFT first and then looping till the end while parsing records on the way? For example, if my volume is 100 MB, then the NTFS documentation says it will reserve a minimum of 12.5 MB for the MFT (correct me if I am wrong). So how about checking all 12800 bytes (12.5 MBs) in 1024-byte (FRS size) chunks?


    Awais

    Friday, September 6, 2013 7:26 PM
  • The first extent of the MFT is only guaranteed to be large enough to hold 16 entries. Work on completely parsing FRS #0. Following is the FRS from my system disk (it is easier to view in a monospaced font). Note that since my system disk is an SSD there isn't a need to defragment the MFT and stick it in the middle of the disk, which is why it has so many extents.

    DiskTool 2.0.4
    Copyright 2011 Brian Catlin. All rights reserved
    Azius Cyber Forensic Training and Tools - www.azius.com

    DT> show frs 0

    Volume \\.\C:
    FRS:         0 (00000000) LBN:              6291456 (0000000000600000)
    Signature:           FILE Upd seq arr offset:  0030 Upd seq arr size:       3
    FRS sequence number:    1 FRS reference count:    1 First attr offset:     56
    Flags:               0001 First free byte:      616 Bytes available:     1024
    Base FRS:    000000000000 Next attr instance:     9 Current FRS: 000000000000
    Logfile sequence number:  00000017ea705957
    Update sequence array: 026b 0000 0000

    Offset in FRS:  56 (0038) Attribute type:  00000010 $STANDARD_INFORMATION
    Attr record length:    96 Attr form code:        00 Attr name length:       0
    Attr name offset:      24 Attr instance:          0 Attr header Flags:   0000
    Resident Attribute
    Value length:    00000048 Value offset:    00000018 Index flags:           00
    Reserved:              00
    Created:    2011-12-18 01:55:55.509       Modified:   2011-12-18 01:55:55.509
    Changed:    2011-12-18 01:55:55.509       Accessed:   2011-12-18 01:55:55.509
    File attributes: 00000006 Max versions:           0
    Txf LSN:         0000000000000000
    Owner ID:        00000000 Security ID:     00000100
    Quota charged:   0000000000000000           Update seq num:  0000000000000000

    Offset in FRS: 152 (0098) Attribute type:  00000030 $FILE_NAME
    Attr record length:   104 Attr form code:        00 Attr name length:       0
    Attr name offset:      24 Attr instance:          3 Attr header Flags:   0000
    Resident Attribute
    Value length:    0000004a Value offset:    00000018 Index flags:           01
    Reserved:              00 Parent FRS:  000000000005
    Created:    2011-12-18 01:55:55.509       Modified:   2011-12-18 01:55:55.509
    Changed:    2011-12-18 01:55:55.509       Accessed:   2011-12-18 01:55:55.509
    Alloc length:             371195904       Actual length:            371195904
    File attrs:      00000006 Reparse tag:     00000000 Name Length:            4
    Namespace flags:       03 Name: $MFT

    Offset in FRS: 256 (0100) Attribute type:  00000080 $DATA
    Attr record length:   232 Attr form code:        01 Attr name length:       0
    Attr name offset:      64 Attr instance:          1 Attr header Flags:   0000
    Non-resident Attribute
    Lowest VCN:      0        Highest VCN:        00000000000161ff
    Mapping pairs off:   0040 Compression unit:      00 Reserved:      0000000000
    Alloc length:    0000000016200000        File length:        0000000016200000
    Valid length:    0000000016200000
    Extent           VCN              LCN            Count
      0                0            c0000             4380
      1             4380           797ea4             3840
      2             7bc0           e81ef8              108
      3             7cc8           c28281             21f8
      4             9ec0           a74f51               40
      5             9f00           de5ba6              15a
      6             a05a           b77388              100
      7             a15a           b77bf4                3
      8             a15d           b77c20                2
      9             a15f           b77c23              205
     10             a364           b77e30                6
     11             a36a           b7820d               19
     12             a383           b782e1                1
     13             a384           b782c5                f
     14             a393           b782a0               24
     15             a3b7           b782e3                1
     16             a3b8           b782e5                8
     17             a3c0           b782f6                1
     18             a3c1           b78306              459
     19             a81a           b78760               10
     20             a82a           b78824                2
     21             a82c           b78888               20
     22             a84c           b7a7fb              eb4
     23             b700           b22f6b               40
     24             b740           b39d71                4
     25             b744           b39d66                1
     26             b745           b39d76                8
     27             b74d           b39d7f                1
     28             b74e           b39d91                6
     29             b754           b39da0                7
     30             b75b           b39dda                c
     31             b767           b3c0b7                2
     32             b769           b3ebaf                4
     33             b76d           b3ebd2               14
     34             b781           b3ebef               3f
     35             b7c0           8977b8                a
     36             b7ca           897540              276
     37             ba40           b75535              280
     38             bcc0           3a8820             a540


    Offset in FRS: 488 (01e8) Attribute type:  000000b0 $BITMAP
    Attr record length:   120 Attr form code:        01 Attr name length:       0
    Attr name offset:      64 Attr instance:          8 Attr header Flags:   0000
    Non-resident Attribute
    Lowest VCN:      0        Highest VCN:        000000000000000b
    Mapping pairs off:   0040 Compression unit:      00 Reserved:      0000000000
    Alloc length:    000000000000c000        File length:        000000000000b100
    Valid length:    000000000000b100
    Extent           VCN              LCN            Count
      0                0            bffff                1
      1                1            ac778                3
      2                4           70b260                1
      3                5           7cc3e4                1
      4                6           7cb0ad                1
      5                7           a97b17                1
      6                8          10d7d50                1
      7                9           2e51a0                1
      8                a           5572bf                1
      9                b           e2cfa5                1


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting.

    Friday, September 6, 2013 9:15 PM
    Moderator
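Added example (not from this thread and not DiskTool code) of what to do with FRS #0 once it is parsed, which is where the answer to the original question lives: decode the non-resident $DATA attribute's mapping pairs into the extent table shown above, map a record number to its sector, and take the record count from the $DATA file length (0x16200000 / 1024 = 362496 records, so the last record number is 362495; the $BITMAP attribute's 0xb100 bytes are 362496 bits, one per record, and say which of them are in use). The mapping-pair bytes and the bitmap are constructed here; the run bytes encode only the first three extents of the dump. A cluster of 8 sectors is assumed, which matches the dump (LCN 0xc0000 at LBN 0x600000); function names are mine.

```python
SECTOR = 512
CLUSTER_SECTORS = 8      # assumed, from the BPB; consistent with the dump above
FRS_SIZE = 1024          # assumed, from the BPB (stored there as a signed byte)

# Constructed mapping pairs for the first three $DATA extents of the dump:
#   VCN 0      -> LCN 0xc0000  count 0x4380
#   VCN 0x4380 -> LCN 0x797ea4 count 0x3840   (delta +0x6d7ea4)
#   VCN 0x7bc0 -> LCN 0xe81ef8 count 0x108    (delta +0x6ea054)
SAMPLE_RUNS = bytes.fromhex("3280430000 0c" "324038a47e6d" "320801 54a06e" "00")

# Constructed $BITMAP fragment: records 0..19 allocated, 20..23 free.
SAMPLE_BITMAP = bytes([0xFF, 0xFF, 0x0F])


def decode_mapping_pairs(runs: bytes, lowest_vcn: int = 0):
    """Turn mapping pairs ("data runs") into (vcn, lcn, count) extents.

    Each run starts with a header byte: low nibble = size of the length field,
    high nibble = size of the LCN delta field. The delta is signed and relative
    to the previous run's LCN, which is how the dump's backward jumps (extent
    25 sits below extent 24) are encoded. A zero-size delta field marks a
    sparse run with no clusters behind it; a zero header byte ends the list."""
    extents, pos, vcn, lcn = [], 0, lowest_vcn, 0
    while pos < len(runs) and runs[pos] != 0:
        hdr = runs[pos]
        len_sz, off_sz = hdr & 0x0F, hdr >> 4
        pos += 1
        if len_sz == 0 or pos + len_sz + off_sz > len(runs):
            raise ValueError("malformed mapping pair")
        count = int.from_bytes(runs[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz == 0:
            extents.append((vcn, None, count))
        else:
            lcn += int.from_bytes(runs[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
            extents.append((vcn, lcn, count))
        vcn += count
    return extents


def frs_to_lbn(frs_no: int, extents) -> int:
    """Starting sector of an MFT record: locate the extent holding the
    record's VCN, then add the record's slot inside that cluster."""
    recs_per_cluster = CLUSTER_SECTORS * SECTOR // FRS_SIZE
    vcn, slot = divmod(frs_no, recs_per_cluster)
    for start_vcn, lcn, count in extents:
        if start_vcn <= vcn < start_vcn + count:
            if lcn is None:
                raise ValueError("record lies in a sparse run")
            return (lcn + vcn - start_vcn) * CLUSTER_SECTORS + slot * FRS_SIZE // SECTOR
    raise ValueError(f"FRS {frs_no} is beyond the $MFT extents")


def mft_record_count(data_file_length: int) -> int:
    """Number of records the $MFT holds: $DATA file length / record size.
    The last record number is one less than this."""
    return data_file_length // FRS_SIZE


def is_record_allocated(bitmap: bytes, frs_no: int) -> bool:
    """$MFT's $BITMAP has one bit per record, LSB first within each byte."""
    return bool((bitmap[frs_no >> 3] >> (frs_no & 7)) & 1)


if __name__ == "__main__":
    ext = decode_mapping_pairs(SAMPLE_RUNS)
    for e in ext:
        print("VCN %6x LCN %7x count %5x" % e)
    print("FRS 0 at LBN", frs_to_lbn(0, ext))
    print("records:", mft_record_count(0x16200000))
```

Reading the $MFT this way, extent by extent, also covers the point from the first reply: a loop that assumes the records are contiguous from the first extent will read unrelated clusters as soon as it passes 0x4380 * 4 records on this disk.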
  • Thanks Brian. I will surely try that, but I can see that it will take time :(

    Awais

    Saturday, September 7, 2013 9:44 AM