analyzeMFT – ADS support added
The latest version of analyzeMFT is available on github. I’ve not pushed it out to Pypi and will hold off until I’m sure it is free of bugs due to this new work. The changes are:
Fixed parsing and printing of UTF-16 strings, removed unicodeHack stuff.
My original code took a brute force approach to parsing file names from the MFT records. What I did not know at the time was that they were UTF-16. While working on other things, I took the time to figure that out and replaced about 20 lines of kludge with one line of code.
Fixed printing of unicode strings to output files.
While figuring out how to read UTF-16, I figure out how to write UTF-8.
Added ADS support.
This is probably a work in progress but it seems to be working so I’ll push this out. Whenever analyzeMFT encounters a resident $DATA record, it stores a copy of the contents away for later use. If it encounters a named $DATA record, it does two things:
- A duplicate of the parent record is created and the filename is changed to be <parent filename>:<ADS filename>.
- All ADS records, parent and children, get a flag set in the new ADS column
So you might see:
| /normal.txt | Normal file |
| /file-w-ads.txt | Normal file with ADS |
| /file-w-ads.txt:adsfile.txt | The ADS file attached to file-w-ads.txt |
| /dir | Directory |
| /dir:adsdir.txt | The ADS file attached to dir |
| /file-w-large-ads.txt | Normal file with ADS |
| /file-w-large-ads.txt:largeads.txt | The (non-resident) ADS file attached to file-w-large-ads.txt |
| /file-w-2-ads.txt | Normal file with two ADS files |
| /file-w-2-ads.txt:ads1.txt | The first ADS file attached to file-w-2-ads.txt |
| /file-w-2-ads.txt:ads2.txt | The second ADS file attached to file-w-2-ads.txt |
All of the records would have a ‘Y’ in the ADS column to indicate that either they are an ADS file or they have an ADS file attached.
As always, please let me know if I broke anything….
Integriography: A Journal of Broken Locks, Ethics, and Computer Forensics 