Archive for the ‘analyzeMFT’ Category

Updated analyzeMFT now with binaries! (And the tools required to get there.)

February 19, 2010 Leave a comment

I finally figured out how to build a standalone executable after an Alice in Wonderland run through redistributable libraries, py2exe, and Windows installers. There are still some issues, but it works well for the most part. Check the Download section on

Some tools that helped me turn a Python script into something that can run on any (most?) Windows systems are:

  1. py2exe – – Read the Tutorial page for some really good help with the .dlls
  2. Dependency Walker – – A great tool for determining what modules your application depends on
  3. Inno Setup – – A very simple yet powerful tool to build installation packages
Categories: analyzeMFT

Updated analyzeMFT, $MFT sequence numbers, and NTFS documentation

February 10, 2010 Leave a comment

analyzeMFT updates:

At the request of Harlan Carvey and Rob Lee I made some changes to analyzeMFT and fixed a few bugs along the way.

  • Version 1.1: Split parent folder reference and sequence into two fields. I’m still trying to figure out the significance of the parent folder sequence number, but I’m convinced that what some documentation refers to as the parent folder record number is really two values – the parent folder record number and the parent folder sequence number.
  • Version 1.2:
    • Fixed problem with non-printable characters in filenames. Any Unicode character is legal in a filename, including newlines. This presented some problems in my output. Characters that do not render well are now converted to hex and a note is added to the Notes column indicating this.
    • Added “compile time” flag to turn off the inclusion of any GUI related modules and libraries for systems missing tk/tcl support. (Set noGUI to True in the code)
  • Version 1.3: Added new column to hold log entries relating to each record. For example, a note stating that some characters in the filename were converted to hex as they could not be printed

The code and more details are available at

Quick note on $MFT sequence numbers:

Microsoft tells us that each record in the $MFT has a FILE_RECORD_SEGMENT_HEADER Structure. Within this structure is a sequence number, defined as follows:

“This value is incremented each time that a file record segment is freed; it is 0 if the segment is not used.”

Ok, that’s pretty straightforward. At least until you look at teh first 16 entries in any $MFT as all of their sequence numbers match their record number. I’ve been told that since these files can never be deleted, repurposing the sequence number adds an additional sanity check and disaster recovery option. However, I’ve found one volume where this behavior continues for 12,000 records or more. Still looking into that one.

NTFS Documentation:

One of the best sources for NTFS documentation isn’t Microsoft, it comes from the Linux NTFS developers and is available here.

Categories: analyzeMFT Tags: , ,

analyzeMFT – a Python tool to deconstruct the Windows NTFS $MFT file

January 20, 2010 Leave a comment

Three elements combined last week to inspire me to write a tool to deconstruct the Windows NTFS $MFT file:

  1. I’ve been wanting to learn Python for quite awhile. (I found a “Learning Python” book on my shelf published in 1999.
  2. Mark Menz’s MFT Ripper started me wondering about the significance of the MFT sequence number.
  3. I’d been trying to get through the SANS 508.1 book but couldn’t bear to read about NTFS structures yet again.
  4. I wanted to start building a framework for doing more detailed timeline analysis.

So, last week I sat down and wrote  Please keep in mind that this is a novice Python programmer’s code and is definitely a work in progress. A simple project page and a link to the source can be found here.

If you have any comments, suggestions, or improvements, please do let me know. I’d like to keep building on this and making it as useful as possible.

Categories: analyzeMFT Tags: , , ,