MFT extraction from HarddiskVolume
Tools like MFTECmd are really useful when something goes wrong with the MFT. Unfortunately, MFTECmd seems to access the MFT via the MFT, which is not quite reliable.
It's pretty easy to get the physical address of the $MFT and $MFTMirr files. Using raw disk/volume access instead of file-based access would make the tool more robust.
Log:
MFTECmd.exe -f "P:\$MFT"
MFTECmd version 1.2.1.0
Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/MFTECmd
Command line: -f P:\$MFT
Error opening file P:\$MFT. Does it exist? Error: Object reference not set to an instance of an object. Exiting
System.NullReferenceException: Object reference not set to an instance of an object.
at DiscUtils.Streams.SparseStream.SparseWrapperStream.get_CanRead()
at DiscUtils.Streams.BlockCacheStream..ctor(SparseStream toWrap, Ownership ownership, BlockCacheSettings settings)
at DiscUtils.Ntfs.Bitmap..ctor(Stream stream, Int64 maxIndex)
at DiscUtils.Ntfs.ClusterBitmap..ctor(File file)
at DiscUtils.Ntfs.NtfsFileSystem..ctor(Stream stream)
at RawCopy.Helper.VerifyFileSystemOpen(String path)
at RawCopy.Helper.RawFileExists(String path)
at RawCopy.Helper.GetRawFiles(List`1 fileNames, Boolean dedupe)
at MFTECmd.Program.GetFileType(String file)
Did you use cmd, or PowerShell, to run that command?
How would you go about locating the physical location of the MFT file?
Did you use cmd, or PowerShell, to run that command?
I do not remember, to be honest. But the program echoed the command correctly. Does that command work on your system?
How would you go about locating the physical location of the MFT file?
The NTFS boot sector has pointers to $MFT and $MFTMirr (offsets 0x30 and 0x38).
I can see, but the next question is, how big is the MFT? I assume I would have to read to that offset, pull 1024 bytes, interpret it, and get the size there. It's possible.
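The lookup discussed in this thread, written out as an added example (it is not part of the original thread and is not MFTECmd's code): the boot-sector fields at 0x30 and 0x38 give the byte offsets of $MFT and $MFTMirr, and the unnamed $DATA attribute in record 0 gives the size of the MFT. It goes slightly beyond the thread by reading the record size from boot-sector offset 0x40 instead of assuming 1024 bytes. The function names are hypothetical and the sample boot sector and record are constructed, not taken from a real volume.

```python
import struct

def parse_boot_sector(bs: bytes) -> dict:
    """Locate $MFT and $MFTMirr from the first 512 bytes of an NTFS volume."""
    if bs[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 0x0B)
    mft_lcn, mirr_lcn = struct.unpack_from("<QQ", bs, 0x30)  # fields at 0x30 and 0x38
    (rec,) = struct.unpack_from("<b", bs, 0x40)  # signed; negative n means 2**-n bytes
    cluster = bytes_per_sector * sectors_per_cluster
    return {"mft_offset": mft_lcn * cluster,
            "mftmirr_offset": mirr_lcn * cluster,
            "record_size": 1 << -rec if rec < 0 else rec * cluster}

def mft_size_from_record0(rec: bytes) -> int:
    """Real size of $MFT from record 0's unnamed $DATA attribute. Assumption: its
    header lies before byte 510, so update-sequence fixups are not applied."""
    if rec[:4] != b"FILE":
        raise ValueError("bad FILE record signature")
    off = struct.unpack_from("<H", rec, 0x14)[0]  # offset of first attribute
    while off + 0x10 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:  # end marker or corrupt length
            break
        non_resident, name_len = rec[off + 8], rec[off + 9]
        if atype == 0x80 and name_len == 0 and non_resident:
            return struct.unpack_from("<Q", rec, off + 0x30)[0]
        off += alen
    raise ValueError("no non-resident unnamed $DATA attribute found")

def sample_boot_sector() -> bytes:  # constructed sample, not from a real disk
    bs = bytearray(512)
    bs[3:11] = b"NTFS    "
    struct.pack_into("<HB", bs, 0x0B, 512, 8)       # 4096-byte clusters
    struct.pack_into("<QQ", bs, 0x30, 786432, 2)    # $MFT and $MFTMirr LCNs
    struct.pack_into("<b", bs, 0x40, -10)           # 1024-byte records
    return bytes(bs)

def sample_record0() -> bytes:  # constructed sample, not from a real disk
    r = bytearray(1024)
    r[:4] = b"FILE"
    struct.pack_into("<H", r, 0x14, 0x38)
    struct.pack_into("<II", r, 0x38, 0x10, 0x60)          # $STANDARD_INFORMATION
    struct.pack_into("<IIBB", r, 0x98, 0x80, 0x48, 1, 0)  # non-resident $DATA
    struct.pack_into("<Q", r, 0x98 + 0x30, 262144)        # real size
    struct.pack_into("<I", r, 0xE0, 0xFFFFFFFF)           # end marker
    return bytes(r)
```

On a live system the two inputs would come from a raw volume handle: the first 512 bytes of the volume, then `record_size` bytes read at `mft_offset`.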