Re: [sleuthkit-users] Parsing RAW MFT
From: Brian C. <ca...@sl...> - 2013-07-23 15:04:07
ntfs_dinode_copy() is the method that takes in the raw buffer and turns it into TSK_FS_* structures. As Simson pointed out, this is currently static and only available from within ntfs.c. You could make it non-static and see if it works for your use. We can certainly make it non-static if people find it useful.

The biggest potential problems though are that it is going to want to do a lot more stuff than simply parse it. It is going to follow attribute lists to identify all of the attributes of a given file that could not fit in the base entry. So, it is going to want a disk image that it can then use the MFT to find those other entries. I suppose we could add a flag that made it more simple though.

On Jul 23, 2013, at 8:29 AM, Simson Garfinkel <si...@ac...> wrote:

> bulk_extractor has an MFT parser in it that will parse MFT directory entries. You can just point it at the 1024 byte chunk (or extract the chunk into a file). The fields are broken out and stored as XML in the feature file.
>
> On Jul 23, 2013, at 8:22 AM, "Spensky, Chad - 0559 - MITLL" <cha...@ll...> wrote:
>
>> Is there a straightforward way to parse a raw 1024 byte chunk of data known to be an MFT entry using Sleuth Kit? I'd like to have the same abstraction and TSK_FS_FILE struct so that I can use the same code to deal with this special case as one would with an entire file system. Any help would be much appreciated. I've been looking through ntfs.c and can't seem to pin down a self contained function that will do what I am asking, but I could just be missing it.
>>
>> - Chad
>>
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
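The following is an added example, not code from The Sleuth Kit or from anyone in this thread. It shows the part of the job that a lone 1024-byte chunk can support without a disk image (verifying and undoing the update sequence "fixups", then walking the attribute headers of the base entry) and, for the problem Brian describes, it reports which other MFT record numbers an $ATTRIBUTE_LIST points at, which is exactly what cannot be resolved without the rest of the MFT. The record it parses is constructed in `build_sample_record()` for the demo; all function names are this example's own and the layouts follow the standard NTFS FILE record and attribute header formats.

```python
import struct

RECORD_SIZE, SECTOR_SIZE, ATTR_END = 1024, 512, 0xFFFFFFFF
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST",
              0x30: "$FILE_NAME", 0x80: "$DATA"}


def apply_fixups(raw: bytes) -> bytes:
    """Check the update sequence number (USN) stored in the last 2 bytes of each
    512-byte sector and put the original bytes back from the update sequence
    array (USA). A mismatch means a torn write, the wrong record size, or a
    chunk that is not really an MFT entry."""
    if len(raw) != RECORD_SIZE or raw[:4] != b"FILE":
        raise ValueError("not a 1024-byte MFT FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", raw, 4)
    usn = raw[usa_off:usa_off + 2]
    rec = bytearray(raw)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE - 2                      # last 2 bytes of sector i-1
        if rec[end:end + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        rec[end:end + 2] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_attribute_list(content: bytes) -> list:
    """Return (attribute type, MFT record number) pairs named by an
    $ATTRIBUTE_LIST. Resolving them needs the whole MFT (i.e. the image)."""
    refs, off = [], 0
    while off + 0x1A <= len(content):
        atype, rlen = struct.unpack_from("<IH", content, off)
        if rlen < 0x1A:
            break                                      # corrupt entry, stop
        mft_ref = struct.unpack_from("<Q", content, off + 0x10)[0]
        refs.append((atype, mft_ref & 0xFFFFFFFFFFFF))  # low 48 bits = record no.
        off += rlen
    return refs


def parse_record(raw: bytes) -> dict:
    """Parse the header and the attributes held in this base entry only."""
    rec = apply_fixups(raw)
    seq, links, attr_off, flags, used = struct.unpack_from("<HHHHI", rec, 0x10)
    entry = {"seq": seq, "links": links, "in_use": bool(flags & 1),
             "is_dir": bool(flags & 2), "attributes": [], "external_refs": []}
    off = attr_off
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END:
            break
        nonres = rec[off + 8]
        if alen < (0x40 if nonres else 0x18) or off + alen > used:
            raise ValueError(f"corrupt attribute header at {off:#x}")
        attr = {"type": atype, "name": ATTR_NAMES.get(atype, f"{atype:#x}"),
                "resident": nonres == 0}
        if nonres == 0:
            csize, coff = struct.unpack_from("<IH", rec, off + 0x10)
            attr["content"] = rec[off + coff:off + coff + csize]
            if atype == 0x20:
                entry["external_refs"] += parse_attribute_list(attr["content"])
        else:                                          # only the size is here; runs need the image
            attr["real_size"] = struct.unpack_from("<Q", rec, off + 0x30)[0]
        entry["attributes"].append(attr)
        off += alen
    return entry


def file_name(entry: dict):
    """Decode the UTF-16LE name from the first resident $FILE_NAME attribute."""
    for a in entry["attributes"]:
        if a["type"] == 0x30 and a["resident"]:
            n = a["content"][64]                       # name length in characters
            return a["content"][66:66 + 2 * n].decode("utf-16-le")
    return None


def build_sample_record(with_attr_list: bool = False) -> bytes:
    """Constructed sample data (not from a real disk): an in-use record with
    resident $STANDARD_INFORMATION, $FILE_NAME and $DATA, optionally plus an
    $ATTRIBUTE_LIST pointing at MFT record 1234, with fixups applied."""
    def attr(atype, content):                          # resident attribute, 24-byte header
        body = struct.pack("<IIBBHHHIHBB", atype, 0, 0, 0, 0x18, 0, 0,
                           len(content), 0x18, 0, 0) + content
        body += b"\0" * (-len(body) % 8)
        return body[:4] + struct.pack("<I", len(body)) + body[8:]

    name = "test.txt".encode("utf-16-le")
    fname = struct.pack("<Q4QQQIIBB", (5 << 48) | 5, 0, 0, 0, 0, 0, 0,
                        0x20, 0, len(name) // 2, 1) + name
    attrs = attr(0x10, b"\0" * 48) + attr(0x30, fname) + attr(0x80, b"hello world")
    if with_attr_list:
        lst = struct.pack("<IHBBQQH", 0x80, 0x20, 0, 0x1A, 0, (2 << 48) | 1234, 3)
        attrs += attr(0x20, lst + b"\0" * 6)
    usa_off, usa_count, attr_off = 0x30, 3, 0x38
    used = attr_off + len(attrs) + 8                   # attributes + end marker
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", usa_off, usa_count, 0, 1, 1,
                                attr_off, 1, used, RECORD_SIZE, 0, 4, 0, 7)
    rec = bytearray(hdr + b"\0" * 8 + attrs + b"\xff" * 4 + b"\0" * 4)
    rec += b"\0" * (RECORD_SIZE - len(rec))
    usn = b"\x07\x00"                                  # write fixups like the driver does
    rec[usa_off:usa_off + 2] = usn
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE - 2
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)


if __name__ == "__main__":
    e = parse_record(build_sample_record(with_attr_list=True))
    print(file_name(e), [a["name"] for a in e["attributes"]], e["external_refs"])
```

A non-empty `external_refs` is the signal that the 1024-byte chunk alone is not the whole file: the listed record numbers must be read from the MFT in the image before the file's full attribute set (and any non-resident data runs) can be assembled, which is the step Brian says ntfs_dinode_copy() will insist on doing.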