29 Jan 2015

MFTF.

The name now is mftf.exe. I'm not using any more the FSCTL_ENUM_USN_DATA method. Now I only parse the $MFT file.
Some changes to the program and some bugs fixed.
https://github.com/ignacioj/mftf
The options now are:
Options:
    -d drive_letter............................Search/copy files from this logical unit.
    -h........................................This help.
    -f "string1[|string2 with spaces|string3?...]".....Find file/directory/ADS names with any of the strings.
    -f "d:\folder\string"                         .....The path will limit the results to the subfolders.
                The match is always case insensitive.
                " as delimiters for the whole group of strings.
                | is the boundary between strings.
                ? al the end of the string specifies an exact coincidence.
    -ff file.txt....................The strings to search for are in file.txt.
                                    One string per line, no separator, use ? as needed.
    -fr string......................Find the string doing a raw search in the 1024 bytes of the MFT record.
                                    It will report coincidences in the unallocated space of the MFT record.
    -fads...........................Find all the ADSs in the logical unit.
    >Can be used with any of the previous find options:
        -fx..................................Save the results in a file in order to use the option -c.
        -ft..................................Show the results in timeline format.
    -i full_path_to_file/directory.......Show information about the path.
    -i record_number.....................Show information of the MFT record.
    -w record_number.....................Write on screen the 1024 bytes of the MFT record.
    -c "reference1[|reference2...]"......Copy the file/s referenced to this folder.
                                           | is the separator.
    -c list.txt..........................Copy all the files referenced in the file list.txt.
                                           Each line MUST start with: reference + [TAB].
    -cr record_number....................Copy the 1024 bytes of the MFT record to this folder.
Examples:
> MFT-fileoper.exe -d e: -f "svchost|mvui.dll|string with spaces|exact match?"
> MFT-fileoper.exe -d e -fx -f "c:\folder\temp.dll|snbclog.exe"
> MFT-fileoper.exe -d e -c "33:128-1|5623:128-4"




Etiquetas: , , , ,

1 comment:

davnads said...

I have some questions/issues/feedback about the MFTF program. Do you have a contact email or twitter handle to discuss? I am at david.nides@gmail.com if easier to drop me a note.

17/5/18 22:22

Post a Comment

Subscribe to: Post Comments (Atom)