Skip to content

MFTBrowser.exe (x64)

Pre-release
Pre-release
Compare
Choose a tag to compare
@kacos2000 kacos2000 released this 08 Oct 12:51
· 53 commits to master since this release
v.0.0.32.0
080740e
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

[Updates]

  • Improved Hex view loading time !
  • Some other tweaks
  • Resident $Data decoding of lnk files (mostly found in 4k records)
  • Added support for resident $Index_Root content of $ObjId, $Quota and $Reparse. E.g.:

$ObjId:$O
Index key is a GUID

Index Entry Nr: 1
[0x150] Index Entry Offset to Data: 32
[0x152] Index Entry Data Size: 56
[0x158] Index Entry Length: 88
[0x15A] Index Entry Key Size: 16
[0x15C] Index Entry Flag [0x00]: Child node
[0x160] Index Entry Key: 42A09F1C-3358-4A6F-9026-57D1424DE798
    GUID Version: 4
    GUID Variant: 2
    GUID Sequence: 4134
[-----] Reference MFT record ID: 0003000000000003
[0x170] Reference MFT record Nr: 3
[0x176] Reference MFT Sequence Nr: 3

Index Entry Nr: 2
[0x1A8] Index Entry Offset to Data: 32
[0x1AA] Index Entry Data Size: 56
[0x1B0] Index Entry Length: 88
[0x1B2] Index Entry Key Size: 16
[0x1B4] Index Entry Flag [0x00]: Child node
[0x1B8] Index Entry Key: BC4BBA0E-277F-11EC-800F-00155D380176
    GUID Version: 1
    GUID Variant: 2
    GUID Sequence: 15
    GUID created at: 07/10/2021 15:03:31.5052046
    MAC Address: 00:15:5D:38:01:76
[-----] Reference MFT record ID: 0002000000000028
[0x1C8] Reference MFT record Nr: 40
[0x1CE] Reference MFT Sequence Nr: 2

$Quota:$O
Index key is Security ID (sid)

Index Entry Nr: 1
[0x150] Index Entry Offset to Data: 32
[0x152] Index Entry Data Size: 4
[0x158] Index Entry Length: 40
[0x15A] Index Entry Key Size: 16
[0x15C] Index Entry Flag [0x00]: Child node
[0x160] Index Entry Key: S-1-5-32-544
[0x170] Owner ID: 256
[0x170] Index Entry Content

$Quota:$Q
Index key is Owner ID

Index Entry Nr: 1
[0x1C8] Index Entry Offset to Data: 20
[0x1CA] Index Entry Data Size: 48
[0x1D0] Index Entry Length: 72
[0x1D2] Index Entry Key Size: 4
[0x1D4] Index Entry Flag [0x00]: Child node
[0x1D8] Index Entry Key: 1
[0x1DC] Quota Version: 2
[0x1E0] Quota Flag: Default Limits
[0x1E4] Quota Bytes Used: 0
[0x1EC] Quota Changed Time: 07/10/2021 14:44:32.5994800
[0x204] Quota Hard Limit: 0
Index Entry Nr: 2
[0x210] Index Entry Offset to Data: 20
[0x212] Index Entry Data Size: 64
[0x218] Index Entry Length: 88
[0x21A] Index Entry Key Size: 4
[0x21C] Index Entry Flag [0x00]: Child node
[0x220] Index Entry Key: 256
[0x224] Quota Version: 2
[0x228] Quota Flag: Default Limits
[0x22C] Quota Bytes Used: 0
[0x234] Quota Changed Time: 07/10/2021 14:44:32.5994800
[0x24C] Quota Hard Limit: 0
[0x224] Index Entry Content

$Reparse:$R
Index key is Reparse Tag & $MFT reference nr.

Index Entry Nr: 1
[0x158] Index Entry Offset to Data: 28
[0x15A] Index Entry Data Size: 0
[0x160] Index Entry Length: 40
[0x162] Index Entry Key Size: 12
[0x164] Index Entry Flag [0x01]: Child node in $Index_Allocation
[0x168] Index Entry Key: IO_REPARSE_TAG_CLOUD_4
[0x168] Reparse Tag: 9000401A
[-----] Reference MFT record ID: 000200000000006F
[0x16C] Reference MFT record Nr: 111
[0x172] Reference MFT Sequence Nr: 2

Index Entry Nr: 2
[0x180] Index Entry Offset to Data: 28
[0x182] Index Entry Data Size: 0
[0x188] Index Entry Length: 40
[0x18A] Index Entry Key Size: 12
[0x18C] Index Entry Flag [0x01]: Child node in $Index_Allocation
[0x190] Index Entry Key: IO_REPARSE_TAG_CLOUD_4
[0x190] Reparse Tag: 9000401A
[-----] Reference MFT record ID: 00020000000000AE
[0x194] Reference MFT record Nr: 174
[0x19A] Reference MFT Sequence Nr: 2
Assets 5
Loading