-
Notifications
You must be signed in to change notification settings - Fork 7
/
help.txt
88 lines (73 loc) · 4.11 KB
/
help.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
mftf.exe v.3.0
Raw copy files and search using the content of the MFT.
The tool can parse the $MFT from a live system, from a mounted (read-only
included) logical drive or from a copy of the $MFT.
It can copy files or ADS,s directly or using references.
The copy is made by reading the data from the clusters so that you can copy
protected system files or files in use.
Deleted files and folders have their path with the prefix "?".
Copyright 2015 Ignacio Perez
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Usage:
Batch mode:
mftf.exe -b batchfile.txt
One action per line, i.e.:
-cp "c:\users\pepe\ntuser.dat" -n "d:\copy\pepe_ntuser.dat"
-cp "c:\users\pepe\AppData\Local\Microsoft\Windows\UsrClass.dat" -n "d:\copy\pepe_UsrClass.dat"
Raw copy reading from the clusters:
mftf.exe -cp file_full_path -n full_path_destination
MFT parsing:
mftf.exe SOURCE ACTIONS [OPTIONS]
SOURCE:
-d drive_letter Logical unit.
-o MFT_file [-by bytesxrecord] Offline $MFT file. Default bytes per MFT record is 1024 bytes.
ACTIONS: EXTRACT DATA/INFORMATION.
-cr "ref1[|ref2..]" Copy the referenced file/ads to this folder. Use | as separator.
-wr "ref1[|ref2..]" Only for resident data: Write to console the referenced file or ADS.
-cl list.txt Copy all the files referenced in the file list.txt.
Each line MUST start with: reference + [TAB].
-cn record_number Copy the binary content of the MFT record to this folder.
-i record_number Show information of the MFT record.
-ip path_to_file Show information of the MFT record.
-w record_number Write on screen the bytes of the MFT record.
ACTIONS: SEARCH.
-f "string1|string2 with spaces/|string3<" Use | as separator. The < for an exat match.
-f "folder\string" The / for end of string match.
-f "folder\*" Use * to search any string.
-ff file.txt The strings to search for are in file.txt.
One string per line.
-fr string Raw search in the bytes of each MFT record.
-fd "\\Dir1\dir2|\\Dir1\dir3<" Search files and folders under the tree.
-r N Recursion level for fd option. Default is 0.
-fads Find all the ADS,s.
-bads "string" Display resident ADSs containing "string"
Search OPTIONS:
>Timeline mode: if no search is specified the entire MFT will be in the output. Two formats available:
-tl Format: Date Time [MACB] filename record size
-l2t Format: date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
-tf yyyy-MM-dd Filter from this date.
-tt yyyy-MM-dd to this date.
-sha1 Add the SHA1 to the output (live mode).
>No timeline mode:
-x Save the results in a file in order to use the option -cl.
-s Display only the file name.
Common OPTIONS:
-k This option will keep the session open. New queries will benefit from a higher response speed.
You can change the origin and return without time penalty.
Help:
-h This help.
Examples:
> mftf -b batchfile.txt
> mftf.exe -cp c:\$MFT -n d:\maleta\mft.bin
> mftf.exe -o mft.bin -by 4096 -f "svchost" -tl -tf "2015/10/18" -tt "2016/01/25" -k
> mftf.exe -d e -f "svchost|mvui.dll|string with spaces|exact match<" -l2t
> mftf.exe -d e -cr 4292:128-1