# [MFT_Record_Viewer](https://github.com/kacos2000/MFT_Record_Viewer/releases/latest)

*Repository: [kacos2000/MFT_Record_Viewer](https://github.com/kacos2000/MFT_Record_Viewer) ($MFT Record Viewer; PowerShell / WinForms, x64; GPL-2.0). Project page: https://kacos2000.github.io/MFT_Record_Viewer*

**>>> NOT supported - Check [MFTbrowser](https://github.com/kacos2000/MFT_Browser#readme) instead <<<**

*Designed to view the details of a few sets of $MFT FILE records, basically as a research project & for tool verification.
Try not to load more than a few hundred records at a time in order for the app to work properly.*

![gui](https://raw.githubusercontent.com/kacos2000/MFT_Record_Viewer/master/i/MFTviewer.jpg)

### A few Observations

$MFT is pretty well documented, but some bits and pieces are missing. Like:
The FILE record header has a 2-byte 'allocation status' flags field at offset 0x16 (22), with 4 defined bits:

  *  0x0001 = MFT_RECORD_IN_USE
  *  0x0002 = MFT_RECORD_IS_DIRECTORY
  *  0x0004 = MFT_RECORD_IN_EXTEND (i.e. in the $Extend directory)
  *  0x0008 = MFT_RECORD_IS_VIEW_INDEX *(not set if the only index is $I30)*

And as noted in [ntfs_layout.h](https://opensource.apple.com/source/ntfs/ntfs-52/kext/ntfs_layout.h):

```c
/*
 * The flag FILE_ATTR_DUP_FILENAME_INDEX_PRESENT is present in all
 * FILENAME_ATTR attributes but not in the STANDARD_INFORMATION
 * attribute of an mft record.
 */
FILE_ATTR_DUP_FILE_NAME_INDEX_PRESENT  = cpu_to_le32(0x10000000),
/* Note, this is a copy of the corresponding bit from the mft record,
   telling us whether this is a directory or not, i.e., whether it has
   an index root attribute or not. */
FILE_ATTR_DUP_VIEW_INDEX_PRESENT  = cpu_to_le32(0x20000000),
/* Note, this is a copy of the corresponding bit from the mft record,
   telling us whether this file has a view index present (eg. object id
   index, quota index, one of the security indexes or the encrypting
   filesystem related indexes). */
```

meaning that when bit nr:
   1. is set to 1, the record is in use.
   2. is set to 1, the record has an $Index_Root attribute, thus making it a Directory. When this bit is set, the related $File_Name attribute flag 'Directory' (0x10000000) is set as well *(see below)*.
   3. is set to 1, the FILE's location is in the $Extend directory.
   4. is set to 1, the record has a view index *(e.g. object id index, quota index, one of the security indexes or the encrypting filesystem related indexes)*, excluding $I30. When this bit is set, the related $File_Name attribute flag 'Index_view' (0x20000000) is set as well *(see below)*.

Further down the FILE record we get to the attributes. Each attribute starts with its 4-byte type code stored little-endian, so a $Standard_Information attribute begins with the bytes `10 00 00 00` on disk; read as a 32-bit value that is 0x00000010, not 0x10000000 as a raw hex dump suggests. The type codes are:

  * "0x00000000 - Unused"
  * "0x00000010 - $Standard_Information"
  * "0x00000020 - $Attribute_List"
  * "0x00000030 - $File_Name"
  * "0x00000040 - $Object_ID"
  * "0x00000050 - $Security_Descriptor"
  * "0x00000060 - $Volume_Name"
  * "0x00000070 - $Volume_Information"
  * "0x00000080 - $Data"
  * "0x00000090 - $Index_Root"
  * "0x000000A0 - $Index_Allocation"
  * "0x000000B0 - $Bitmap"
  * "0x000000C0 - $Reparse_Point"
  * "0x000000D0 - $EA_Information"
  * "0x000000E0 - $EA"
  * "0x00000100 - $Logged_Utility_Stream"
  * "0xFFFFFFFF - end-of-attributes marker"

The resident attribute header (the 8 bytes that follow the 0x10-byte common header) has a one-byte flag at offset 0x16 (22) from the start of the attribute. This is the 'Indexed' flag, and is referenced [here](https://opensource.apple.com/source/ntfs/ntfs-52/kext/ntfs_layout.h) *(line 696)*:

```c
RESIDENT_ATTR_IS_INDEXED = 0x01, /* Attribute is referenced in an index
                                    (has implications for deleting and
                                    modifying the attribute). */
```

which I've seen 'set to 1' only in $File_Name attributes, so I presume it is linked to $I30. Non-resident attributes have no such byte: from offset 0x10 their header carries the starting VCN, last VCN and data-run offset instead, so a parser must check the non-resident flag at offset 0x08 before reading offset 0x16 as 'Indexed'.

According to [Microsoft](https://docs.microsoft.com/en-us/windows/win32/fileio/file-attribute-constants) the FILE record Attribute Flags *(constants)* are:

  Hex|Binary|Description
  ----------|---------------------------------------|------------------
  0x00000001|0000-0000-0000-0000-0000-0000-0000-0001|ReadOnly
  0x00000002|0000-0000-0000-0000-0000-0000-0000-0010|Hidden
  0x00000004|0000-0000-0000-0000-0000-0000-0000-0100|System
  0x00000010|0000-0000-0000-0000-0000-0000-0001-0000|Directory
  0x00000020|0000-0000-0000-0000-0000-0000-0010-0000|Archive
  0x00000040|0000-0000-0000-0000-0000-0000-0100-0000|Device
  0x00000080|0000-0000-0000-0000-0000-0000-1000-0000|Normal
  0x00000100|0000-0000-0000-0000-0000-0001-0000-0000|Temporary
  0x00000200|0000-0000-0000-0000-0000-0010-0000-0000|Sparse_File
  0x00000400|0000-0000-0000-0000-0000-0100-0000-0000|Reparse_Point
  0x00000800|0000-0000-0000-0000-0000-1000-0000-0000|Compressed
  0x00001000|0000-0000-0000-0000-0001-0000-0000-0000|Offline
  0x00002000|0000-0000-0000-0000-0010-0000-0000-0000|Not_Content_Indexed
  0x00004000|0000-0000-0000-0000-0100-0000-0000-0000|Encrypted
  0x00008000|0000-0000-0000-0000-1000-0000-0000-0000|Integrity_Stream
  0x00010000|0000-0000-0000-0001-0000-0000-0000-0000|Virtual
  0x00020000|0000-0000-0000-0010-0000-0000-0000-0000|No_Scrub_Data
  0x00040000|0000-0000-0000-0100-0000-0000-0000-0000|Recall_On_Open (the same value is defined as FILE_ATTRIBUTE_EA in winnt.h; see the $EA note below)
  0x00400000|0000-0000-0100-0000-0000-0000-0000-0000|Recall_On_DataAccess

Note: *There is also an undocumented flag, [0x80000000](https://twitter.com/port139/status/1011932508651282432), which appears in $Standard_Information (usually in the $Txf folder) and which I suspect is related to transaction support ([Windows Internals - Chapter 12, Transaction Support](https://repo.zenk-security.com/Linux%20et%20systemes%20d.exploitations/Windows%20Internals%20Part%202_6th%20Edition.pdf)).*

The $File_Name attribute flags (and therefore the flags in the $I30 index entries of $Index_Root / $Index_Allocation, which carry a copy of the $File_Name value) are the same as in $Standard_Information *(above list)*, but with a couple of exceptions. As noted above, there are two extra flags which 'copy' the respective flags of the record header. When one is set in the header, the same is set in the $File_Name attribute. These flags are:

  Hex|Binary|Description
  ----------|---------------------------------------|------------------
  0x10000000|0001-0000-0000-0000-0000-0000-0000-0000|Directory
  0x20000000|0010-0000-0000-0000-0000-0000-0000-0000|Index_view

and I presume that the 0x00000010 'Directory' bit is not being used in the $File_Name attribute.

  **[Reparse points and extended attributes are mutually exclusive](https://docs.microsoft.com/en-us/windows/win32/fileio/reparse-points?redirectedfrom=MSDN)**, and the 4 bytes at offset 0x3C (60) of the $File_Name attribute's resident content (the value, which starts at the value offset given at attribute offset 0x14, normally 0x18) are a union whose meaning depends on the flags at offset 0x38:
  - When the $File_Name attribute flag "Reparse_Point" (0x00000400) is set to 1, offset 0x3C (60) holds the [Tag](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c8e77b37-3909-4fe6-a4ea-2b9d423b1ee4) value (type of Reparse point) of the $Reparse_Point attribute in the record *(the value should match the first 4 bytes of the $Reparse_Point attribute's resident content)*.

     *("[Reparse point tag](https://docs.microsoft.com/en-us/windows/win32/fileio/reparse-points): A unique identifier for a file system filter driver stored within a file's optional reparse point data that indicates the file system filter driver that performs additional filter-defined processing on a file during I/O operations.")*

  - When the $File_Name attribute flag "Reparse_Point" (0x400) is set to 0, flag 0x00040000 ("Recall_On_Open" in the table above, i.e. FILE_ATTRIBUTE_EA) is set to 1, and there is no $Reparse_Point attribute in the record but there is an $EA present, offset 0x3C (60) holds the packed size of the buffer needed for the $EA attribute (a 16-bit value followed by 2 reserved bytes, so reading all 4 bytes gives the same number).

### $Index_Root attribute:
The index entry flags (2 bytes at offset 0x0C of each entry, basically undocumented) are:
```
             "00" = Leaf entry (no child node)
             "01" = Entry has a child node in $Index_Allocation (its VCN is stored in the last 8 bytes of the entry)
             "02" = Last entry of this node (carries no $File_Name key)
             "03" = Last entry, with a child node in $Index_Allocation
```
Filename index entry fields (the key at 0x10 is a copy of the file's $File_Name attribute value):
```
       0x00 	6 	MFT record number of the file
       0x06 	2 	MFT record sequence number of the file
       0x08 	2 	Length of this index entry
       0x0A 	2 	Length of the $File_Name key
       0x0C 	2 	Index entry flags (see above)
       0x10 	6 	Parent directory MFT record number
       0x16 	2 	Parent directory MFT record sequence nr
       0x18 	8 	File creation time
       0x20 	8 	Last modification time
       0x28 	8 	Last modification time of the FILE record
       0x30 	8 	Last access time
       0x38 	8 	Allocated size of file
       0x40 	8 	Real size of file
       0x48 	4 	File flags
       0x4C 	4 	Reparse tag, or packed $EA size (see above)
       0x50 	1 	Length of filename in characters (F)
       0x51 	1 	Filename namespace (0 = POSIX, 1 = Win32, 2 = DOS, 3 = Win32 & DOS)
       0x52 	2F 	Filename (UTF-16LE)
```
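The observations above (record header flags at 0x16, little-endian attribute type codes, the resident 'Indexed' byte, the $File_Name flags with the reparse-tag / EA-size union at 0x3C, and the $Index_Root entry flags) are easiest to check against a real walker. The following is an added example written for this page, not code from MFT_Record_Viewer; it is Python rather than the tool's PowerShell. It applies the update-sequence fixups first (a step the notes above do not mention but which any record parser needs, since the last two bytes of every 512-byte sector hold the USN on disk) and then parses one 1024-byte FILE record. The record it parses is constructed by `build_sample()`: a hypothetical directory, record 41 named "Tools", whose $I30 root holds a symlink (reparse tag 0xA000000C, IO_REPARSE_TAG_SYMLINK), a file with extended attributes (packed $EA size 0x3A) and an end entry pointing at child block VCN 7. All names, record numbers and sizes are made up, and timestamps are left at zero.

```python
"""Added example, not code from MFT_Record_Viewer: walk one NTFS $MFT FILE record (fixups, header
flags, attribute type codes, $FILE_NAME flags, $INDEX_ROOT entries). Input: build_sample(), constructed."""
import struct

ATTR_TYPES = {0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST", 0x30: "$FILE_NAME", 0x40: "$OBJECT_ID",
              0x50: "$SECURITY_DESCRIPTOR", 0x60: "$VOLUME_NAME", 0x70: "$VOLUME_INFORMATION", 0x80: "$DATA",
              0x90: "$INDEX_ROOT", 0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP", 0xC0: "$REPARSE_POINT",
              0xD0: "$EA_INFORMATION", 0xE0: "$EA", 0x100: "$LOGGED_UTILITY_STREAM"}
RECORD_FLAGS = {0x1: "IN_USE", 0x2: "IS_DIRECTORY", 0x4: "IN_EXTEND", 0x8: "IS_VIEW_INDEX"}
FILE_FLAGS = {0x1: "ReadOnly", 0x2: "Hidden", 0x4: "System", 0x20: "Archive", 0x400: "Reparse_Point",
              0x40000: "EA/Recall_On_Open", 0x10000000: "Directory", 0x20000000: "Index_view"}
ENTRY_FLAGS = {0x1: "HAS_SUBNODE", 0x2: "LAST_ENTRY"}

def flag_names(table, value):
    return [name for bit, name in table.items() if value & bit]

def apply_fixups(raw, sector=512):  # put the bytes saved in the update sequence array back in place
    if raw[:4] != b"FILE": raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", raw, 0x04)
    usn, rec = raw[usa_off:usa_off + 2], bytearray(raw)
    for i in range(1, usa_count):
        end = i * sector - 2  # the last 2 bytes of each sector carry the USN on disk
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch at 0x%X (torn write or not a real record)" % end)
        rec[end:end + 2] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_file_name(val):  # $FILE_NAME value: parent ref, times, sizes, flags at 0x38, union at 0x3C, name
    parent, flags, extra = struct.unpack_from("<Q48xII", val, 0)
    fn = {"parent_record": parent & 0xFFFFFFFFFFFF, "flags": flag_names(FILE_FLAGS, flags),
          "namespace": val[0x41], "name": val[0x42:0x42 + 2 * val[0x40]].decode("utf-16-le")}
    if flags & 0x400:
        fn["reparse_tag"] = extra  # should equal the first 4 bytes of the $REPARSE_POINT value
    elif flags & 0x40000:
        fn["packed_ea_size"] = extra & 0xFFFF  # le16 size followed by 2 reserved bytes
    return fn

def parse_index_root(val):  # 0x10-byte root header, 0x10-byte node header, then entries until LAST_ENTRY
    off, entries, eflags = 0x10 + struct.unpack_from("<I", val, 0x10)[0], [], 0
    while not eflags & 0x2:
        ref, elen, klen, eflags = struct.unpack_from("<QHHH", val, off)
        entry = {"record": ref & 0xFFFFFFFFFFFF, "flags": flag_names(ENTRY_FLAGS, eflags)}
        if klen:  # the end entry carries no $FILE_NAME key
            entry["key"] = parse_file_name(val[off + 0x10:off + 0x10 + klen])
        if eflags & 0x1:  # VCN of the child block in $INDEX_ALLOCATION sits in the last 8 bytes
            entry["subnode_vcn"], = struct.unpack_from("<Q", val, off + elen - 8)
        entries.append(entry)
        off += elen
    return entries

def parse_record(raw):
    rec = apply_fixups(raw)
    off, flags = struct.unpack_from("<HH", rec, 0x14)  # first attribute offset, record flags
    out = {"record_flags": flag_names(RECORD_FLAGS, flags), "attributes": []}
    while True:
        atype, alen = struct.unpack_from("<II", rec, off)  # little-endian: $FILE_NAME is 30 00 00 00
        if atype == 0xFFFFFFFF:  # end-of-attributes marker
            return out
        attr = {"type": ATTR_TYPES.get(atype, "0x%X" % atype), "resident": rec[off + 8] == 0}
        if attr["resident"]:
            vlen, voff, indexed = struct.unpack_from("<IHB", rec, off + 0x10)
            attr["indexed"] = bool(indexed & 1)  # RESIDENT_ATTR_IS_INDEXED at attribute offset 0x16
            val = rec[off + voff:off + voff + vlen]
            if atype == 0x10:
                attr["si_flags"] = flag_names(FILE_FLAGS, struct.unpack_from("<I", val, 0x20)[0])
            elif atype == 0x30:
                attr["file_name"] = parse_file_name(val)
            elif atype == 0x90:
                attr["index_entries"] = parse_index_root(val)
        out["attributes"].append(attr)
        off += alen

def _attr(atype, value, indexed=False):  # unnamed resident attribute, 0x18-byte header
    total = (0x18 + len(value) + 7) & ~7
    return struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(value), 0x18,
                       int(indexed), 0) + value.ljust(total - 0x18, b"\0")

def _file_name(parent, flags, extra, name):  # timestamps and sizes zero, Win32 namespace
    return struct.pack("<Q48xIIBB", (1 << 48) | parent, flags, extra, len(name), 1) + name.encode("utf-16-le")

def _index_root(entries):  # entries: (mft_ref, key_bytes, entry_flags, subnode_vcn)
    body = b""
    for ref, key, eflags, vcn in entries:
        tail = struct.pack("<Q", vcn) if eflags & 0x1 else b""
        elen = ((0x10 + len(key) + 7) & ~7) + len(tail)
        body += (struct.pack("<QHHHH", ref, elen, len(key), eflags, 0) + key).ljust(elen - len(tail), b"\0") + tail
    return struct.pack("<IIIB3xIIIB3x", 0x30, 1, 4096, 1, 0x10, 0x10 + len(body), 0x10 + len(body), 1) + body

def build_sample():  # constructed record 41, directory "Tools"; hypothetical, not from a real volume
    root = _index_root([((3 << 48) | 40, _file_name(41, 0x420, 0xA000000C, "link.txt"), 0, 0),
                        ((1 << 48) | 42, _file_name(41, 0x40020, 0x3A, "ea.bin"), 0, 0), (0, b"", 3, 7)])
    body = (_attr(0x10, bytes(0x20) + struct.pack("<I", 0x6) + bytes(0x24))  # $STANDARD_INFORMATION
            + _attr(0x30, _file_name(5, 0x10000000, 0, "Tools"), indexed=True) + _attr(0x90, root)
            + b"\xFF\xFF\xFF\xFF" + bytes(4))  # end-of-attributes marker
    rec = bytearray(struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 0x3, 0x38 + len(body),
                                1024, 0, 4, 0, 41) + bytes(8) + body) + bytes(1024 - 0x38 - len(body))
    rec[0x30:0x32] = b"\x07\x00"  # USN; park each sector's real last 2 bytes in the USA, stamp the USN
    for i, end in enumerate((0x1FE, 0x3FE), 1):
        rec[0x30 + 2 * i:0x32 + 2 * i], rec[end:end + 2] = rec[end:end + 2], rec[0x30:0x32]
    return bytes(rec)
```

`parse_record(build_sample())` returns the record flags as `IN_USE, IS_DIRECTORY`, the $File_Name attribute with its 'Indexed' byte set and the `Directory` (0x10000000) flag, and three $I30 entries: the symlink with its reparse tag, the $EA file with its packed EA size, and the end entry flagged `HAS_SUBNODE, LAST_ENTRY` with child VCN 7. For a real volume, feed it 1024-byte slices of $MFT; a `ValueError` from the USN check means the slice is torn or is not a FILE record at all, which a viewer should report rather than parse silently.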