{"id":16451580,"url":"https://github.com/t9t/gomft","last_synced_at":"2025-03-16T17:36:57.289Z","repository":{"id":57530159,"uuid":"239780293","full_name":"t9t/gomft","owner":"t9t","description":"NTFS Master File Table (MFT) parser for Go.","archived":false,"fork":false,"pushed_at":"2024-08-21T19:04:58.000Z","size":66,"stargazers_count":36,"open_issues_count":4,"forks_count":11,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-08-21T21:28:57.049Z","etag":null,"topics":["go","go-library","golang","golang-library","mft","ntfs"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/t9t.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-02-11T14:21:28.000Z","updated_at":"2024-08-21T19:05:01.000Z","dependencies_parsed_at":"2023-02-14T09:40:24.579Z","dependency_job_id":null,"html_url":"https://github.com/t9t/gomft","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t9t%2Fgomft","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t9t%2Fgomft/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t9t%2Fgomft/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t9t%2Fgomft/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/t9t","download_url":"https://codeload.github.com/t9t/gomft/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":219861741,"owners_count":16555987,"icon_url":
"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","go-library","golang","golang-library","mft","ntfs"],"created_at":"2024-10-11T10:09:18.851Z","updated_at":"2024-10-11T10:09:40.586Z","avatar_url":"https://github.com/t9t.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# gomft [![Build Status](https://travis-ci.com/t9t/gomft.svg?branch=master)](https://travis-ci.com/t9t/gomft) [![GoDoc](https://godoc.org/github.com/t9t/gomft?status.svg)](https://godoc.org/github.com/t9t/gomft)\n\ngomft is Go library to parse the Master File Table (MFT) of NFTS volumes. `mftdump` is a utility to dump the MFT of a\nmounted volume to a file.\n\nExample usage reading MFT records from a file that was previously dumped with a record size of 1KB:\n\n```go\npackage main\n\nimport (\n\t\"errors\"\n\t\"io\"\n\t\"log\"\n\t\"os\"\n\n\t\"github.com/t9t/gomft/mft\"\n)\n\nfunc main() {\n\tf, err := os.Open(os.Args[1])\n\tif err != nil {\n\t\tlog.Fatalln(\"Unable to open file\", err)\n\t}\n\tdefer f.Close()\n\n\trecordSize := 1024\n\tfor {\n\t\tbuf := make([]byte, recordSize)\n\t\t_, err := io.ReadFull(f, buf)\n\t\tif err != nil {\n\t\t\tif errors.Is(err, io.EOF) {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tlog.Fatalln(\"Unable to read record data\", err)\n\t\t}\n\n\t\trecord, err := mft.ParseRecord(buf)\n\t\tif err != nil {\n\t\t\tlog.Fatalln(\"Unable to parse MFT record\", err)\n\t\t}\n\n\t\tlog.Println(\"Read MFT record\", record.FileReference)\n\t}\n}\n```\n\nSee also: https://godoc.org/github.com/t9t/gomft/mft\n\n## Reading from a raw volume\nTo read from a raw volume, you have to be 
root (*nix) or Administrator (Windows). In *nix you can just use the\npartition device file name (e.g. `/dev/sda1`) while in Windows you have to use a UNC path such as `\\\\.\\C:`. All the\nrest is the same as accessing a file (i.e. `os.Open(...)`).\n\nNote that on Windows you can only read data in multiples of the sector size, so if the sector size is 512 bytes (which\nis most common), you can read 512, 1024, 1536, etc. bytes at a time but not 768 for instance. Keep this in mind when\nusing a buffered reader, making sure the buffer size is a multiple of the sector size.\n\n## Reading the boot sector\nTo read the boot sector (also known as VBR, Volume Boot Record, or $Boot file) of a volume you can use the `bootsect`\npackage:\n\n```go\npackage main\n\nimport (\n\t\"io\"\n\t\"log\"\n\t\"os\"\n\n\t\"github.com/t9t/gomft/bootsect\"\n)\n\nfunc main() {\n\tf, err := os.Open(`\\\\.\\C:`)\n\tif err != nil {\n\t\tlog.Fatalln(\"Unable to open C:\", err)\n\t}\n\tdefer f.Close()\n\n\tbuf := make([]byte, 512)\n\t_, err = io.ReadFull(f, buf)\n\tif err != nil {\n\t\tlog.Fatalln(\"Unable to read bootsector data\", err)\n\t}\n\n\tbootSector, err := bootsect.Parse(buf)\n\tif err != nil {\n\t\tlog.Fatalln(\"Unable to parse boot sector\", err)\n\t}\n\n\tlog.Printf(\"Boot sector of C:\\\\:\\n%+v\\n\", bootSector)\n}\n```\n\nSee: https://godoc.org/github.com/t9t/gomft/bootsect\n\n## Additional utilities\n\n### Fragment reader\nUse the `fragment` package to read fragmented data, for example as obtained from DataRuns in MFT records. 
Use\n[`mft.DataRunsToFragments()`](https://godoc.org/github.com/t9t/gomft/mft#DataRunsToFragments) to translate DataRuns\ninto fragments.\n\nSee: https://godoc.org/github.com/t9t/gomft/fragment\n\n### binutil \u0026 BinReader\nThe `binutil` package contains some functions to help work with binary data, primarily `binutil.Duplicate()` to duplicate\na slice of bytes and `BinReader` to interpret binary data according to a certain byte order (little/big endian).\n\nSee: https://godoc.org/github.com/t9t/gomft/binutil\n\n### utf16\nThe `utf16` package contains the `DecodeString` function to decode a byte slice to a string using a certain byte order.\n\nSee: https://godoc.org/github.com/t9t/gomft/utf16\n\n## Disclaimer\nThis package is far from complete and the implementation was scrambled together from various bits of (often conflicting)\ninformation strewn about the internet.\n\n**Use at your own risk!** Accessing your raw volumes could damage your data beyond repair if you are not careful! It's\nprobably best to dump your MFT to a file and experiment with that rather than reading your raw volumes directly.\n\n# mftdump\nThe mftdump utility can be used to dump the MFT of a raw volume to a file. Download it in [the releases section](https://github.com/t9t/gomft/releases).\n\nUsage:\n\n```\nusage: mftdump [flags] \u003cvolume\u003e \u003coutput file\u003e\n\nDump the MFT of a volume to a file. 
The volume should be NTFS formatted.\n\nFlags:\n  -f    force; overwrite the output file if it already exists\n  -p    progress; show progress during dumping\n  -v    verbose; print details about what's going on\n\nFor example: mftdump -v -f /dev/sdb1 ~/sdb1.mft\n```\n\nOn Windows, use it like this: `mftdump.exe -v -f C: D:\\c.mft`\n\n# References\nIn no particular order, these pages and programs have helped me build gomft.\n\n- https://en.wikipedia.org/wiki/NTFS#Master_File_Table\n- http://www.kcall.co.uk/ntfs/index.html\n- https://web.archive.org/web/20210922203602/https://flatcap.org/linux-ntfs/ntfs/index.html\n- https://web.archive.org/web/20200220141834/https://www.cse.scu.edu/~tschwarz/coen252_07Fall/Lectures/NTFS.html\n- https://www.autoitscript.com/forum/topic/94269-mft-access-reading-parsing-the-master-file-table-on-ntfs-filesystems/\n- https://www.andreafortuna.org/2017/07/18/how-to-extract-data-and-timeline-from-master-file-table-on-ntfs-filesystem/\n- http://ftp.kolibrios.org/users/Asper/docs/NTFS/ntfsdoc.html\n- https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table\n- https://flylib.com/books/en/2.48.1/ntfs_concepts.html\n- \"A Journey into NTFS\"\n    - Part 1: https://medium.com/@bromiley/a-journey-into-ntfs-part-1-e2ac6a6367ec\n    - Part 2: https://medium.com/@bromiley/ntfs-series-2b3b91faaf21\n    - Part 3: https://medium.com/@bromiley/a-journey-into-ntfs-part-3-5e197a0cab58\n    - Part 4: https://medium.com/@bromiley/a-journey-into-ntfs-part-4-f2865c39ac83\n    - Part 5: https://medium.com/@bromiley/ntfs-part-5-13e20588af59\n    - Part 6: https://medium.com/@bromiley/ntfs-part-6-43a50fad89f3\n    - Part 7: https://medium.com/@bromiley/ntfs-part-7-an-ntfs-story-caf42565855b\n- https://github.com/dkovar/analyzeMFT\n- https://github.com/jschicht/Mft2Csv\n- 
https://github.com/libyal/libfsntfs/blob/master/documentation/New%20Technologies%20File%20System%20(NTFS).asciidoc\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ft9t%2Fgomft","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ft9t%2Fgomft","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ft9t%2Fgomft/lists"}