
Uploaded by carlos-cajigas, 14-Apr-2018

Source: http://slidepdf.com/reader/full/extract-the-mft-with-icat-and-parse-it-with-analyzemft (printed 7/30/2019)

Extract the MFT With icat and Parse it With analyzeMFT in Linux Ubuntu 12.04
Carlos Cajigas MSc, EnCE, CFCE, CDFE, A+

The master file table (MFT) is a database that contains information about all files on an NTFS file system. Among other things, the MFT tracks the times, size, name, and location of every file, including itself. It stores this information in entries, appropriately named MFT entries. Each MFT entry is assigned its own record number.

AnalyzeMFT is a Python tool designed to fully parse the MFT and present the results in a format that allows further analysis with other tools. Extracting the MFT out of an NTFS file system and parsing it with analyzeMFT will provide you with a wealth of information contained in these entries. For each entry in the MFT, a record is written to an output file in CSV format.

AnalyzeMFT comes preinstalled in Linux live DVDs like the SIFT. For the purposes of this article, I used an examination computer with Ubuntu 12.04 installed on it.

The goal: The plan is to extract the MFT from an NTFS file system and then parse it. To extract the MFT we are going to use two sleuthkit tools. Finally, we will parse the MFT with a Python tool.

Installing the tools: The tools that we will need are not included in Ubuntu by default. The tools that we will need to extract the MFT are called mmls and icat. They are part of the set of command line tools from the sleuthkit. The sleuthkit can be downloaded from the Ubuntu Software Center. So let’s head over to the Ubuntu Software Center.


Click on the Dash Home circle, located on the top left of your screen, type in “software” and click on the Ubuntu Software Center icon that will appear.

After the Ubuntu Software Center opens, you will see a search box in the top-right corner of your screen. Type “sleuthkit” and click on the install button. You will be prompted for your root password. Enter your root password and wait for the program to install.

Once the sleuthkit is installed, we also need to install the Tkinter Python module. Tkinter is the standard Python interface to the Tk GUI toolkit. AnalyzeMFT needs this module for its operation. Type “python” in the search box and click on the “more info” tab.


Navigate down to the add-ons area and place a check mark next to the “Tkinter” add-on. Click on “apply changes” to install.

Now that you have the tools that we need, close the Ubuntu Software Center.

The next step is to download analyzeMFT from this link: https://github.com/dkovar/analyzeMFT/downloads. Download the zip file and then extract the files from the zip file.

Now let's prepare a working folder for our files. Go to your desktop, right click on your desktop and select “create new folder”, and name it “Test”.

Go to the location where you downloaded the analyzeMFT tool and locate the file named “analyzeMFT.py”.


Copy the “analyzeMFT.py” file into the Test folder on the desktop. The “analyzeMFT.py” file is in fact a Python script.

Now find an E01 or a DD image of an NTFS file system. Find an image, or make an image of a small drive formatted as NTFS with one file in it. Copy the image into the “Test” folder on the desktop.

The test: For the purposes of the article, I used a previously acquired E01 image of a 256MB thumb drive with one jpg file contained in the volume. I named the E01 image “testimage.E01” and I named the jpg file “TestPicture.JPG”.

Let's get started! Open a Terminal Window. In Ubuntu you can accomplish this by pressing Ctrl-Alt-T at the same time or by going to the Dash Home and typing in “terminal”.


Once the terminal window is open, navigate to the previously created Test folder on the desktop. We will use the cd command to change directory into the Test folder on the desktop. Type the following into the terminal.

cd /home/carlos/Desktop/Test/

Replace “carlos” with the name of the user account you are currently logged on as. After doing so, press enter. You should receive these results.

The prompt now ends in Test followed by a dollar sign, which indicates that “Test” is your current directory, exactly what we wanted. Let’s see if we have the Python script and the E01 image in our current directory. For that we will use the ls command, which lists files. Type “ls -l” and press enter. The flag -l selects the long listing format.

Notice that we are in the Test directory and yes, we do have the Python script and the image in our directory.

Now we need to determine the starting sector of the NTFS volume inside of the E01 image. To do that we will use the sleuthkit tool mmls. Mmls displays the partition layout of a volume system (its partition tables). Mmls supports E01 images natively, so there is no need to convert the E01 to a DD. Type the following into the terminal.

mmls testimage.E01


Replace “testimage.E01” with the name of your image. After doing so, press enter. These are my results.

Notice that the NTFS volume inside of my image starts at sector 2048. We need this information to pass it along to the next command.

It is now time to extract the MFT out of the NTFS volume with icat. Icat is a tool that can output the contents of a file based on its record number. In an NTFS file system the MFT always has record number 0. Extract the MFT with the command below.

icat -o 2048 testimage.E01 0 > mft.raw

Icat is the command to output the contents. The flag -o tells icat that the file system starts at sector 2048, which is the starting sector of my NTFS volume. The volume in this instance is an NTFS file system that icat can automatically recognize. “Testimage.E01” is the image that contains the volume. The number “0” is the record number whose contents we want to output, which in this instance is the MFT. The “>” is a shell character that redirects standard output to a file. In this instance, we use it to redirect icat's output of record number 0 to a file in our current directory, appropriately named mft.raw. The “raw” file extension given to the filename is arbitrary; icat does not care what the output file is called. Press enter, and type your root password (if needed).

If you get your prompt back with no error message, the command completed according to your input, which means that it worked.
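Getting the prompt back only proves that icat did not complain. As an added example that is not part of the original article, the following Python reads the NTFS start sector out of mmls output, builds the same icat command, and sanity-checks the resulting mft.raw; the mmls text is constructed to mirror the tool's table layout, not copied from the author's screenshot.

```python
import re
import struct

# Constructed mmls output shaped like the tool's table (not the author's screenshot).
SAMPLE_MMLS = """DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002047   0000002048   Unallocated
02:  00:00   0000002048   0000499711   0000497664   NTFS (0x07)
"""

# One table row: slot index, slot, start, end, length, description.
ROW = re.compile(r"^\s*\d+:\s+\S+\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")

def ntfs_partitions(mmls_text):
    """(start_sector, length_in_sectors, description) for every NTFS row in mmls output."""
    found = []
    for line in mmls_text.splitlines():
        m = ROW.match(line)
        if m and "NTFS" in m.group(4):
            found.append((int(m.group(1)), int(m.group(3)), m.group(4)))
    return found

def icat_mft_command(image, mmls_text):
    """The icat argv from the article, with -o set to the NTFS volume's start sector."""
    parts = ntfs_partitions(mmls_text)
    if len(parts) != 1:
        raise ValueError(f"expected one NTFS volume, found {len(parts)}; choose the offset by hand")
    return ["icat", "-o", str(parts[0][0]), image, "0"]

def check_mft_dump(data):
    """Sanity-check an extracted mft.raw. Entry 0 must carry the FILE signature and, on
    NTFS 3.1+ volumes, record number 0 at offset 0x2C ($MFT describes itself first); the
    dump should also be a whole number of 1024-byte entries. Returns a list of problems."""
    problems = []
    if data[:4] != b"FILE":
        problems.append("first entry lacks the FILE signature: wrong -o offset or not NTFS")
    elif len(data) >= 0x30 and struct.unpack_from("<I", data, 0x2C)[0] != 0:
        problems.append("first entry is not record 0: offset does not point at the volume start")
    if len(data) % 1024:
        problems.append("size is not a multiple of 1024 bytes: the dump may be truncated")
    return problems
```

After running icat, call check_mft_dump(open("mft.raw", "rb").read()); an empty list means entry 0 looks like $MFT. The record-number field at 0x2C exists on NTFS 3.1 volumes (Windows XP and later), so on older volumes only the signature and size checks apply.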


Let’s see if we have the MFT in our current directory. Type “ls -l” and press enter.

Notice that we are still in the Test directory and yes, we do have the mft.raw file in our directory.

It is now time to parse the MFT with analyzeMFT. Parse the MFT with the command below.

python analyzeMFT.py -f mft.raw -o mftanalyzed.csv

Python is the command to run the “analyzeMFT.py” Python script. The flag -f tells analyzeMFT which file to read from, in this instance the file named mft.raw. The flag -o tells analyzeMFT which file to write to. In this instance we are writing the results to a file named mftanalyzed.csv in our current directory. The “csv” file extension is given so that the file is automatically associated with a spreadsheet program. Press enter, and type your root password (if needed).

If you get your prompt back, that means that it worked.


Now open Nautilus, navigate to the mftanalyzed.csv file inside of the Test folder and open it with LibreOffice Calc. LibreOffice Calc is Ubuntu’s default spreadsheet viewer.

When it opens, you will be asked to select how you want LibreOffice Calc to interpret the fields in your file. The options will be under the Separator Options area. I chose to have the data separated by “Comma”, by adding a checkmark next to it. After doing so I pressed “Ok”.


The file will then open and display the data parsed into mftanalyzed.csv, in order of MFT record. The file offers the following information for each record: Record Number; Good, whether the entry is valid; Active, whether the entry is active; Record type, the type of record; Record Sequence, the sequence number for the record; Parent Folder Record Number; Parent Folder Sequence Number. For the standard information attribute: Creation date, Modification date, Access date, Entry date. For up to four file name records: File name, Creation date, Modification date, Access date, Entry date. Also Object ID, Birth Volume ID, Birth Object ID, Birth Domain ID, and more.

You can also search the spreadsheet for any keyword by pressing “Ctrl” and “f” at the same time. The results will point you to the file's record number.

I conducted a search of the spreadsheet for the keyword “testpicture”. It found one match. That match was the “TestPicture.JPG”. Notice that the “TestPicture.JPG” file is assigned MFT record 64. With this information you can tell icat to extract it or any other file from an NTFS volume.
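The columns above come from each entry's fixed header and its resident $STANDARD_INFORMATION and $FILE_NAME attributes. As an added example that is not analyzeMFT's own code, the following Python parses one 1024-byte entry the way the script does, including the update-sequence fixups that must be undone before the attribute bytes can be trusted; the sample entry is constructed here to resemble the author's record 64 (TestPicture.JPG) and is not taken from the article's image.

```python
import struct
from datetime import datetime, timedelta, timezone

def filetime(ticks):  # Windows FILETIME (100 ns ticks since 1601-01-01 UTC) as ISO-8601
    return (datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)).isoformat()
def apply_fixups(rec):
    # NTFS overwrites the last 2 bytes of each 512-byte sector of an entry with the update
    # sequence number (USN) and keeps the original bytes in the update sequence array (USA).
    rec = bytearray(rec)
    usa_off, usa_len = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_len):
        if rec[i * 512 - 2:i * 512] != usn:
            raise ValueError("fixup mismatch: torn or corrupt MFT entry")
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)
def parse_record(rec):
    # The per-entry columns analyzeMFT reports; None for zeroed or BAAD entries.
    if rec[:4] != b"FILE":
        return None
    rec = apply_fixups(rec)
    seq, _links, off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    row = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "seq": seq, "active": bool(flags & 1),
           "type": "Folder" if flags & 2 else "File", "name": ""}
    while off + 16 <= len(rec):
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break  # end-of-attributes marker
        if not nonres:  # resident attribute: its content is stored inside the entry
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == 0x10:  # $STANDARD_INFORMATION: created, modified, entry modified, accessed
                keys = ("si_created", "si_modified", "si_entry", "si_accessed")
                row.update(zip(keys, map(filetime, struct.unpack_from("<4Q", body))))
            elif atype == 0x30:  # $FILE_NAME: parent ref (48-bit record, 16-bit seq), times, name
                row["parent"] = struct.unpack_from("<Q", body)[0] & 0xFFFFFFFFFFFF
                row["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return row
def build_sample_record():
    # Constructed 1024-byte entry (not from any real image): record 64, in use, parent record 5
    # (the root directory), with $STANDARD_INFORMATION and a $FILE_NAME of TestPicture.JPG.
    t = 129698496000000000  # FILETIME for 2012-01-01T00:00:00 UTC
    def attr(atype, content):  # resident attribute: 24-byte header followed by its content
        return struct.pack("<IIBBHHHIHBB", atype, 24 + len(content), 0, 0, 0, 0, 0, len(content), 24, 0, 0) + content
    name = "TestPicture.JPG".encode("utf-16-le")
    si = struct.pack("<4Q4I", t, t + 10 ** 7, t, t, 0x20, 0, 0, 0)
    fn = struct.pack("<Q4QQQIIBB", 5 | (5 << 48), t, t, t, t, 0, 0, 0x20, 0, len(name) // 2, 1) + name
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 5, 1, 0x38, 1, 252, 1024, 0, 3, 0, 64)
    rec = (hdr + struct.pack("<4H", 7, 0, 0, 0) + attr(0x10, si) + attr(0x30, fn) + b"\xff" * 4).ljust(510, b"\0")
    return (rec + b"\x07\x00").ljust(1022, b"\0") + b"\x07\x00"  # the USN (7) sits in both sector tails
```

To walk a real dump, call parse_record on each 1024-byte slice of mft.raw; entries that return None are zeroed or BAAD records, and a ValueError marks an entry whose sector tails disagree with its USN.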

And there you have it!

Conclusion:

Icat was able to extract record number 0, the MFT, and then we parsed it with the Python script analyzeMFT. These are powerful tools that can give you an edge when you need it most.

If this procedure worked for your case, and you are able to use it in the course of your investigation, we would like to hear from you. Please post your comments or email the author of this article at [email protected]