7/30/2019 Extract the MFT With icat and Parse it With analyzeMFT
http://slidepdf.com/reader/full/extract-the-mft-with-icat-and-parse-it-with-analyzemft 1/9
Extract the MFT With icat and Parse it With analyzeMFT in Linux Ubuntu 12.04
Carlos Cajigas MSc, EnCE, CFCE, CDFE, A+
The master file table (MFT) is a database that contains information about all files
on an NTFS file system. Among other things, the MFT tracks the times, size, name, and
location of every file, including itself. It stores this information in entries, appropriately
named MFT entries. Each MFT entry is assigned its own record number. AnalyzeMFT is a Python tool designed to fully parse the MFT and present the
results in a format that allows further analysis with other tools. Extracting the MFT out
of an NTFS file system and parsing it with analyzeMFT will provide you with the wealth of
information contained in these entries. For each entry in the MFT, a record is written to an output file in CSV format.
AnalyzeMFT comes preinstalled in Linux live DVDs like the SIFT. For the
purposes of this article, I used an examination computer with Ubuntu 12.04 installed on
it.
The goal: The plan is to extract the MFT from an NTFS file system and then parse it. To
extract the MFT we are going to use two sleuthkit tools. Finally, we will parse the MFT
with a Python tool.
Installing the tools: The tools that we will need are not included in Ubuntu by default. The tools that
we will need to extract the MFT are called mmls and icat. They are part of the set of
command line tools from the sleuthkit. The sleuthkit can be downloaded from the Ubuntu Software Center. So let’s head over to the Ubuntu Software Center.
Click on the Dash Home circle, located on the top left of your screen, type in
“software” and click on the Ubuntu Software Center icon that will appear.
After the Ubuntu Software Center opens, you will see a search box on the top-right corner of your screen. Type “sleuthkit” and click on the install button. You will be
prompted for your root password. Enter your root password and wait for the program to
install.
Once the sleuthkit is installed, we also need to install the Tkinter Python module.
Tkinter is the standard Python interface to the Tk GUI toolkit. AnalyzeMFT needs this
module for its operation. Type “python” in the search box and click on the “more info”
tab.
Navigate down to the add-ons area and place a check mark next to the “Tkinter”
add-on. Click on “apply changes” to install.
Now that you have the tools that we need, close the Ubuntu Software Center.
The next step is to download analyzeMFT from this link
https://github.com/dkovar/analyzeMFT/downloads . Download the zip file and then
extract the files from the zip file.
Now let's prepare a working folder for our files. Go to your desktop, right click on
your desktop and select “create new folder”, name it “Test”.
Go to the location where you downloaded the analyzeMFT tool and locate the file
named “analyzeMFT.py”.
Copy the “analyzeMFT.py” file into the Test folder on the desktop. The
“analyzeMFT.py” file is in fact a python script.
Now find an E01 or a DD image of an NTFS file system. Find an image or make
an image of a small drive formatted as NTFS with one file in it. Copy the image into the
“Test” folder on the desktop.
The test: For the purposes of the article, I used a previously acquired E01 image of a
256MB thumb drive with one jpg file contained in the volume. I named the E01 image
“testimage.E01” and I named the jpg file “TestPicture.JPG”.
Let's get started! Open a Terminal Window. In Ubuntu you can accomplish this
by pressing Ctrl-Alt-T at the same time or by going to the Dash Home and typing in
“terminal”.
Once the terminal window is open, navigate to the previously created Test folder
on the desktop. We will use the cd command to change directory into the Test folder.
Type the following into the terminal.
cd /home/carlos/Desktop/Test/
Replace “carlos” with the name of the user account you are currently logged on
as. After doing so, press enter. You should receive these results.
The dollar sign after Test indicates that “Test” is your current directory, exactly
what we wanted. Let’s see if we have the Python script and the E01 image in our current directory. For that we will use the ls command, which stands for list (files).
Type “ls -l” and press enter. The flag -l selects the long listing
format.
Notice that we are in the Test directory and yes, we do have the python script
and the image in our directory.
Now we need to determine the starting sector of the NTFS volume inside of the
E01 image. To do that we will use the sleuthkit tool mmls. Mmls is a tool that can
display the partition layout of a volume system (partition tables). Mmls supports E01
images natively, so there is no need to convert the E01 to a DD. Type the following into
the terminal.
mmls testimage.E01
Replace “testimage.E01” with the name of your image. After doing so, press
enter. These are my results.
Notice that the NTFS volume inside of my image starts at sector 2048. We need
this information to pass it along to the next command.
It is now time to extract the MFT out of the NTFS volume with icat. Icat is a tool
that can output the contents of a file based on its record number. In an NTFS file
system the MFT always has record number 0. Extract the MFT with the below
command.
icat -o 2048 testimage.E01 0 > mft.raw
Icat is the command to output the contents. The flag -o tells icat that the volume
starts at sector 2048, which is the starting sector of my NTFS volume. The volume in this instance is an
NTFS file system that icat can automatically recognize. “Testimage.E01” is the image
that contains the volume. The number “0” is the record number that we want to output
the contents of, which in this instance is the MFT. The “>” is a shell operator that
redirects standard output to a file. In this instance, we use it
to redirect icat's output of record number 0 to a file appropriately named mft.raw in
our current directory. The “raw” file extension given to the filename is arbitrary; icat
does not use it. Press enter, and type your root password (if needed).
If you got your cursor back with no error messages, the command completed
as entered.
Let’s see if we have the MFT in our current directory. Type “ls -l” and press
enter.
Notice that we are still in the Test directory and yes, we do have the mft.raw file
in our directory.
It is now time to parse the MFT with analyzeMFT. Parse the MFT with the below
command.
python analyzeMFT.py -f mft.raw -o mftanalyzed.csv
Python is the command to run the “analyzeMFT.py” python script. The flag -f
tells analyzeMFT to read from file, which in this instance is the file named mft.raw. The
flag -o tells analyzeMFT to write to file. In this instance we are writing the results to a
file named mftanalyzed.csv into our current directory. The “csv” file extension given to
the filename is done so that the file is automatically associated with a spreadsheet
program. Press enter, and type your root password (if needed).
If you got your cursor back then that means that it worked.
Now open Nautilus, navigate to the mftanalyzed.csv file inside of the Test folder
and open it with LibreOffice Calc. LibreOffice Calc is Ubuntu’s default spreadsheet
viewer.
When it opens, you will be asked to select how you want LibreOffice Calc to interpret the fields in your file. The options will be under the Separator Options area. I
chose to have the data separated by “Comma”, by adding a checkmark next to it. After
doing so I pressed “Ok”.
The file will then open and display the parsed MFT data held in the
mftanalyzed.csv file, in order of MFT record. The file offers the following information for
each record: Record Number, Good - if the entry is valid, Active - if the entry
is active, Record type - the type of record, Record Sequence - the sequence number for
the record, Parent Folder Record Number, Parent Folder Sequence Number. For the
standard information attribute: Creation date, Modification date, Access date, Entry
date. For up to four file name records: File name, Creation date, Modification date,
Access date, Entry date, Object ID, Birth Volume ID, Birth Object ID, Birth Domain ID,
and more. You can also search the spreadsheet for any keyword by pressing “Ctrl” and “f”
at the same time. The results will point you to the file's record number.
I conducted a search of the spreadsheet for the keyword “testpicture”. It found
one match. That match was the “TestPicture.JPG”. Notice that the “TestPicture.JPG” file is assigned MFT record 64. With this information you can tell icat to extract it or any
other file from an NTFS volume.
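The offset discovery, extraction, parse and record lookup steps above, combined into one script. This is an added example, not the article's own code or part of the sleuthkit or analyzeMFT; it assumes mmls, icat and analyzeMFT.py are available, that the image holds a single NTFS volume, and the function names and sample mmls output are this example's own.

```shell
#!/bin/sh
# Added example, not the article's code: automates the mmls -> icat -> analyzeMFT
# steps and the final record lookup. Assumes sleuthkit (mmls, icat) is installed,
# analyzeMFT.py sits in the current directory, and the image holds one NTFS volume.

# Print the start sector of the first NTFS partition in mmls output read from stdin.
# mmls prints Slot, Start, End, Length, Description columns; the Start field ($3)
# is zero-padded, so "+ 0" turns "0000002048" into 2048.
ntfs_start_sector() {
    awk '/NTFS/ { print $3 + 0; exit }'
}

# Sanity check on an extracted MFT instead of "the cursor came back": every MFT
# record starts with the ASCII signature "FILE", and records are 1024 bytes
# (4096 on some volumes), so the file must begin with FILE and its size must
# be a non-zero multiple of 1024. Returns non-zero if either test fails.
check_mft_file() {
    sig=$(head -c 4 "$1")
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$sig" = "FILE" ] && [ "$size" -gt 0 ] && [ $((size % 1024)) -eq 0 ]
}

# Extract record 0 (the MFT itself) from the NTFS volume inside image $1 into $2.
extract_mft() {
    start=$(mmls "$1" | ntfs_start_sector)
    [ -n "$start" ] || { echo "no NTFS partition found in $1" >&2; return 1; }
    icat -o "$start" "$1" 0 > "$2" && check_mft_file "$2"
}

# Print the record number of every CSV row matching name $2 (case-insensitive
# awk regex); analyzeMFT writes the record number as the first column.
records_for_name() {
    awk -F, -v pat="$2" 'NR > 1 && tolower($0) ~ tolower(pat) { gsub(/"/, "", $1); print $1 }' "$1"
}

# Constructed mmls output (not a real capture) so the parser can run offline.
SAMPLE_MMLS='      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000524287   0000522240   NTFS / exFAT (0x07)'

if [ "$#" -ge 2 ]; then     # usage: sh mft.sh testimage.E01 TestPicture.JPG
    extract_mft "$1" mft.raw
    python analyzeMFT.py -f mft.raw -o mftanalyzed.csv   # the article's parse step
    records_for_name mftanalyzed.csv "$2"
else
    printf '%s\n' "$SAMPLE_MMLS" | ntfs_start_sector     # prints 2048
fi
```

Run without arguments it only exercises the offset parser on the constructed sample; with an image and a file name it performs the full extraction and reports the matching record number(s).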
And there you have it!
Conclusion:
Icat was able to extract record number 0, the MFT, and then we parsed it with
the Python script analyzeMFT. These are powerful tools that can give you an edge
when you need it most.
If this procedure worked for your case, and you are able to use it in the course of
your investigation, we would like to hear from you. Please post your comments or email
the author of this article at [email protected].