For experimental purposes, I used Google Translate to convert this blog post to English. Unfortunately, I do not know whether it was translated into appropriate English expressions.
Please let me know if there is a more appropriate expression.
There are many tools that parse $MFT, but how they handle $ATTRIBUTE_LIST varies from tool to tool.
I would like to check the handling of $ATTRIBUTE_LIST.
Create a test file on the sample VHD disk.
Use the fsutil command to create several hard links. After the following command has run, the attributes no longer fit into a single FILE record.
In the $MFT file, look at the FILE record for the file name 00000001.txt.
You can see that the FILE record contains a $ATTRIBUTE_LIST (0x20) attribute.
In the example below, this attribute is resident.
Viewing the same file in Autopsy gives the following.
The MFT record number of 00000001.txt is 39. You can also see that this file uses record number 40 as well.
(Type 48 (0x30) is the $FILE_NAME attribute.)
Look at record number 40 in the $MFT file.
The "File reference to the base FILE record" field indicates 39 (0x27).
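To make the layout described above concrete, here is an added example that is not part of the original post: it constructs a two-record $MFT fragment in which the base record (39) carries a resident $ATTRIBUTE_LIST and an extension record (40, with its base reference pointing at 39) holds the overflow $FILE_NAME attributes, then parses it both per-record and base-record-aware. The record numbers, the hypothetical link names, the parent directory reference and the update sequence number are assumptions for the demo; the on-disk offsets follow the standard NTFS FILE record, attribute header, $FILE_NAME and $ATTRIBUTE_LIST entry layouts.

```python
import struct

RECORD_SIZE, SECTOR = 1024, 512
ATTR_LIST, FILE_NAME, END = 0x20, 0x30, 0xFFFFFFFF

def resident_attr(atype, body, attr_id):
    """0x18-byte resident attribute header followed by body, padded to an 8-byte boundary."""
    length = (0x18 + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, attr_id, len(body), 0x18, 0, 0)
    return (hdr + body).ljust(length, b"\0")

def attr_file_name(name, attr_id, parent_ref=5):
    """$FILE_NAME: 0x42-byte fixed part (parent ref, 4 timestamps, sizes, flags) + UTF-16LE name."""
    body = struct.pack("<7QIIBB", parent_ref, 0, 0, 0, 0, 0, 0, 0, 0, len(name), 1)
    return resident_attr(FILE_NAME, body + name.encode("utf-16-le"), attr_id)

def attr_list_entry(atype, holder, holder_seq, attr_id):
    """One $ATTRIBUTE_LIST entry: type, length, name len/offset, start VCN, holder record ref, id."""
    ref = holder | (holder_seq << 48)
    return struct.pack("<IHBBQQH", atype, 0x20, 0, 0x1A, 0, ref, attr_id).ljust(0x20, b"\0")

def file_record(recno, seq, attrs, base_ref=0, usn=0x0001):
    """Assemble a FILE record and apply the update sequence (fixup) stamp to each 512-byte sector."""
    payload = b"".join(attrs) + struct.pack("<I", END) + b"\0" * 4
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, seq, 1, 0x38, 1,
                      0x38 + len(payload), RECORD_SIZE, base_ref, len(attrs) + 1, 0, recno)
    rec = bytearray((hdr + struct.pack("<HHH", usn, 0, 0) + b"\0\0" + payload).ljust(RECORD_SIZE, b"\0"))
    for i in range(RECORD_SIZE // SECTOR):
        end = (i + 1) * SECTOR
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end - 2:end]   # save the real last word into the USA
        rec[end - 2:end] = struct.pack("<H", usn)             # stamp the sector end with the USN
    return bytes(rec)

def undo_fixups(rec):
    """Restore the sector-end words from the update sequence array; reject torn records."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(usa_count - 1):
        end = (i + 1) * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch in FILE record")
        rec[end - 2:end] = rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    return bytes(rec)

def iter_attrs(rec):
    """Yield (type, attr_id, resident content) for each attribute of a fixed-up FILE record."""
    off = struct.unpack_from("<H", rec, 0x14)[0]
    while off + 8 <= len(rec):
        atype, length = struct.unpack_from("<II", rec, off)
        if atype == END or length == 0:
            break
        attr_id = struct.unpack_from("<H", rec, off + 0x0E)[0]
        content = b""
        if rec[off + 8] == 0:                                  # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
        yield atype, attr_id, content
        off += length

def attr_list_entries(rec):
    """Decode a resident $ATTRIBUTE_LIST into (type, attr_id, holder record number) tuples."""
    out = []
    for atype, _, content in iter_attrs(rec):
        if atype != ATTR_LIST:
            continue
        off = 0
        while off + 0x1A <= len(content):
            etype, elen = struct.unpack_from("<IH", content, off)
            ref, eid = struct.unpack_from("<QH", content, off + 0x10)
            out.append((etype, eid, ref & 0xFFFFFFFFFFFF))
            off += elen
    return out

def parse_mft(mft, follow_base=True):
    """Map owning record number -> $FILE_NAME names. follow_base=False mimics a tool that
    credits each name to the record it physically sits in, which is how names get lost."""
    names = {}
    for i in range(0, len(mft), RECORD_SIZE):
        rec = undo_fixups(mft[i:i + RECORD_SIZE])
        if rec[:4] != b"FILE":
            continue
        recno = struct.unpack_from("<I", rec, 0x2C)[0]
        base = struct.unpack_from("<Q", rec, 0x20)[0] & 0xFFFFFFFFFFFF  # 0 for a base record
        owner = base if (follow_base and base) else recno
        for atype, _, content in iter_attrs(rec):
            if atype == FILE_NAME:
                n = content[0x40]
                names.setdefault(owner, []).append(content[0x42:0x42 + 2 * n].decode("utf-16-le"))
    return names

def build_sample_mft():
    """Constructed input: 00000001.txt plus six hypothetical hard links, two names in 39, five in 40."""
    in_base = ["00000001.txt", "link1.txt"]
    in_ext = ["link2.txt", "link3.txt", "link4.txt", "link5.txt", "link6.txt"]
    entries = [attr_list_entry(FILE_NAME, 39, 1, i + 1) for i in range(len(in_base))]
    entries += [attr_list_entry(FILE_NAME, 40, 1, i + 1) for i in range(len(in_ext))]
    base = [resident_attr(ATTR_LIST, b"".join(entries), 0)]
    base += [attr_file_name(n, i + 1) for i, n in enumerate(in_base)]
    ext = [attr_file_name(n, i + 1) for i, n in enumerate(in_ext)]
    return file_record(39, 1, base) + file_record(40, 1, ext, base_ref=39 | (1 << 48))

if __name__ == "__main__":
    mft = build_sample_mft()
    print("attribute list:", attr_list_entries(undo_fixups(mft[:RECORD_SIZE])))
    print("per-record view:", parse_mft(mft, follow_base=False))
    print("base-aware view:", parse_mft(mft))
```

Running it shows the same picture as the screenshots: the $ATTRIBUTE_LIST in record 39 lists two $FILE_NAME entries held by 39 and five held by 40, the per-record view credits five names to record 40 (or loses them entirely if a tool skips records whose base reference is non-zero), and the base-aware view returns all seven names under record 39. The fixup check is included because a tool that forgets to undo the update sequence array reads two corrupted bytes per sector, which can land inside an attribute header and silently truncate the walk.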
Parsing this $MFT file with the fte tool gives the following.
The $FILE_NAME attributes stored in record number 40 are also displayed.
Parsing the same $MFT file with MFTECmd gives the following.
Both tools display the seven sample files.
However, depending on the tool, not all file names are displayed when parsing the $MFT file, because of $ATTRIBUTE_LIST.
Several tools are affected by $ATTRIBUTE_LIST. One example is the Plaso MFT parser.
I will try parsing $MFT with the MFT parser of plaso-20180630.
Artifact filters are available in plaso-20180630. I'm not familiar with them yet, but they are a very interesting feature.
c:\case\plaso-20180630-amd64>log2timeline.exe --parsers mft --artifact_filters NTFSMFTFiles c:\case\mft.plaso c:\case\Atrribute1.vhd
Use the psort command to output the timeline in l2tcsv format.
File names 2 and 7 are present, but file names 1, 3, 4, 5, and 6 are not.
Sample VHD file.
By the way, I did not know that the fsutil command has a layout option.
"it seems that it doesn't mean anything" pic.twitter.com/Nxg05FXzaL (Costas K, @sv2hui, June 28, 2018)
The layout option seems to be available from Windows 10 version 1803.