Skip to content

Releases: kacos2000/MFT_Browser

MFTBrowser.exe (x64)

08 Nov 18:39
@kacos2000 kacos2000
v.0.0.68.0
116c4d3
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
MFTBrowser.exe (x64)

[Updates]

  • Added Cluster size field when supported (calculated)
    -Added 2nd parsing of Attribute run-lists to assist in manual recovery of Attribute Data
    (this is for recovering the actual\logical data) eg:
    image
  • Other minor fixes & updates

MD5: EEF5D90773190F0AE91EF774DBF47141
SHA256: 31FBAEC90F1ECEE69825DB27E7D99E3C7A9D0BDF731F0058D7EFF9CA0602A47F

Assets 3
Loading

MFTBrowser.exe (x64)

30 Oct 18:15
@kacos2000 kacos2000
v.0.0.67.0
70e8a4e
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
MFTBrowser.exe (x64)

[Updates]

  • Updated/fixed error when Extracting the $MFT from a mounted volume.
    The error was created while creating the MD5 hash of $MFT files larger than 2Gb.
    Now the Hash is created while writing the Data Runs to the exported file (in chunks).

MD5: 049D10E56568D51E50669B23959A6DB1
SHA256: 5763D07DA69847DDD8532856D149EE721CD4D23E210BF4B416BF7CAC259F8A5A

Assets 3
Loading

MFTBrowser.exe (x64)

18 Feb 13:20
@kacos2000 kacos2000
v.0.0.66.0
e308a40
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
MFTBrowser.exe (x64)

[Updates]

  • New (updated) Digital Signature
  • Changes to support PowerShell 7.x (.ps script only)

MD5: 3DF45AB47D6AACA9F903E610F0C21B45
SHA256: BC2CD203EB943AD7ABDDC8158C66D18DA0734FC2F4A32EF0DE65790D94AB278E

Assets 4
Loading

MFTBrowser.exe (x64)

08 Dec 17:03
@kacos2000 kacos2000
v.0.0.63.0
0eab2a9
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
MFTBrowser.exe (x64)

[Updates]

  • Much faster $MFT extraction (writes whole extends instead of each cluster)
  • Added MD5 Hash calculation of the extracted $MFT (shown after the extraction)
  • Added option to stop processing after extracting the $MFT

MD5: 229D01E6794A1367CC05A70EAEB6215C
SHA256: 639F86073957276335E77A82B999CD6964CFEC8A1CB203C766FA20E9708FACD2

Assets 4
Loading

MFTBrowser.exe (x64)

26 Nov 23:48
@kacos2000 kacos2000
v.0.0.62.0
44e4c24
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
MFTBrowser.exe (x64)

[Updates]

  • Corrected the 'Extract $MFT' bug (when the $MFT has negative data runs ) until proven wrong :)
    Corrected the original script by @secabstraction as well .
  • A few other minor fixes

MD5: 597AC7EB75CBC39F5E833C40A0499918
SHA256: 8EF3094BB7ACE1D2E1A71148F1A27E5A0BADA5C955A7A5AA159B7EA50BF65FCA

Contributors

secabstraction
Assets 3
Loading

MFTBrowser.exe (x64)

25 Nov 23:28
@kacos2000 kacos2000
v.0.0.61.0
32fe166
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
MFTBrowser.exe (x64)

[Known-Bug]

  • The source script by @secabstraction I used to extract the $MFT from a live NTFS Volume did not account for an $MFT with negative data-runs .
    New update with a fix will be up soon.

[Updates]

  • Added auto-check GitHub for new version in 'About'
  • Updated a few error-avoidance stuff
  • Code optimizations
  • Excluded the following Alternate Data Streams from being added to the directory tree
    (can cut processing time by quite a lot in large $MFTs):
      'Zone.Identifier',
      '$Corrupt', 
      '$Config', 
      '$I30',
      '$T', 
      '$O', 
      '$Q', 
      'SII', 
      '$SDH', 
      '$SDS', 
      '$SRAT', 
      '$Bad', 
      '$Verify',
      'WofCompressedData',
      '$TX', 
      '$TXF_DATA',
      '$TXF_DAA', 
      '$DSC', 
      '$EFS', 
      'Win32App_1', 
      'dropbox.attrs', 
      'dropbox.attributes',
      'com.dropbox.attrs',
      'com.dropbox.attributes',
      'OECustomProperty', 
      'encryptable'

MD5: F810F6F7177DFBC6BAAD656E956DF382
SHA256: 2266750B0C54296A20553428C995B77296BAD7C8F6C43CCF0480478963D9FEAB

Contributors

secabstraction
Assets 3
Loading

MFTBrowser.exe (x64)

21 Nov 22:25
@kacos2000 kacos2000
v.0.0.60.0
876325c
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
MFTBrowser.exe (x64)

[Updates]

  • Added option to read a RAW image, carve valid FILE records & create a Directory tree
    (Works best if there is/was only one NTFS partition in the image)
    (Works with $MFT files as well)
  • Search by File Id: can now convert Record/Sequence numbers to File record Id
    (or File reference number as fsutil calls it):
  • Improved handling of corrupt records
  • Supports both 1024 and 4096 byte record size (detection on file load)
  • Code optimizations

MD5: 397D604F1AC13F410C9237DFCABE39B7
SHA256: D5305AB6291FB825B181CE22DB42FB06B08161E77873C11A73D2E1AE62D1E0C5

Assets 3
Loading

MFTBrowser.exe (x64)

20 Nov 20:05
@kacos2000 kacos2000
v.0.0.56.0
876325c
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
MFTBrowser.exe (x64) Pre-release
Pre-release

[Updates]

  • search by File Id: can now convert Record/Sequence numbers to File Id
    (or File reference number as fsutil calls it):

    image

MD5: B82750E1531218A75BDF3C87AF4FCC93
SHA256: 78A1B81C400728C252139A73314BEAFC4082E3857305CCB2431E46813DABF114

Assets 3
Loading

MFTBrowser.exe (x64)

20 Nov 00:06
@kacos2000 kacos2000
v.0.0.55.0
876325c
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
MFTBrowser.exe (x64) Pre-release
Pre-release

[Updates]

  • More accurate population of Directory tree
  • Small speed increase
  • Added option to search by File Id (MFT Sequence Nr + Record Nr e.g.: '0005000000000005' for the Root Dir)
  • Further code re-organization, optimizations & bug fixes

MD5: 42D0B460AF6B7B0D1E795FA96EB3F930
SHA256: 928F496061D245BB7FA9DF2F5D777D57A9DCDE9C2A6E244E4C0CBDE103AF997F

Assets 3
Loading

MFTBrowser.exe (x64)

07 Nov 23:22
@kacos2000 kacos2000
v.0.0.51.0
d1b9910
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
MFTBrowser.exe (x64) Pre-release
Pre-release

[Updates]

  • Correction in '[System.Linq.Enumerable]' sorting
  • Minor fixes & speed increase with extension records

PS: populating the directory tree is still under-development

MD5: 4EE781F615F9DB26FAAFE4286AA7DE2C
SHA256: 0D3512F66ACBE222993CC664C563727EC7EF26F0279BE473B8CD10B4A50C0825

Assets 3
Loading