Open
Description
```
shell disk=1 volume=3
disk1:volume3:> ls

Inode  | Type | Name          | Size         | Creation Date       | Attributes
---------------------------------------------------------------------------------------------
4      |      | $AttrDef      | 2560         | 2021-02-18 05:45:18 | Hi Sy
8      |      | $BadClus      | 0            | 2021-02-18 05:45:18 | Hi Sy
       | ADS  | $Bad          | 510905020416 |                     |
6      |      | $Bitmap       | 15591584     | 2021-02-18 05:45:18 | Hi Sy
       | ADS  | $SRAT         | 68           |                     |
7      |      | $Boot         | 8192         | 2021-02-18 05:45:18 | Hi Sy
11     | DIR  | $Extend       |              | 2021-02-18 05:45:18 | Hi Sy
2      |      | $LogFile      | 67108864     | 2021-02-18 05:45:18 | Hi Sy
0      |      | $MFT          | 2073034752   | 2021-02-18 05:45:18 | Hi Sy
1      |      | $MFTMirr      | 4096         | 2021-02-18 05:45:18 | Hi Sy
4502   | DIR  | $Recycle.Bin  |              | 2019-12-07 10:14:52 | Hi Sy
9      |      | $Secure       | 0            | 2021-02-18 05:45:18 | Hi Sy
10     |      | $UpCase       | 131072       | 2021-02-18 05:45:18 | Hi Sy
       | ADS  | $Info         | 32           |                     |
3      |      | $Volume       | 0            | 2021-02-18 05:45:18 | Hi Sy
154204 | DIR  | $WINDOWS.~BT  |              | 2021-11-02 22:52:59 |
50617  | DIR  | $Windows.~WS  |              | 2022-02-06 19:18:00 | Hi Ni
156    | DIR  | $WinREAgent   |              | 2023-01-10 22:38:03 | Hi
```

```
mft.record disk=1 volume=3

MFT (inode:0) for \\.\PhysicalDrive1 > Volume:3
-----------------------------------------------

Signature         : FILE
Update Offset     : 48
Update Number     : 3
$LogFile LSN      : 305819962804
Sequence Number   : 1
Hardlink Count    : 1
Attribute Offset  : 56
Flags             : In use
Real Size         : 888
Allocated Size    : 1024
Base File Record  : 0000000000000000h
Next Attribute ID : 13
MFT Record Index  : 0
Update Seq Number : 1714
Update Seq Array  : 01150000

Attributes:
-----------

+-------------------------------------------------------------------------------------------------------------+
| Id | Type                        | Non-resident | Length     | Overview                                      |
+-------------------------------------------------------------------------------------------------------------+
| 1  | $STANDARD_INFORMATION       | False        | 72         | File Created Time       : 2021-02-18 05:45:18 |
|    | Raw address: 0000c0000050h  |              |            | Last File Write Time    : 2021-02-18 05:45:18 |
|    |                             |              |            | FileRecord Changed Time : 2021-02-18 05:45:18 |
|    |                             |              |            | Last Access Time        : 2021-02-18 05:45:18 |
|    |                             |              |            | Permissions             :                     |
|    |                             |              |            |   read_only     : 0                           |
|    |                             |              |            |   hidden        : 1                           |
|    |                             |              |            |   system        : 1                           |
|    |                             |              |            |   device        : 0                           |
|    |                             |              |            |   normal        : 0                           |
|    |                             |              |            |   temporary     : 0                           |
|    |                             |              |            |   sparse        : 0                           |
|    |                             |              |            |   reparse_point : 0                           |
|    |                             |              |            |   compressed    : 0                           |
|    |                             |              |            |   offline       : 0                           |
|    |                             |              |            |   not_indexed   : 0                           |
|    |                             |              |            |   encrypted     : 0                           |
|    |                             |              |            | Max Number of Versions  : 0                   |
|    |                             |              |            | Version Number          : 0                   |
+-------------------------------------------------------------------------------------------------------------+
| 2  | $FILE_NAME                  | False        | 74         | Parent Dir Record Index : 5                   |
|    | Raw address: 0000c00000b0h  |              |            | Parent Dir Sequence Num : 5                   |
|    |                             |              |            | File Created Time       : 2021-02-18 05:45:18 |
|    |                             |              |            | Last File Write Time    : 2021-02-18 05:45:18 |
|    |                             |              |            | FileRecord Changed Time : 2021-02-18 05:45:18 |
|    |                             |              |            | Last Access Time        : 2021-02-18 05:45:18 |
|    |                             |              |            | Allocated Size          : 1417412608          |
|    |                             |              |            | Real Size               : 1417412608          |
|    |                             |              |            | ------                                        |
|    |                             |              |            | NameType                : DOS & WIN32         |
|    |                             |              |            | Name                    : $MFT                |
+-------------------------------------------------------------------------------------------------------------+
| 3  | $DATA                       | True         | 2073034752 | Size: 2073034752 (1.93 GiB)                   |
|    | Raw address: 0000c0000140h  |              |            | Dataruns:                                     |
|    |                             |              |            |   Length: 0000c820 Offset: 000c0000           |
|    |                             |              |            |   Length: 000053a3 Offset: 00adb375           |
|    |                             |              |            |   Length: 000035fe Offset: 0055d48a           |
|    |                             |              |            |   Length: 0000323f Offset: 0103745c           |
|    |                             |              |            |   Length: 0000c819 Offset: 01e90c48           |
|    |                             |              |            |   Length: 0000c819 Offset: 06379147           |
|    |                             |              |            |   Length: 000027ce Offset: 05391ba4           |
|    |                             |              |            |   Length: 0000a4d4 Offset: 07122acc           |
|    |                             |              |            |   Length: 000063f4 Offset: 04255ee4           |
|    |                             |              |            |   Length: 00000a8e Offset: 06c65c0c           |
|    |                             |              |            |   Length: 000001ad Offset: 051b2127           |
|    |                             |              |            |   Length: 0000cbf2 Offset: 07166c3c           |
|    |                             |              |            |   Length: 00002d83 Offset: 05db27f9           |
|    |                             |              |            |   Length: 0000406d Offset: 073cd633           |
|    |                             |              |            |   Length: 00000e97 Offset: 041df470           |
|    |                             |              |            |   Length: 00000e89 Offset: 06f2dbb7           |
|    |                             |              |            |   Length: 00000de1 Offset: 03cc3927           |
|    |                             |              |            |   Length: 00000db5 Offset: 00466aaf           |
|    |                             |              |            |   Length: 00000dab Offset: 041a0cd9           |
|    |                             |              |            |   Length: 00000f95 Offset: 07315b99           |
|    |                             |              |            |   Length: 00004aa8 Offset: 01250b40           |
|    |                             |              |            |   Length: 00000ab8 Offset: 0550d6b6           |
|    |                             |              |            |   Length: 00000595 Offset: 012cc194           |
|    |                             |              |            |   Length: 000004b4 Offset: 07209d68           |
|    |                             |              |            |   Length: 000004ad Offset: 02fa5c78           |
|    |                             |              |            |   Length: 00000490 Offset: 01c4dde0           |
|    |                             |              |            |   Length: 00001c84 Offset: 02dac5a1           |
|    |                             |              |            |   Length: 00001d1a Offset: 04d84ea5           |
|    |                             |              |            |   Length: 00001264 Offset: 051c21b8           |
|    |                             |              |            |   Length: 0000003d Offset: 016a5e21           |
|    |                             |              |            |   Length: 0000079c Offset: 016a2164           |
|    |                             |              |            |   Length: 00002468 Offset: 0561ec80           |
|    |                             |              |            |   Length: 0000376a Offset: 04e83dd8           |
|    |                             |              |            |   Length: 00002b63 Offset: 05f1e700           |
|    |                             |              |            |   Length: 0000279c Offset: 019bcf80           |
|    |                             |              |            |   Length: 0000279f Offset: 0477d34c           |
|    |                             |              |            |   Length: 00002fa3 Offset: 0707668c           |
|    |                             |              |            |   Length: 00001551 Offset: 00dcbde8           |
|    |                             |              |            |                                               |
|    |                             |              |            | Virtual size: 0 (0.00 byte)                   |
|    |                             |              |            | Real size   : 2073034752 (1.93 GiB)           |
+-------------------------------------------------------------------------------------------------------------+
| 4  | $BITMAP                     | True         | 254944     | Index Node Used : 1752184                     |
|    | Raw address: 0000c0000290h  |              |            |                                               |
+-------------------------------------------------------------------------------------------------------------+
```

But last but not least

```
logfile.dump disk=1 volume=3 output=log.log format=raw

LogFile from \\.\PhysicalDrive1 > Volume:3
------------------------------------------

[+] Opening \\?\Volume{3de295f9-1d5e-4f1d-bbce-fb5e97329559}\
[+] Reading $LogFile record
[+] $LogFile size : 64.00 MiBs
[+] Creating log.log
[!] Unable to find corresponding $DATA attribute
[+] Processing data: 0.00 byte
[+] Closing volume
[+] Closing volume
```
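A consistency check on the `$MFT` `$DATA` dataruns printed in the report above, added here as an example; it is not part of the report and not code from the tool. It parses the tool's `Length: ... Offset: ...` lines (embedded below as constructed input, copied from the listing), sums the run lengths, and compares the allocated clusters against the attribute's reported real size of 2073034752 bytes. The cluster size of 4096 bytes is an assumption: the tool does not print it, but it is consistent with the `$Bad` ADS size (510905020416 bytes) matching the `$Bitmap` bit count (15591584 bytes × 8). The overlap check is a generic sanity test on any run list, not something the report itself performs.

```python
import re

# Constructed input: the Dataruns rows of attribute 3 ($DATA) of MFT record 0,
# as printed by the mft.record command in the report (one pair per row).
DATARUN_LISTING = """
Length: 0000c820 Offset: 000c0000
Length: 000053a3 Offset: 00adb375
Length: 000035fe Offset: 0055d48a
Length: 0000323f Offset: 0103745c
Length: 0000c819 Offset: 01e90c48
Length: 0000c819 Offset: 06379147
Length: 000027ce Offset: 05391ba4
Length: 0000a4d4 Offset: 07122acc
Length: 000063f4 Offset: 04255ee4
Length: 00000a8e Offset: 06c65c0c
Length: 000001ad Offset: 051b2127
Length: 0000cbf2 Offset: 07166c3c
Length: 00002d83 Offset: 05db27f9
Length: 0000406d Offset: 073cd633
Length: 00000e97 Offset: 041df470
Length: 00000e89 Offset: 06f2dbb7
Length: 00000de1 Offset: 03cc3927
Length: 00000db5 Offset: 00466aaf
Length: 00000dab Offset: 041a0cd9
Length: 00000f95 Offset: 07315b99
Length: 00004aa8 Offset: 01250b40
Length: 00000ab8 Offset: 0550d6b6
Length: 00000595 Offset: 012cc194
Length: 000004b4 Offset: 07209d68
Length: 000004ad Offset: 02fa5c78
Length: 00000490 Offset: 01c4dde0
Length: 00001c84 Offset: 02dac5a1
Length: 00001d1a Offset: 04d84ea5
Length: 00001264 Offset: 051c21b8
Length: 0000003d Offset: 016a5e21
Length: 0000079c Offset: 016a2164
Length: 00002468 Offset: 0561ec80
Length: 0000376a Offset: 04e83dd8
Length: 00002b63 Offset: 05f1e700
Length: 0000279c Offset: 019bcf80
Length: 0000279f Offset: 0477d34c
Length: 00002fa3 Offset: 0707668c
Length: 00001551 Offset: 00dcbde8
"""

# Assumption: cluster size is not printed by the tool; 4096 is consistent with
# $Bad ADS size 510905020416 B == $Bitmap 15591584 B * 8 bits (one bit per cluster).
CLUSTER_SIZE = 4096
# "Real size" of the $DATA attribute as printed in the report.
REPORTED_DATA_SIZE = 2073034752

RUN_RE = re.compile(r"Length:\s*([0-9a-fA-F]+)\s+Offset:\s*([0-9a-fA-F]+)")


def parse_dataruns(listing):
    """Return [(lcn, length_in_clusters), ...] from the tool's text listing.

    The listing prints absolute cluster numbers (the tool has already resolved
    the on-disk relative offsets), so no delta accumulation is needed here."""
    return [(int(off, 16), int(length, 16)) for length, off in RUN_RE.findall(listing)]


def total_clusters(runs):
    """Number of clusters allocated by all runs together."""
    return sum(length for _, length in runs)


def covers_size(runs, size_bytes, cluster_size=CLUSTER_SIZE):
    """True when the runs allocate exactly the clusters needed for size_bytes."""
    needed = -(-size_bytes // cluster_size)  # ceiling division
    return total_clusters(runs) == needed


def overlapping_runs(runs):
    """Pairs of runs whose cluster ranges intersect; empty for a sane file."""
    ordered = sorted(runs)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if a[0] + a[1] > b[0]]


if __name__ == "__main__":
    runs = parse_dataruns(DATARUN_LISTING)
    print(f"{len(runs)} runs, {total_clusters(runs)} clusters, "
          f"{total_clusters(runs) * CLUSTER_SIZE} bytes allocated")
    print("covers reported $DATA size:", covers_size(runs, REPORTED_DATA_SIZE))
    print("overlapping runs:", overlapping_runs(runs))
```

Running it shows the 38 runs allocate 506112 clusters, which at 4096 bytes per cluster is exactly the 2073034752 bytes the tool reports for `$MFT`'s `$DATA`, with no overlapping runs. The same check applied to a record whose `$DATA` cannot be located (as the `logfile.dump` run above reports for `$LogFile`) gives a quick way to tell a truncated or misparsed attribute list from a file that genuinely has no data stream.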