I was teaching RAM analysis at the Swedish Police Academy this week, which included a segment on parsing out the MFT. This is an extraordinary capability that opens up a view of the disk to an investigator, which they may not have. Perhaps the RAM was taken but the plug pulled on an encrypted disk or maybe because of covert imaging considerations.
Each MFT entry is 1024 bytes which is taken up by the file name, accessed, modified and created dates and so on. However, if this data plus the file data is less than the 1024 bytes then the raw file data, the hex, is written to the MFT itself rather than out onto the disk somewhere.
The MFT parser is simple to run once you have an instance of Volatility running (see https://code.google.com/p/volatility/)
Python vol.py mftparser –f pathtoRAM >> pathtoaTEXTfile
When you view the rather verbose output from the Volatility MFT parser you stumble across entries that look like Fig 1:-
Here we can see a GIF image named AU_bg_TopMiddle.gif created way back in May 2005. The text output contains 3 columns: the virtual file offset addresses, the raw hex and the ASCII interpretation of the hex.
One of the students said it would be cool if we could ‘carve’ the original file out of the MFT result. Of course you could simply use Foremost, Photorec or a host of other data carvers on the RAM dump itself and the image would be found but it would have no file name, no metadata and be completely unattributable.
So, this seemed like a good idea to try.
I copied the $DATA chunk out of the text file, but being a text file it was completely unfriendly, dragging the other 2 columns with it. See Fig 2.
Next I manually deleted all the addresses, then all the interpreted ASCII to leave myself with the raw data. (Fig 3)
Then I fired up the awesome WINHEX and attempted to import it as ASCII-HEX but it was rather unhappy with the carriage returns and spaces. After about 20 minutes of faffing about I eventually managed to have the raw data sat in the Winhex window and it saved as a tiny, pointless GIF. But it worked!
That evening at the hotel I decided that a Python script was in order and a few hours later I had finished MFT2File.py. You can download it here.
Life is now much easier. Copy the chunk of data out of the MFT from below the $DATA line to the end of the Interpreted ASCII into a text editor like Notepad++ and save it in the same folder as MFT2File.py (to make life easier). Also, make a note of the original file name.
Next, open a command shell, ‘cd’ into the folder with the .py and text files in and run:-
First it will ask for the name of the original file. Make sure you at least get the extension right.
Second, it will ask you for the filename of the text file you made (and path if you didn’t put it in the same folder like I suggested). Fig 3
That’s it. The file will be magically recreated in the same folder as the .py file.
These files are small and some are text anyway like cookies and HTML file etc. However, it is great to see them as the original file and a fun project.
P.S.- Michael Ligh from the Volatility dev team just let me know that Volatility 2.4 will have a dump option to achieve this which is superb!