Extract the MFT With icat and Parse it With analyzeMFT in Linux Ubuntu 12.04

Nov 02, 2012

epyxpete


The master file table (MFT) is a database that contains information about all files on an NTFS file system.  Among other things, the MFT tracks times, size, name, and location of every file including itself.  It stores this information in entries, appropriately named MFT entries.  Each MFT entry gets assigned its own record number.

AnalyzeMFT is a Python tool designed to fully parse the MFT and present the results in a format that allows further analysis with other tools.  Extracting the MFT out of an NTFS file system and parsing it with analyzeMFT gives you access to the wealth of information contained in these entries.  For each entry in the MFT, a record is written to an output file in CSV format.

AnalyzeMFT comes preinstalled on Linux live DVDs such as the SIFT.  For the purposes of this article, I used an examination computer with Ubuntu 12.04 installed on it.

The goal:

The plan is to extract the MFT from an NTFS file system and then parse it.  To extract the MFT we are going to use two sleuthkit tools.  Finally we will parse the MFT with a python tool.

Installing the tools:

The tools that we will need are not included in Ubuntu by default.  The tools we need to extract the MFT are called mmls and icat.  They are part of the set of command line tools from the sleuthkit, which can be downloaded from the Ubuntu Software Center.  So let’s head over to the Ubuntu Software Center.

Click on the Dash Home circle, located on the top left of your screen, type in “software” and click on the Ubuntu Software Center icon that will appear.

After the Ubuntu Software Center opens, you will see a search box on the top-right corner of your screen.  Type “sleuthkit” and click on the install button.  You will be prompted for your root password.  Enter your root password and wait for the program to install.

Once the sleuthkit is installed, we also need to install the Tkinter Python module.  Tkinter is the standard Python interface to the Tk GUI toolkit, and analyzeMFT needs this module for its operation.

Type “python” in the search box and click on the “more info” tab.

Navigate down to the add-ons area and place a check mark next to the “Tkinter” add-on.  Click on “apply changes” to install.

Now that we have the tools we need, close the Ubuntu Software Center.  The next step is to download analyzeMFT from this link: https://github.com/dkovar/analyzeMFT/downloads.  Download the zip file and then extract the files from it.

Now let’s prepare a working folder for our files.  Go to your desktop, right click on your desktop and select “create new folder”, name it “Test”.

Go to the location where you downloaded the analyzeMFT tool and locate the file named “analyzeMFT.py”.

Copy the “analyzeMFT.py” file into the Test folder on the desktop.  The “analyzeMFT.py” file is in fact a python script.

Now find an E01 or a DD image of an NTFS file system.  Find an image or make an image of a small drive formatted as NTFS with one file in it.  Copy the image into the “Test” folder on the desktop.

The test:

For the purposes of the article, I used a previously acquired E01 image of a 256MB thumb drive with one jpg file contained in the volume.  I named the E01 image “testimage.E01” and I named the jpg file “TestPicture.JPG”.

Let’s get started!  Open a Terminal Window.  In Ubuntu you can accomplish this by pressing Ctrl-Alt-T at the same time or by going to the Dash Home and typing in “terminal”.

Once the terminal window is open, navigate to the previously created Test folder on the desktop.  We will use the cd command to change directory into the Test folder.  Type the following into the terminal.

cd /home/carlos/Desktop/Test/

Replace “carlos” with the name of the user account you are currently logged on as.  After doing so, press enter.  You should receive these results.

The dollar sign after Test indicates that “Test” is your current directory, exactly what we wanted.  Let’s see if we have the python script and the E01 image in our current directory.  For that we will use the ls command, which lists files.  Type “ls -l” and press enter.  The flag -l selects the long listing format.

Notice that we are in the Test directory and yes, we do have the python script and the image in our directory.

Now we need to determine the starting sector of the NTFS volume inside of the E01 image.  To do that we will use the sleuthkit tool mmls, which displays the partition layout of a volume system (partition tables).  Mmls supports E01 images natively, so there is no need to convert the E01 to a DD.  Type the following into the terminal.

mmls testimage.E01

Replace “testimage.E01” with the name of your image.  After doing so, press enter.  These are my results.

Notice that the NTFS volume inside of my image starts at sector 2048.  We need this information to pass it along to the next command.

It is now time to extract the MFT out of the NTFS volume with icat.  Icat is a tool that outputs the contents of a file based on its metadata address, which on NTFS is the MFT record number.  In an NTFS file system the MFT itself always occupies record number 0.  Extract the MFT with the command below.

icat -o 2048 testimage.E01 0 > mft.raw

Icat is the command to output the contents.  The flag -o tells icat that the volume starts at sector 2048, which is the starting sector of my NTFS volume.  The volume in this instance is an NTFS file system that icat can automatically recognize.  “testimage.E01” is the image that contains the volume.  The number “0” is the record number whose contents we want to output, which in this instance is the MFT.  The “>” is a shell operator that redirects standard output to a file.  In this instance, we use it to redirect icat’s output of record number 0 to a file in our current directory, appropriately named mft.raw.  The “raw” file extension given to the filename is arbitrary and has no effect on the contents.  Press enter, and type your root password (if needed).

If you got your cursor back with no error messages, the command worked according to your input.

Let’s see if we have the MFT in our current directory.  Type “ls -l” and press enter.

Notice that we are still in the Test directory and yes, we do have the mft.raw file in our directory.

It is now time to parse the MFT with analyzeMFT.  Parse the MFT with the below command.

python analyzeMFT.py -f mft.raw -o mftanalyzed.csv

Python is the command to run the “analyzeMFT.py” python script.  The flag -f tells analyzeMFT which file to read from, in this instance the file named mft.raw.  The flag -o tells analyzeMFT which file to write to.  In this instance we are writing the results to a file named mftanalyzed.csv in our current directory.  The “csv” file extension given to the filename is used so that the file is automatically associated with a spreadsheet program.  Press enter, and type your root password (if needed).

If you got your cursor back then that means that it worked.

Now open Nautilus, navigate to the mftanalyzed.csv file inside of the Test folder and open it with LibreOffice Calc.  LibreOffice Calc is Ubuntu’s default spreadsheet viewer.

When it opens, you will be asked to select how you want LibreOffice Calc to interpret the fields in your file.  The options will be under the Separator Options area.  I chose to have the data separated by “Comma”, by adding a checkmark next to it.  After doing so I pressed “Ok”.

The file will then open and display the data that was parsed from the MFT, in order of MFT record.  The file offers the following information for each record, including: Record Number; Good – whether the entry is valid; Active – whether the entry is active; Record type – the type of record; Record Sequence – the sequence number for the record; Parent Folder Record Number; Parent Folder Sequence Number.  For the standard information attribute: Creation date, Modification date, Access date, Entry date.  For up to four file name records: File name, Creation date, Modification date, Access date, Entry date.  Also Object ID, Birth Volume ID, Birth Object ID, Birth Domain ID, and more.
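To show what analyzeMFT is actually decoding from mft.raw, here is an added Python example (not part of the original article and not analyzeMFT’s own code) that applies the NTFS update-sequence fixups, walks each 1024-byte entry and pulls out the record number, sequence number, in-use flag and the $FILE_NAME attribute (name and parent folder record number), i.e. the columns listed above. The two entries it parses are constructed in the block with build_record, not taken from a real image; the 0x42 update sequence number, the attribute layout and the record number 64 for TestPicture.JPG are assumptions for the sample.

```python
import struct
RECORD_SIZE, SECTOR = 1024, 512   # MFT entry size on practically every NTFS volume

def apply_fixups(rec):
    """Undo update-sequence protection: the last 2 bytes of each sector hold the
    USN and the real bytes sit in the USA; a mismatch means a torn/corrupt record."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn, rec = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_cnt):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch in MFT record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_record(rec):
    """Return the per-entry fields analyzeMFT reports, or None for an unused slot."""
    if rec[:4] != b"FILE":                  # zeros or 'BAAD' = not a good entry
        return None
    rec = apply_fixups(rec)
    seq, _links, off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "seq": seq, "name": None,
            "active": bool(flags & 1), "dir": bool(flags & 2), "parent": None}
    while True:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:  # end-of-attributes marker (or corrupt)
            return info
        if atype == 0x30:                   # $FILE_NAME: parent reference + name
            body = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            info["parent"] = struct.unpack_from("<Q", rec, body)[0] & 0xFFFFFFFFFFFF
            nlen = rec[body + 0x40]
            info["name"] = rec[body + 0x42:body + 0x42 + 2 * nlen].decode("utf-16-le")
        off += alen

def parse_mft(data):                        # one dict per RECORD_SIZE slot, like the CSV rows
    return [parse_record(data[i:i + RECORD_SIZE]) for i in range(0, len(data), RECORD_SIZE)]

def build_record(recno, seq, name, parent, flags=1):
    """Constructed test data (not from a real disk): minimal fixup-protected record."""
    fn = struct.pack("<Q", parent | (5 << 48)) + b"\0" * 56 + bytes([len(name), 3]) + name.encode("utf-16-le")
    alen = (0x18 + len(fn) + 7) & ~7       # attribute lengths are 8-byte aligned
    attr = struct.pack("<IIBBHHHIHBB", 0x30, alen, 0, 0, 0, 0, 0, len(fn), 0x18, 1, 0) + fn
    attr = attr.ljust(alen, b"\0") + struct.pack("<II", 0xFFFFFFFF, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, seq, 1, 0x38, flags,
                      0x38 + len(attr), RECORD_SIZE, 0, 2, 0, recno)
    rec = bytearray((hdr + b"\x42\x00" + b"\0" * 6 + attr).ljust(RECORD_SIZE, b"\0"))
    rec[510:512] = rec[1022:1024] = b"\x42\x00"   # stamp USN 0x0042 at each sector end
    return bytes(rec)

SAMPLE_MFT = build_record(0, 1, "$MFT", 5) + build_record(64, 2, "TestPicture.JPG", 5)
```

Running parse_mft over the bytes of your own mft.raw is a quick check that icat really extracted an MFT (every slot starts with FILE or is empty, and entry 0 names itself $MFT) before you trust the CSV.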

You can also search the spreadsheet for any keyword by pressing “Ctrl” and “f” at the same time.  The results will point you to the file’s record number.

I conducted a search of the spreadsheet for the keyword “testpicture”.  It found one match.  That match was the “TestPicture.JPG”.  Notice that the “TestPicture.JPG” file is assigned MFT record 64.  With this information you can tell icat to extract it or any other file from an NTFS volume.

And there you have it!

Conclusion:

Icat was able to extract record number 0, the MFT, and then we parsed it with the Python script analyzeMFT.  These are powerful tools that can give you an edge when you need it most.

If this procedure worked for your case, and you are able to use it in the course of your investigation, we would like to hear from you.  Please post your comments or email the author of this article at carlos@epyxforensics.com.

Post by Pete McGovern
