Releases: kacos2000/MFT_Browser
Releases · kacos2000/MFT_Browser
MFTBrowser.exe (x64)
[Update list]
- Corrected $Volume_info Attribute flag decoding - now the flags (hex) are converted to LE first ie 0x8000 is flag 0x0080 ("tunneling cache & Short filenames disabled)
MFTBrowser.exe (x64)
[Update List]
-
Added undocumented 0x80000000 $Standard_Information Attribute flag
-
Updated/corrected $Volume_info Attribute flags as follows:
Hex Binary Description # 0x0000 0000000000000000 Volume is OK # 0x0001 0000000000000001 Is dirty # 0x0002 0000000000000010 Re-size journal ($LogFile) # 0x0004 0000000000000100 Upgrade Volume version underway # 0x0008 0000000000001000 Mounted on Windows NT4 # 0x0010 0000000000010000 Delete USN underway # 0x0020 0000000000100000 Repair Object IDs underway # 0x0040 0000000001000000 Volume is corrupt and caused a bug check # 0x0080 0000000010000000 Tunneling cache, Short filenames disabled # 0x0100 0000000100000000 Full Chkdsk scan underway # 0x0200 0000001000000000 Proactive scan underway # 0x0400 0000010000000000 TxF feature is disabled # 0x0800 0000100000000000 Volume scrub disabled # 0x1000 0001000000000000 $Verify and $Corrupt disabled # 0x2000 0010000000000000 Heat gathering disabled # 0x4000 0100000000000000 Chkdsk underway # 0x8000 1000000000000000 Modified by Chkdsk
MFTBrowser.exe (x64)
[Update List]
- Corrected typo
- Separated fix-up entries
MFTBrowser.exe (x64)
[Update List]
- Added millisecond precision to all timestamps, which are now in formatted as:
'dd/MM/yyyy HH:mm:ss.fffffff' - Corrected a tag (offset of $Upcase:$Info resident content showing Win version used to format drive)
Note: All timestamps are in UTC
MFTBrowser.exe (x64)
[Change Log]
- Hard-Links are processed correctly
- ADS Streams & Extension records are added to Hard-Link targets correctly
Note: This results in many additional tree nodes that need to be added/populated, thus increasing processing time .... :(
MFTBrowser.exe (x64)
[Change Log]
- Updated parent/child matching is now more accurate
- In cases of Records with multiple $File_Name attributes, pointing to different parents (hard-links) , only the first $filename attribute is processed.
- Added stats popup at the end of processing
- Fixed typo resulting in $Volume_Information status flags not being read correctly.
MFTBrowser.exe (x64)
[Change Log]
- Added the $MFT extended records as sub-nodes to their parent file/directory nodes (colored red) in the form of:
[Record: 55, SeqNr: 5] - Added record reference numbers (I called them IDs) in the form of '0005000000000005' to the Properties tree.
- these are comprised by the (Hex): [Sequence number (2 bytes)][MFT record number (6 bytes)]
- these IDs are referenced as 'File reference number' in fsutil
- when clicked, the referenced record is selected in the directory tree
- Applicable to:
- MFT record ID (record header)+($Index_Root attribute entries)
- MFT base record ID (record header)+($Index_Root attribute entries)
- MFT parent ID ($Filename attribute) + ($Attribute_list attribute entries)+($Index_Root attribute entries)
- Added 'Node Properties' right click option to the Directory tree (same as double clicking a node, opens the Properties tree for that record)
- Fixed Directory tree node sorting
- Fixed a few typos
- Clicking on the status bar copies the displayed status text to clipboard
Note: With the addition of extension records, the required time to populate the directory tree has increased.
eg. 500Mb $MFT, opening time from ~30mins --> ~38mins
MFTBrowser.exe (x64)
[Change Log]
- Optimizations resulting in better overall speed
MFTBrowser.exe (x64)
[Change Log]
- Optimizations
- Fixed bug when encountering $Reparse Point Tag Value: 0x9000701A
MFTBrowser.exe (x64)
[Change Log]
- Corrected offset typo ('[0x28] $MFT Record Nr' to '[0x2C] $MFT Record Nr')