1

I am trying to extract the contents of the Master File Table (MFT). I have copied the MFT from my NTFS volume and saved it as a .bin file. Now I am trying to read this file using the unpack function provided in Python. I am reading the 8 bits allocated for the actual file size stored in the File Name attribute of a file record like this

d['real_fsize'] = struct.unpack("<d",s[48:56])[0]

The problem I am facing is that the file size I am getting is like 3.5e-323. The MFT saves the file size in bytes but the answer I am getting seems to be absurd. So is there any way I could correct it?

phuclv
user3294786

2 Answers

1

The file name attribute is not accurate to display file size correctly. As I understand it, it's updated when the file is viewed in Windows Explorer because the file name attribute is part of the INDX blocks for folders. So it's easier when you navigate to show what you have in the directory tree than to re-parse the file record to find its size. There are also other sizes in the file name attribute structure that refer to the attribute's name and the actual file name size.

The accurate size of the file is given by the DATA attribute (type 0x80) and a file might have multiple data attributes. The unnamed DATA attributes are the main content of the file.

  • I tried by reading the length of the DATA attribute as given in its Header. However the length being displayed still seems incorrect. For any file (no matter how small) it has a base value of 72, e.g. I had a file of size 3kb and the length being displayed is 72 units, for a file of size 27kb the length is 80kb and for 270kb it's 92 units. ANY EXPLANATION for this? @Sebastian-Laurenţiu-Plesciuc – user3294786 May 19 '15 at 15:43
  • Sorry to resurrect an old post! But if the size of the file is given by the DATA attribute, the data attribute only specifies the cluster count that the file uses. So that will only get the size of the file in multiples of the cluster size surely? How do I get the actual file size of the file, not just the cluster size multiple of the file? Hopefully that makes sense :) – GoldieLocks Feb 25 '19 at 16:05
  • @GoldieLocks It's been at least 4 years since I last touched NTFS, but as far as I can remember there is a field that contains the size of the attribute $DATA value. Just as the field for $FILENAME has a field that says its size. It should tell you how much to shave off the last cluster – Sebastian-Laurenţiu Plesciuc Feb 26 '19 at 11:31
0

You're trying to read an integer (a ULONGLONG) as a double floating-point value, which will give bogus results.

Instead of the d (for double) struct format, use Q (for QWORD):

d['real_fsize'], = struct.unpack("<Q", s[48:56])

and you should see a reasonable value.

nneonneo
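The following is an added example that is not part of either answer or the question's own code. It ties the two answers together on a constructed file record: it shows what the question's `"<d"` read produces on the 8-byte real-size field of `$FILE_NAME` versus the `"<Q"` read from the second answer, and it walks the record's attribute chain to find the unnamed `$DATA` attribute (type 0x80) and read its size the way the first answer suggests. It also makes visible why the lengths quoted in the first comment under answer 1 do not track file size: the 4-byte length field at offset 4 of an attribute header is the size of the whole attribute record (header plus resident value or run list), not the file's content size. The record bytes, the file name `report.txt` and the sizes 3072/4096 are constructed here for illustration; the fixed 56-byte record header is zero-filled apart from the `FILE` signature and the first-attribute offset field, since only the attribute layout matters for the point being made.

```python
import struct

ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF


def build_file_name_value(real_size, alloc_size, name):
    """Constructed $FILE_NAME attribute value (hypothetical file, not from the question's dump)."""
    # Layout: parent ref (8), creation/modified/MFT-modified/accessed FILETIMEs (4*8),
    # allocated size (8) at 40, real size (8) at 48, flags (4), reparse tag (4),
    # name length in characters (1), namespace (1), then the UTF-16LE name.
    return struct.pack("<Q4QQQIIBB", 5, 0, 0, 0, 0,
                       alloc_size, real_size, 0x20, 0, len(name), 3) + name.encode("utf-16-le")


def build_attribute(attr_type, resident_value=None, nonres_sizes=None, runlist=b""):
    """Wrap a value in an attribute record: 16-byte common header + resident or non-resident part."""
    if resident_value is not None:
        # Resident: value length (4) at 16, value offset (2) at 20, indexed flag, padding
        body = struct.pack("<IHBB", len(resident_value), 24, 0, 0) + resident_value
        non_resident = 0
    else:
        # Non-resident: start VCN, last VCN, run-list offset, compression unit, padding,
        # allocated size at 40, real size at 48, initialized size at 56, then the run list
        alloc, real, init = nonres_sizes
        body = struct.pack("<QQHHIQQQ", 0, max(alloc // 4096 - 1, 0), 64, 0, 0,
                           alloc, real, init) + runlist
        non_resident = 1
    length = (16 + len(body) + 7) & ~7  # attribute records are 8-byte aligned
    header = struct.pack("<IIBBHHH", attr_type, length, non_resident, 0, 0, 0, 0)
    return (header + body).ljust(length, b"\0")


def build_sample_record():
    """Constructed MFT-style record: 56-byte header stand-in followed by two attributes."""
    fn_value = build_file_name_value(real_size=3072, alloc_size=4096, name="report.txt")
    attrs = (build_attribute(ATTR_FILE_NAME, resident_value=fn_value)
             + build_attribute(ATTR_DATA, nonres_sizes=(4096, 3072, 3072),
                               runlist=b"\x11\x01\x20\x00")  # one 1-cluster run at LCN 0x20
             + struct.pack("<I", ATTR_END))
    header = bytearray(56)
    header[0:4] = b"FILE"
    struct.pack_into("<H", header, 20, 56)  # offset of the first attribute
    return bytes(header) + attrs


def iter_attributes(record, offset):
    """Yield (type, non_resident, name_length, raw_record) until the 0xFFFFFFFF end marker."""
    while offset + 4 <= len(record):
        attr_type = struct.unpack_from("<I", record, offset)[0]
        if attr_type == ATTR_END:
            return
        length, non_resident, name_len, _name_off = struct.unpack_from("<IBBH", record, offset + 4)
        if length == 0:
            return
        yield attr_type, non_resident, name_len, record[offset:offset + length]
        offset += length


def decode_real_size_wrong(fn_value):
    """The question's read: the 8-byte integer reinterpreted as an IEEE-754 double."""
    return struct.unpack("<d", fn_value[48:56])[0]


def decode_real_size(fn_value):
    """The second answer's read: unsigned 64-bit little-endian integer (ULONGLONG)."""
    return struct.unpack("<Q", fn_value[48:56])[0]


def data_size_from_record(record, first_attr_offset):
    """Real byte size of the unnamed $DATA attribute, i.e. the file content (first answer)."""
    for attr_type, non_resident, name_len, attr in iter_attributes(record, first_attr_offset):
        if attr_type != ATTR_DATA or name_len != 0:
            continue
        if non_resident:
            _allocated, real, _initialized = struct.unpack_from("<QQQ", attr, 40)
            return real
        return struct.unpack_from("<I", attr, 16)[0]  # resident: value length is exact
    return None


def sizes_from_record(record):
    """Collect the size-related readings a parser would take from one record."""
    first_attr = struct.unpack_from("<H", record, 20)[0]
    result = {}
    for attr_type, _nr, name_len, attr in iter_attributes(record, first_attr):
        if attr_type == ATTR_FILE_NAME:
            value_off = struct.unpack_from("<H", attr, 20)[0]
            fn_value = attr[value_off:]
            result["fn_as_double"] = decode_real_size_wrong(fn_value)
            result["fn_real_size"] = decode_real_size(fn_value)
        elif attr_type == ATTR_DATA and name_len == 0:
            result["data_record_length"] = len(attr)  # header + run list, not content size
    result["data_real_size"] = data_size_from_record(record, first_attr)
    return result


if __name__ == "__main__":
    for key, val in sizes_from_record(build_sample_record()).items():
        print(f"{key}: {val}")
```

Running it prints a denormal in the `e-320` range for the `"<d"` read and 3072 for both the `$FILE_NAME` real size and the `$DATA` real size, while the `$DATA` attribute record itself is 72 bytes long (64-byte non-resident header plus a 4-byte run list, rounded to 8), which is a record length, not a file size.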