Jump to content
Sign in to follow this  
joakim

RawCopy - low level file copying (extraction)

Recommended Posts

joakim

Here is a low level file copy console application. It works by reading directly from the physical disk and interpreting the Master File Table. It is NTFS only supported. Copying files from a volume this way takes, to no surprise, longer than by regular file copying. The advantage is to be able to copy files that otherwise are locked for some reason. That means as long as a given file has its own $MFT record number (index number), and its sectors are not overwritten, then you can extract the file.

For a demo, try to copy the SYSTEM hive from your running system. Normally it is locked.

The download along with the rest of the NTFS utilities can be found here: http://code.google.com/p/mft2csv/downloads/list

More documentation can be found in the wiki section on the same link.

Share this post


Link to post
Share on other sites
money

Who knew accessing the MFT was possible in AutoIt??

Bumping so maybe someone with more experience will find use out of it

Edited by money

Share this post


Link to post
Share on other sites
dany

Well, thanks for bumping. Looks way over my head, but I bet I can get some practical use out of RawCopy.


[center]Spiderskank Spiderskank[/center]GetOpt Parse command line options UDF | AU3Text Program internationalization UDF | Identicon visual hash UDF

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Similar Content

    • rudi
      By rudi
      Hello,
      Propably not an absolute clean approach, (not checking/caring about little / big endian), but it's doing, what I need: Return the last modified time stamp including the milliseconds:
       
      #include <Date.au3> $file = "c:\temp\test.txt" ; file must already exist $TSLastModMs = GetFileLastModWithMs($file) ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $TSLastModMs = ' & $TSLastModMs & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console Func GetFileLastModWithMs($_FullFilePathName) local $h = _WinAPI_CreateFile($_FullFilePathName, 2, 2) local $aTS = _Date_Time_GetFileTime($h) _WinAPI_CloseHandle($h) local $aDate = _Date_Time_FileTimeToArray($aTS[2]) ; [2] = LastModified Return StringFormat("%04d-%02d-%02d %02d:%02d:%02d.%03d", $aDate[2], $aDate[0], $aDate[1], $aDate[3], $aDate[4], $aDate[5], $aDate[6]) EndFunc ;==>GetFileLastModWithMs >Running AU3Check (3.3.14.5) from:C:\Program Files (x86)\AutoIt3 input:C:\temp\filetime.au3 +>12:10:00 AU3Check ended.rc:0 >Running:(3.3.14.5):C:\Program Files (x86)\AutoIt3\autoit3.exe "C:\temp\filetime.au3" --> Press Ctrl+Alt+Break to Restart or Ctrl+Break to Stop @@ Debug(8) : $TSLastModMs = 2018-09-07 10:09:54.073 >Error code: 0 +>12:10:00 AutoIt3.exe ended.rc:0 +>12:10:00 AutoIt3Wrapper Finished. >Exit code: 0 Time: 0.9068 Regards, Rudi.
       
      --- original posting - what was my problem, below ---
       
      doing some search I found postings, stating that 2s will be the smallest time resolution for filegettime(). 2s seem to be fact for FAT as FS, NTFS has a much finer granularity.
       
      This posting states, that NTFS has a granularity of 100ns:
      https://superuser.com/questions/937380/get-creation-time-of-file-in-milliseconds
      is it possible to get more than just the "second" information? The reason, why I need this is, that I need to sort files by their creation sequence, and it can happen, that two files are created within the same second, so I cannot resolve their creation order without "millsecond info".
       
      Regards, Rudi.

       
      edit: I just tried PowerShell, there it's possible to retrieve even more than millisecond information:
       
      Millisecond : 336
      Ticks       : 636719150403363219
      TimeOfDay   : 11:04:00.3363219
       
      PS C:\Users\Rudi> echo test > test.txt PS C:\Users\Rudi> $(Get-ChildItem .\test.txt).creationtime | format-list Date : 07.09.2018 00:00:00 Day : 7 DayOfWeek : Friday DayOfYear : 250 Hour : 11 Kind : Local Millisecond : 336 Minute : 4 Month : 9 Second : 0 Ticks : 636719150403363219 TimeOfDay : 11:04:00.3363219 Year : 2018 DateTime : Freitag, 7. September 2018 11:04:00 regards, Rudi.
×