shell disk=1 volume=3
disk1:volume3:> ls
Inode | Type | Name | Size | Creation Date | Attributes
---------------------------------------------------------------------------------------------
4 | | $AttrDef | 2560 | 2021-02-18 05:45:18 | Hi Sy
8 | | $BadClus | 0 | 2021-02-18 05:45:18 | Hi Sy
| ADS | $Bad | 510905020416 | |
6 | | $Bitmap | 15591584 | 2021-02-18 05:45:18 | Hi Sy
| ADS | $SRAT | 68 | |
7 | | $Boot | 8192 | 2021-02-18 05:45:18 | Hi Sy
11 | DIR | $Extend | | 2021-02-18 05:45:18 | Hi Sy
2 | | $LogFile | 67108864 | 2021-02-18 05:45:18 | Hi Sy
0 | | $MFT | 2073034752 | 2021-02-18 05:45:18 | Hi Sy
1 | | $MFTMirr | 4096 | 2021-02-18 05:45:18 | Hi Sy
4502 | DIR | $Recycle.Bin | | 2019-12-07 10:14:52 | Hi Sy
9 | | $Secure | 0 | 2021-02-18 05:45:18 | Hi Sy
10 | | $UpCase | 131072 | 2021-02-18 05:45:18 | Hi Sy
| ADS | $Info | 32 | |
3 | | $Volume | 0 | 2021-02-18 05:45:18 | Hi Sy
154204 | DIR | $WINDOWS.~BT | | 2021-11-02 22:52:59 |
50617 | DIR | $Windows.~WS | | 2022-02-06 19:18:00 | Hi Ni
156 | DIR | $WinREAgent | | 2023-01-10 22:38:03 | Hi
mft.record disk=1 volume=3
MFT (inode:0) for \\.\PhysicalDrive1 > Volume:3
-----------------------------------------------
Signature : FILE
Update Offset : 48
Update Number : 3
$LogFile LSN : 305819962804
Sequence Number : 1
Hardlink Count : 1
Attribute Offset : 56
Flags : In use
Real Size : 888
Allocated Size : 1024
Base File Record : 0000000000000000h
Next Attribute ID : 13
MFT Record Index : 0
Update Seq Number : 1714
Update Seq Array : 01150000
Attributes:
-----------
+-------------------------------------------------------------------------------------------------------------+
| Id | Type | Non-resident | Length | Overview |
+-------------------------------------------------------------------------------------------------------------+
| 1 | $STANDARD_INFORMATION | False | 72 | File Created Time : 2021-02-18 05:45:18 |
| | Raw address: 0000c0000050h | | | Last File Write Time : 2021-02-18 05:45:18 |
| | | | | FileRecord Changed Time : 2021-02-18 05:45:18 |
| | | | | Last Access Time : 2021-02-18 05:45:18 |
| | | | | Permissions : |
| | | | | read_only : 0 |
| | | | | hidden : 1 |
| | | | | system : 1 |
| | | | | device : 0 |
| | | | | normal : 0 |
| | | | | temporary : 0 |
| | | | | sparse : 0 |
| | | | | reparse_point : 0 |
| | | | | compressed : 0 |
| | | | | offline : 0 |
| | | | | not_indexed : 0 |
| | | | | encrypted : 0 |
| | | | | Max Number of Versions : 0 |
| | | | | Version Number : 0 |
+-------------------------------------------------------------------------------------------------------------+
| 2 | $FILE_NAME | False | 74 | Parent Dir Record Index : 5 |
| | Raw address: 0000c00000b0h | | | Parent Dir Sequence Num : 5 |
| | | | | File Created Time : 2021-02-18 05:45:18 |
| | | | | Last File Write Time : 2021-02-18 05:45:18 |
| | | | | FileRecord Changed Time : 2021-02-18 05:45:18 |
| | | | | Last Access Time : 2021-02-18 05:45:18 |
| | | | | Allocated Size : 1417412608 |
| | | | | Real Size : 1417412608 |
| | | | | ------ |
| | | | | NameType : DOS & WIN32 |
| | | | | Name : $MFT |
+-------------------------------------------------------------------------------------------------------------+
| 3 | $DATA | True | 2073034752 | Size: 2073034752 (1.93 GiB) |
| | Raw address: 0000c0000140h | | | Dataruns: |
| | | | | Length: 0000c820 Offset: 000c0000 |
| | | | | Length: 000053a3 Offset: 00adb375 |
| | | | | Length: 000035fe Offset: 0055d48a |
| | | | | Length: 0000323f Offset: 0103745c |
| | | | | Length: 0000c819 Offset: 01e90c48 |
| | | | | Length: 0000c819 Offset: 06379147 |
| | | | | Length: 000027ce Offset: 05391ba4 |
| | | | | Length: 0000a4d4 Offset: 07122acc |
| | | | | Length: 000063f4 Offset: 04255ee4 |
| | | | | Length: 00000a8e Offset: 06c65c0c |
| | | | | Length: 000001ad Offset: 051b2127 |
| | | | | Length: 0000cbf2 Offset: 07166c3c |
| | | | | Length: 00002d83 Offset: 05db27f9 |
| | | | | Length: 0000406d Offset: 073cd633 |
| | | | | Length: 00000e97 Offset: 041df470 |
| | | | | Length: 00000e89 Offset: 06f2dbb7 |
| | | | | Length: 00000de1 Offset: 03cc3927 |
| | | | | Length: 00000db5 Offset: 00466aaf |
| | | | | Length: 00000dab Offset: 041a0cd9 |
| | | | | Length: 00000f95 Offset: 07315b99 |
| | | | | Length: 00004aa8 Offset: 01250b40 |
| | | | | Length: 00000ab8 Offset: 0550d6b6 |
| | | | | Length: 00000595 Offset: 012cc194 |
| | | | | Length: 000004b4 Offset: 07209d68 |
| | | | | Length: 000004ad Offset: 02fa5c78 |
| | | | | Length: 00000490 Offset: 01c4dde0 |
| | | | | Length: 00001c84 Offset: 02dac5a1 |
| | | | | Length: 00001d1a Offset: 04d84ea5 |
| | | | | Length: 00001264 Offset: 051c21b8 |
| | | | | Length: 0000003d Offset: 016a5e21 |
| | | | | Length: 0000079c Offset: 016a2164 |
| | | | | Length: 00002468 Offset: 0561ec80 |
| | | | | Length: 0000376a Offset: 04e83dd8 |
| | | | | Length: 00002b63 Offset: 05f1e700 |
| | | | | Length: 0000279c Offset: 019bcf80 |
| | | | | Length: 0000279f Offset: 0477d34c |
| | | | | Length: 00002fa3 Offset: 0707668c |
| | | | | Length: 00001551 Offset: 00dcbde8 |
| | | | | |
| | | | | Virtual size: 0 (0.00 byte) |
| | | | | Real size : 2073034752 (1.93 GiB) |
+-------------------------------------------------------------------------------------------------------------+
| 4 | $BITMAP | True | 254944 | Index Node Used : 1752184 |
| | Raw address: 0000c0000290h | | | |
+-------------------------------------------------------------------------------------------------------------+
But last but not least
logfile.dump disk=1 volume=3 output=log.log format=raw
LogFile from \\.\PhysicalDrive1 > Volume:3
------------------------------------------
[+] Opening \\?\Volume{3de295f9-1d5e-4f1d-bbce-fb5e97329559}\
[+] Reading $LogFile record
[+] $LogFile size : 64.00 MiBs
[+] Creating log.log
[!] Unable to find corresponding $DATA attribute
[+] Processing data: 0.00 byte[+] Closing volume
[+] Closing volume
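To show what a `logfile.dump` step has to find before it can read anything, here is an added example (not the reporter's output and not the project's own code): it walks a FILE record's attribute chain for the unnamed `$DATA` attribute, decodes its dataruns into the absolute cluster offsets the `mft.record` dump prints, and returns `None` when the attribute is missing, which is the `[!] Unable to find corresponding $DATA attribute` condition. The header layout (USA at 48 with 3 entries, attributes at 56) and the first two dataruns of `$MFT` are taken from the dump above; the sample record bytes are constructed, and the update-sequence fixup is assumed to have been applied already.

```python
import struct
ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF

def decode_runs(data):
    # Header nibbles give field widths; offsets are signed deltas from the previous
    # run's LCN, which is why the dump above can print absolute cluster offsets.
    runs, pos, lcn = [], 0, 0
    while pos < len(data) and data[pos] != 0:
        len_sz, off_sz = data[pos] & 0x0F, data[pos] >> 4
        length = int.from_bytes(data[pos + 1:pos + 1 + len_sz], "little")
        pos += 1 + len_sz
        if off_sz:                                    # off_sz == 0 marks a sparse run
            lcn += int.from_bytes(data[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
        runs.append((length, lcn if off_sz else None))
    return runs

def find_data_runs(rec):
    # Walk the attribute chain for the unnamed $DATA stream; None is the tool's
    # "[!] Unable to find corresponding $DATA attribute" case. Fixup assumed applied.
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    pos = struct.unpack_from("<H", rec, 0x14)[0]      # first attribute offset
    while pos + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_DATA and rec[pos + 9] == 0:  # name length 0: unnamed stream
            if not rec[pos + 8]:                      # non-resident flag clear: no runs
                return []
            run_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
            return decode_runs(rec[pos + run_off:pos + alen])
        pos += alen
    return None

def build_sample_record(with_data):
    # Constructed 1 KiB FILE record using the dump's header layout (USA at 48 with
    # 3 entries, attributes at 56), optionally carrying the first two $MFT dataruns.
    rec = bytearray(1024)
    struct.pack_into("<4sHHQHHHHII", rec, 0, b"FILE", 48, 3, 0, 1, 1, 56, 1, 0, 1024)
    pos = 56
    if with_data:
        runs = bytes([0x32, 0x20, 0xC8, 0x00, 0x00, 0x0C,             # 0xc820 @ 0x0c0000
                      0x42, 0xA3, 0x53, 0x75, 0xB3, 0xA1, 0x00])      # 0x53a3 @ +0xa1b375
        n = 0xC820 + 0x53A3
        rec[pos:pos + 64] = struct.pack("<IIBBHHHQQHHIQQQ", ATTR_DATA, 80, 1, 0, 64,
                                        0, 3, 0, n - 1, 64, 0, 0, *([n * 4096] * 3))
        rec[pos + 64:pos + 64 + len(runs)] = runs
        pos += 80
    struct.pack_into("<I", rec, pos, ATTR_END)
    return bytes(rec)
```

A record read from disk must have its update-sequence fixup undone first, otherwise the last two bytes of each 512-byte sector still hold the USN and an attribute that straddles a sector boundary will decode wrongly.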