Hi all,

I was wondering if someone had access to or could offer help on how to read in the Master File Table of a running computer. I know that there are problems that do this (FTK Imager) that creates an image of a current MFT, and I was wondering if anyone could offer help or point me to a place that taught me how to do the same thing?

Thank you!

How good are you at Assembly? If I'm not mistaken, that is the only language that can get you into it. Although, I might be wrong.

I'm not sure, but I think assembly isn't needed here, as MFT is an actual file on the disk, all you have to do is access it and examine it... Not sure where it's located though, if you find out it would be nice if you shared!

Call the api function <DeviceIoControl> with the FSCTL_GET_RETRIEVAL_POINTERS ControlCode to find out, where the MFT is located on the volume ( the MFT can be fragmented ).

Create a volume-handle with the api function <CreateFile>.

Set a pointer to the mft-clusters on the volume. Call the api function <SetFilePointerEx> to do this. You can use the created volume-handle on this function call.

Read the clusters with the api function <ReadFile>.

I did it with C# on Visual Studio 2008 for an application running under Vista and it works.


Hotzenplotz257