MFT Browser Versions Save

[Updates]

• Updated/fixed error when Extracting the $MFT from a mounted volume.
  The error was created while creating the MD5 hash of $MFT files larger than 2Gb.
  Now the Hash is created while writing the Data Runs to the exported file (in chunks).

MD5: 049D10E56568D51E50669B23959A6DB1 SHA256: 5763D07DA69847DDD8532856D149EE721CD4D23E210BF4B416BF7CAC259F8A5A

[Updates]

• New (updated) Digital Signature
• Changes to support PowerShell 7.x (.ps script only)

MD5: 3DF45AB47D6AACA9F903E610F0C21B45 SHA256: BC2CD203EB943AD7ABDDC8158C66D18DA0734FC2F4A32EF0DE65790D94AB278E

[Updates]

• Much faster $MFT extraction (writes whole extends instead of each cluster)
• Added MD5 Hash calculation of the extracted $MFT (shown after the extraction)
• Added option to stop processing after extracting the $MFT

MD5: 229D01E6794A1367CC05A70EAEB6215C SHA256: 639F86073957276335E77A82B999CD6964CFEC8A1CB203C766FA20E9708FACD2

[Updates]

• Corrected the 'Extract $MFT' bug (when the $MFT has negative data runs ) until proven wrong :)
  Corrected the original script by @secabstraction as well .
• A few other minor fixes

MD5: 597AC7EB75CBC39F5E833C40A0499918 SHA256: 8EF3094BB7ACE1D2E1A71148F1A27E5A0BADA5C955A7A5AA159B7EA50BF65FCA

[Known-Bug]

• The source script by @secabstraction I used to extract the $MFT from a live NTFS Volume did not account for an $MFT with negative data-runs . <Br>New update with a fix will be up soon.

[Updates]

• Added auto-check GitHub for new version in 'About'
• Updated a few error-avoidance stuff
• Code optimizations
• Excluded the following Alternate Data Streams from being added to the directory tree
  (can cut processing time by quite a lot in large $MFTs):

      'Zone.Identifier',
      '$Corrupt', 
      '$Config', 
      '$I30',
      '$T', 
      '$O', 
      '$Q', 
      'SII', 
      '$SDH', 
      '$SDS', 
      '$SRAT', 
      '$Bad', 
      '$Verify',
      'WofCompressedData',
      '$TX', 
      '$TXF_DATA',
      '$TXF_DAA', 
      '$DSC', 
      '$EFS', 
      'Win32App_1', 
      'dropbox.attrs', 
      'dropbox.attributes',
      'com.dropbox.attrs',
      'com.dropbox.attributes',
      'OECustomProperty', 
      'encryptable'

MD5: F810F6F7177DFBC6BAAD656E956DF382 SHA256: 2266750B0C54296A20553428C995B77296BAD7C8F6C43CCF0480478963D9FEAB

[Updates]

• Added option to read a RAW image, carve valid FILE records & create a Directory tree
  (Works best if there is/was only one NTFS partition in the image)
  (Works with $MFT files as well)
• Search by File Id: can now convert Record/Sequence numbers to File record Id
  (or File reference number as fsutil calls it):
• Improved handling of corrupt records
• Supports both 1024 and 4096 byte record size (detection on file load)
• Code optimizations

MD5: 397D604F1AC13F410C9237DFCABE39B7 SHA256: D5305AB6291FB825B181CE22DB42FB06B08161E77873C11A73D2E1AE62D1E0C5

[Updates]

• search by File Id: can now convert Record/Sequence numbers to File Id
  (or File reference number as fsutil calls it):

  

MD5: B82750E1531218A75BDF3C87AF4FCC93 SHA256: 78A1B81C400728C252139A73314BEAFC4082E3857305CCB2431E46813DABF114

[Updates]

• More accurate population of Directory tree
• Small speed increase
• Added option to search by File Id (MFT Sequence Nr + Record Nr e.g.: '0005000000000005' for the Root Dir)
• Further code re-organization, optimizations & bug fixes

MD5: 42D0B460AF6B7B0D1E795FA96EB3F930 SHA256: 928F496061D245BB7FA9DF2F5D777D57A9DCDE9C2A6E244E4C0CBDE103AF997F

[Updates]

• Correction in '[System.Linq.Enumerable]' sorting
• Minor fixes & speed increase with extension records

PS: populating the directory tree is still under-development

MD5: 4EE781F615F9DB26FAAFE4286AA7DE2C SHA256: 0D3512F66ACBE222993CC664C563727EC7EF26F0279BE473B8CD10B4A50C0825

[Updates]

• Further code re-organization, optimizations & bug fixes
• Switched from PowerShell parts to '[System.Linq.Enumerable]'
• Speed is basically only limited by [System.Windows.Forms.TreeView] node find

MD5: B66039927DC581648B11AE7D85E2FCD0 SHA256: 30BB1DF4788D71066A1BA228B7B4286E75B52C39AA73AFE09B47311F17817BBA