$MFT analysis, deprecated switches? #15

@AndrewRathbun

https://thor-manual.nextron-systems.com/en/latest/usage/special-scan-modes.html#mft-analysis

I've been trying to trigger the MFT Module for a long time without success and I'm not sure what I'm doing wrong. To start, I created a directory containing only a $MFT file:

PS C:\Program Files\Thor> dir c:\temp\mft


    Directory: C:\temp\mft


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          9/6/2024   4:30 PM                Thor
-a----          9/6/2024   3:35 PM      819986432 $MFT

I then ran a scan hoping to trigger scanning the offline $MFT file:

.\thor64.exe --lab -p C:\temp\mft --alldrives -e C:\temp\mft\Thor --mft

But it only triggered the FileScan Module. I then tried triggering the MFT Module by specifying it on the command line, per the instructions here:

.\thor64.exe -a MFT -p C:\temp\mft

and it took 0 seconds to scan. Not sure if this is expected behavior or not, but it doesn't appear to be working successfully with offline $MFT files, in my testing.

Lastly, it appears -maxmftsize is an unknown flag when I try to use it:

Use --fullhelp to see the complete help with all options.
Also see the THOR manual at: https://thor-manual.nextron-systems.com/en/latest/usage/scan.html#examples
unknown flag: --maxmftsize
