Recovering MFT records from unallocated space or $Logfile

The $Logfile in NTFS file systems is a transaction journal of changes to the $MFT. You can commonly find file fragments and MFT records in this file. You can also sometimes find MFT records in unallocated space. MFT records are fairly easy to read once you know the structure, but I wanted an easier what to extract them and put them in a report type display. The value of searching and looking for old MFT records is that you can often find MFT records that show the filename of a file that no longer exists and extract the metadata about that file, such as timestamps and what the parent folder was.

To use this EnScript, conduct a keyword search for the MFT record header of 'FILE'. A good keyword is FILE[0\*] marked as GREP and case sensitive. Search the $Logfile, unallocated or any other file you want. Once the search is completed, view the results and select (blue check) the search hits you want to extract into readable text:



Once you have selected certain search hits (or all of them) run the EnScript and look in the console. Valid MFT records will be decoded and written out into the Console for easy reading and you can copy and paste into a report if you wish:



In the future I will add the search function into the script itself so you don't have to manually perform the search, I was just lazy and wrote it to fulfill a quick need. I also have an Enscript that will decode INDX (directory entries) records found in the $logfile (or any other file you wish) which I will publish soon.

Tested in v6.5
Download Here