NTFS locate and read $MFT from RAW

Question

I'm currently trying to programmatically parse the MFT of my hard drive from it's raw data in order to enumerate all files with a specific extension (in a really short time).

I'm following that tutorial to guide myself: A Programmers View of Raw Filesystem Data Extraction .

I've successfully opened \\.\PhysicalDrive0 using CreateFileA, and I did locate the first sector of my Windows partition where I found the BPB.

My problem is that I'm unable to properly locate the MFT.

As you can see above (raw data of the first sector of my Windows partition), the logical cluster number of the MFT is equal to 0x56a6.

I then calculated the number of sectors per clusters which is 0x20 (0x20 * 512 = 0x4000 bytes).

So logically the MFT is at offset 0x4000 * 0x56a6 which is equal to 0x15a98000.

And when I seek to that offset and retrieve the first 512 bytes I don't see the expected data which is supposed to start by FILE (I just see some random bytes).

I also tried to seek not from the first sector of the partition but the one of the hard drive and it doesn't work too (I guess that's normal).

I guess that I'm missing something, but I don't know what.

I hope I've been clear enough, if you need more details and informations I'll provide them.

Thanks.

Answer 1

According to the definition of NTFS_BOOT_SECTOR struct in the document, the offset of uchSecPerClust is 3 + 4 + 4 + sizeof(WORD)= 0x0D.(Ignore byte alignment)

Or you can uses DeviceIoControl with the IOCTL_DISK_GET_DRIVE_GEOMETRY control code to fill a DISK_GEOMETRY structure with information about the drive:

https://learn.microsoft.com/en-us/windows/win32/devio/calling-deviceiocontrol

Another useful control code: FSCTL_ENUM_USN_DATA