RawCopy is a file copier for NTFS that uses low-level disk reading and resolves data clusters by parsing the $MFT.
It should be able to copy any file off the volume. Even those locked by the system like the registry hives, or the NTFS system files like $MFT and $LogFile etc. It effectively bypasses all filesystem security.
Source file can be given file path and filename. Or it can be reference by the IndexNumber (MFT reference number/inode).
Output directory must exist.
Also there is an option to also extract all attributes, not just $DATA. This is nice if you want to look at non-resident $Bitmap, $EA, $INDEX_ALLOCATION etc, that may also be fragmented, meaning not many tools will let you extract these.
Here are the available commands:
Example copying C:file.ext to E ut:
RawCopy C:file.ext E utExample copying C:WINDOWSsystem32configSAM to F:reg with all attributes including $DATA
RawCopy C:WINDOWSsystem32configSAM F:reg -AllAttrExample copying IndexNumber 20112 from C: volume to D:bak only $DATA attribute
Like it? Love it? Leave a comment below. Please note that comments requesting support or pointing out listing errors will be deleted. Visit our Support Forums for help or drop an email to mgnews @ majorgeeks.com to report mistakes. Thank you!comments powered by Disqus