I am trying to get the MFT Reference number for the $USNJRNL file. I have dumped the information but

Time:09-28

The output from the dump is RawCopy v1.0.0.22

Directory listing for: c:$Extend

Entry number: 1 FileName: $Deleted MFT Ref: 29 MFT Ref SeqNo: 1 Parent MFT Ref: 11 Parent MFT Ref SeqNo: 0 Flags: hidden system File Create Time: 2020-03-27 22:25:39:560:2469 File Modified Time: 2020-03-27 22:25:39:560:2469 MFT Entry modified Time: 2020-03-27 22:25:39:560:2469 File Last Access Time: 2020-03-27 22:25:39:560:2469 Allocated Size: 0 Real Size: 0 NameSpace: POSIX IndexFlags: 0000 SubNodeVCN:

Entry number: 2 FileName: $ObjId MFT Ref: 25 MFT Ref SeqNo: 1 Parent MFT Ref: 11 Parent MFT Ref SeqNo: 0 Flags: hidden system File Create Time: 2020-03-27 22:25:39:560:2469 File Modified Time: 2020-03-27 22:25:39:560:2469 MFT Entry modified Time: 2020-03-27 22:25:39:560:2469 File Last Access Time: 2020-03-27 22:25:39:560:2469 Allocated Size: 0 Real Size: 0 NameSpace: POSIX IndexFlags: 0000 SubNodeVCN:

Entry number: 3 FileName: $Quota MFT Ref: 24 MFT Ref SeqNo: 1 Parent MFT Ref: 11 Parent MFT Ref SeqNo: 0 Flags: hidden system File Create Time: 2020-03-27 22:25:39:560:2469 File Modified Time: 2020-03-27 22:25:39:560:2469 MFT Entry modified Time: 2020-03-27 22:25:39:560:2469 File Last Access Time: 2020-03-27 22:25:39:560:2469 Allocated Size: 0 Real Size: 0 NameSpace: POSIX IndexFlags: 0000 SubNodeVCN:

Entry number: 4 FileName: $Reparse MFT Ref: 26 MFT Ref SeqNo: 1 Parent MFT Ref: 11 Parent MFT Ref SeqNo: 0 Flags: hidden system File Create Time: 2020-03-27 22:25:39:560:2469 File Modified Time: 2020-03-27 22:25:39:560:2469 MFT Entry modified Time: 2020-03-27 22:25:39:560:2469 File Last Access Time: 2020-03-27 22:25:39:560:2469 Allocated Size: 0 Real Size: 0 NameSpace: POSIX IndexFlags: 0000 SubNodeVCN:

Entry number: 5 FileName: $RmMetadata MFT Ref: 27 MFT Ref SeqNo: 1 Parent MFT Ref: 11 Parent MFT Ref SeqNo: 0 Flags: hidden system File Create Time: 2020-03-27 22:25:39:560:2469 File Modified Time: 2020-03-27 22:25:39:560:2469 MFT Entry modified Time: 2020-03-27 22:25:39:560:2469 File Last Access Time: 2020-03-27 22:25:39:560:2469 Allocated Size: 0 Real Size: 0 NameSpace: POSIX IndexFlags: 0000 SubNodeVCN:

Entry number: 6 FileName: $UsnJrnl MFT Ref: 78263 MFT Ref SeqNo: 3 Parent MFT Ref: 11 Parent MFT Ref SeqNo: 0 Flags: hidden system sparse_file File Create Time: 2020-03-27 21:27:31:792:2895 File Modified Time: 2020-03-27 21:27:31:792:2895 MFT Entry modified Time: 2020-03-27 21:27:31:792:2895 File Last Access Time: 2020-03-27 21:27:31:792:2895 Allocated Size: 0 Real Size: 0 NameSpace: POSIX IndexFlags: 0000 SubNodeVCN:

Job took 3.03 seconds

I am trying to put only '78263' into a variable so I can use it in a command. I am using PowerShell and have tried the following code, but I cannot get it to pull the string.

Get-Content 'e:filepath\file.txt' 

I have also tried using Select-String but cannot seem to get that to work either.

Select-String -Path "e:filepath\file.txt" -Pattern 'FileName: $UsnJrnl' -Context 0,1 | Out-File -FilePath 'e:filepath\file2.txt' 

I cannot seem to get that to work either. Any suggestions?

CodePudding user response:

Here's an example using regular expressions on each line.

Since your input is from file rather than the section I hard-coded, you might want to exclude headers/blank lines before parsing.

I tried to keep it flexible so that you can easily get the other properties or values of other files by changing the regex.

For an explanation of the specific regex characters, plug them into a tool like https://regexr.com/

$Raw = @"
Entry number: 1 FileName: `$Deleted MFT Ref: 29 MFT Ref SeqNo: 1 Parent MFT Ref: 11 Parent MFT Ref SeqNo: 0 Flags: hidden system File Create Time: 2020-03-27 22:25:39:560:2469 File Modified Time: 2020-03-27 22:25:39:560:2469 MFT Entry modified Time: 2020-03-27 22:25:39:560:2469 File Last Access Time: 2020-03-27 22:25:39:560:2469 Allocated Size: 0 Real Size: 0 NameSpace: POSIX IndexFlags: 0000 SubNodeVCN:
Entry number: 2 FileName: `$ObjId MFT Ref: 25 MFT Ref SeqNo: 1 Parent MFT Ref: 11 Parent MFT Ref SeqNo: 0 Flags: hidden system File Create Time: 2020-03-27 22:25:39:560:2469 File Modified Time: 2020-03-27 22:25:39:560:2469 MFT Entry modified Time: 2020-03-27 22:25:39:560:2469 File Last Access Time: 2020-03-27 22:25:39:560:2469 Allocated Size: 0 Real Size: 0 NameSpace: POSIX IndexFlags: 0000 SubNodeVCN:
Entry number: 3 FileName: `$Quota MFT Ref: 24 MFT Ref SeqNo: 1 Parent MFT Ref: 11 Parent MFT Ref SeqNo: 0 Flags: hidden system File Create Time: 2020-03-27 22:25:39:560:2469 File Modified Time: 2020-03-27 22:25:39:560:2469 MFT Entry modified Time: 2020-03-27 22:25:39:560:2469 File Last Access Time: 2020-03-27 22:25:39:560:2469 Allocated Size: 0 Real Size: 0 NameSpace: POSIX IndexFlags: 0000 SubNodeVCN:
Entry number: 6 FileName: `$UsnJrnl MFT Ref: 78263 MFT Ref SeqNo: 3 Parent MFT Ref: 11 Parent MFT Ref SeqNo: 0 Flags: hidden system sparse_file File Create Time: 2020-03-27 21:27:31:792:2895 File Modified Time: 2020-03-27 21:27:31:792:2895 MFT Entry modified Time: 2020-03-27 21:27:31:792:2895 File Last Access Time: 2020-03-27 21:27:31:792:2895 Allocated Size: 0 Real Size: 0 NameSpace: POSIX IndexFlags: 0000 SubNodeVCN:
"@ -split "`r?`n" #hardcoded raw data, you would have Get-Content here instead

$ParsedEntries = $Raw.ForEach{
    #(?<MFT>...) names the capture group to avoid using an index
    #$Matches is a special variable holding the results of the last successful -match
    #\s+ between the name and 'MFT Ref:' (rather than a greedy .+) keeps the match from
    #running ahead to 'Parent MFT Ref:' on the same line
    #wrapping -match in an if skips blank/header lines, so a stale $Matches from the
    #previous line never ends up in the object
    if ($_ -match 'FileName: (?<FileName>\S+)\s+MFT Ref: (?<MFT>\d+)') {
        [PSCustomObject]@{
            FileName = $Matches.FileName
            MFT      = $Matches.MFT
        }
    }
}

$ParsedEntries.Where{$_.FileName -eq '$UsnJrnl'}
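As an added example (not part of the answer above), here is the same idea packaged as a pipeline function that reads RawCopy directory-listing lines straight from Get-Content, ignores the header, blank and "Job took" lines, and returns typed objects with the entry number, sequence number and parent, plus the 64-bit NTFS file reference (sequence number in the upper 16 bits, entry number in the lower 48) in case the next tool wants that form. The function name ConvertFrom-RawCopyListing is mine; the sample text is constructed from the question's own output.

```powershell
# Added example: parse RawCopy "Directory listing" output into objects.
# Assumes the field layout shown in the question (FileName, MFT Ref, MFT Ref SeqNo,
# Parent MFT Ref, ...). Function name is hypothetical, not part of RawCopy.
function ConvertFrom-RawCopyListing {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    process {
        # Only entry lines carry fields; headers, blank lines and the trailer are skipped.
        if ($Line -notmatch '^Entry number:') { return }

        # \s+ between the name and 'MFT Ref:' (not a greedy .+) keeps the match from
        # skipping ahead to 'Parent MFT Ref:' further along the same line.
        $pattern = 'FileName:\s+(?<FileName>\S+)\s+MFT Ref:\s+(?<MFT>\d+)\s+' +
                   'MFT Ref SeqNo:\s+(?<Seq>\d+)\s+Parent MFT Ref:\s+(?<Parent>\d+)'
        if ($Line -match $pattern) {
            [PSCustomObject]@{
                FileName      = $Matches.FileName
                MftRef        = [int64]$Matches.MFT
                MftRefSeqNo   = [int]$Matches.Seq
                ParentMftRef  = [int64]$Matches.Parent
                # NTFS file reference: sequence number << 48 | MFT entry number
                FileReference = ([int64]$Matches.Seq -shl 48) -bor [int64]$Matches.MFT
            }
        }
    }
}

# Constructed sample: the header, two entry lines and the trailer from the question.
# Single-quoted here-string, so the $ in the file names needs no escaping.
$sample = @'
Directory listing for: c:\$Extend

Entry number: 1 FileName: $Deleted MFT Ref: 29 MFT Ref SeqNo: 1 Parent MFT Ref: 11 Parent MFT Ref SeqNo: 0 Flags: hidden system File Create Time: 2020-03-27 22:25:39:560:2469 Allocated Size: 0 Real Size: 0 NameSpace: POSIX IndexFlags: 0000 SubNodeVCN:
Entry number: 6 FileName: $UsnJrnl MFT Ref: 78263 MFT Ref SeqNo: 3 Parent MFT Ref: 11 Parent MFT Ref SeqNo: 0 Flags: hidden system sparse_file File Create Time: 2020-03-27 21:27:31:792:2895 Allocated Size: 0 Real Size: 0 NameSpace: POSIX IndexFlags: 0000 SubNodeVCN:

Job took 3.03 seconds
'@ -split "`r?`n"

# With a real dump: Get-Content 'e:\filepath\file.txt' | ConvertFrom-RawCopyListing
$entries = $sample | ConvertFrom-RawCopyListing
$usn     = $entries | Where-Object FileName -eq '$UsnJrnl'
$MFTREF  = $usn.MftRef            # 78263, ready to drop into the next command
$usn | Format-List
```

Because the function filters on the "Entry number:" prefix and only emits an object on a successful match, a line that does not parse is dropped rather than silently reusing the previous line's $Matches.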

CodePudding user response:

With this, I ran three consecutive commands to finish the issue. It took the input above and output the correct sequence on about half a dozen systems, so I am happy. Thank you for your assistance; it definitely steered me in the right direction.

((Get-Content -path "${output_dir}:\Triage$UsnJrnl${system_name}\junk\Log-${system_name}-grep-file2.txt" -Raw) -replace '93-MFT','') | Set-Content -Path "${output_dir}:\Triage$UsnJrnl${system_name}\junk\Log-${system_name}-grep-file2.txt"

((Get-Content -path "${output_dir}:\Triage$UsnJrnl${system_name}\junk\Log-${system_name}-grep-file2.txt" -Raw) -replace 'Ref: ','') | Set-Content -Path "${output_dir}:\Triage$UsnJrnl${system_name}\junk\Log-${system_name}-grep-file2.txt"

((Get-Content -path "${output_dir}:\Triage$UsnJrnl${system_name}\junk\Log-${system_name}-grep-file2.txt" -Raw) -replace ' ','') | Set-Content -Path "${output_dir}:\Triage$UsnJrnl${system_name}\junk\Log-${system_name}-grep-file2.txt"

$MFTREF1 = Get-Content "${output_dir}:\Triage$UsnJrnl${system_name}\junk\Log-${system_name}-grep-file2.txt"
