How to get to last NTFS MFT record?

Question

I am writing a utility to parse MFT in NTFS. So far I have written the code to get a 1024 byte MFT record and traverse its attributes. As far as I know that MFT starts allocating records to user files from record number 0x23 so I am looping from 0x23 to N number of records. I want to know that how to get to the last record of MFT? Is there some kind of an end marker? How do I know whether a certain record is last record so that I can stop looping through MFT records.

Any help would be appreciated.

Answer 1

The MFT location isn't always fixed on the volume. You should get the starting MFT offset from the boot sector (sector 0 of the volume, you can find the structure online).

The first file in the MFT is the "$MFT" file which is the file record for the entire MFT itself. You can parse the attributes of this file like any other file and get it's data run list. When you know the size of each fragment in clusters, parse the last cluster for each 1024 byte record of the last fragment (although I believe a fragmented MFT is rare). The last record in the MFT is the last record in that particular cluster marked "FILE0", if you encounter a null magic number that would be 1024 bytes too far.

Or you can just get the file size from it's attributes and calculate the offset to the end of the MFT based on how many fragments it has. Then subtract 1024 from the offset and you should be looking at the last file.

Answer 2

You can get the start and ending MFT boundaries and MFT size of table using this free Windows Sysinternals tool called NTFSInfo v1.0