Graphical $MFT viewer

Discussion in 'other software & services' started by EASTER, Jul 25, 2022.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,541
    Location:
    U.S.A. (South)
    Here is one I bet will be a chore in this mostly security forum to drudge up. I combed GitHub thoroughly and came up with only 2 of them. One is from a developer where it's rather new yet still in development stages but seems to work really well on my system. Will keep watch as it goes forward. The other is Eric Zimmerman's tool named exactly as this topic title. The only problem with it is that the older version which claims to support Dot Net 4 just sits and spins, running up almost a GB of intensive memory loading. I did out of curiosity download and run the Dot Net 6 version which in fact, and oddly enough, after a time began to populate the heading, but I also grew weary of the extended wait period. Zimmerman's tool is heavy and exhibits a memory leak, taxing a system, where the other aforementioned gentleman's project loads $MFT nearly instantly. It is however an incomplete work in progress yet works efficiently enough so far.

    And so you know, the $MFT has been extracted beforehand so it's not like it's trying to read a "live system" but a copied image.

    Now for those that don't know, currently I'm on old 8.1 Windows regarding this right now, and on further investigation discovered that if you download Dot Net 6 on Windows 8 and something goes wrong, ANYTHING, there IS NO WAY TO UNINSTALL IT. Windows 7 doesn't share that issue according to Microsoft, but once it's installed in Windows 8.1 it's there to stay whether your rig chokes out or not because of it. How convenient of them.

    So I'm asking the forum members if anyone knows of a reliable $MFT Graphical Viewer (not command line version) even if in early stages or experimental, in open source or freeware.

    Most of what is found is lame ole Python scripts or old fashioned DOS command line options for viewing. It's like they're stuck back in the dark ages or something. So aside from those forensic commercial types, only 1 has a nice clean readable usable GUI on GitHub.
     
    Last edited: Jul 25, 2022
  2. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,308
    and this means exactly what?

    which dotnet 6? runtime, sdk?
    https://dotnet.microsoft.com/en-us/download/dotnet/6.0

    Windows 10 is currently on 4.8 here
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP
    why did I miss v5?

    for your issue - those are real problems when users do not create emergency images.
    is it known why the installation failed on your machine?
    common issue or special?
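    The registry key quoted in this post only records the classic .NET Framework (2.0 through 4.8.x); .NET 5 and 6 are installed separately and never appear under NDP, which is why no "v5" shows up there. The following PowerShell snippet is an added example, not code from the thread or from any tool discussed in it: it reads the NDP key to report the installed Framework builds (the Release-to-version thresholds are Microsoft's published ones, only a few are listed), then asks the dotnet CLI, if present, for the .NET 5+ runtimes. Run it in an elevated or normal PowerShell session on the machine in question; it only reads, nothing is changed.

```powershell
# Added example (not from the thread): inventory .NET Framework builds recorded
# under the NDP registry key, then list .NET 5+/6 runtimes, which live elsewhere.

$ndpRoot = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'

# Older Frameworks (2.0, 3.0, 3.5) expose a plain Version value per subkey.
Get-ChildItem -Path $ndpRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^v[23]\.' } |
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.Version) {
            [pscustomobject]@{ Family = '.NET Framework'; Key = $_.PSChildName; Version = $props.Version }
        }
    }

# 4.x is a single in-place install; the Release DWORD under v4\Full identifies the build.
$fullKey = Join-Path $ndpRoot 'v4\Full'
if (Test-Path $fullKey) {
    $props   = Get-ItemProperty -Path $fullKey
    $release = [int]$props.Release
    # Minimum Release values published by Microsoft for selected 4.x builds.
    $label = switch ($release) {
        { $_ -ge 533320 } { '4.8.1'; break }
        { $_ -ge 528040 } { '4.8';   break }
        { $_ -ge 461808 } { '4.7.2'; break }
        { $_ -ge 394802 } { '4.6.2'; break }
        { $_ -ge 379893 } { '4.5.2'; break }
        default           { "4.x (Release=$release)" }
    }
    [pscustomobject]@{ Family = '.NET Framework'; Key = 'v4\Full'; Version = "$label ($($props.Version))" }
}

# .NET 5/6 (formerly .NET Core) is not tracked under NDP at all. If the dotnet
# host is on PATH, ask it directly; each line is "<name> <version> [<path>]".
$dotnet = Get-Command dotnet -ErrorAction SilentlyContinue
if ($dotnet) {
    & $dotnet.Source --list-runtimes | ForEach-Object {
        $parts = $_ -split ' ', 3
        [pscustomobject]@{ Family = $parts[0]; Key = 'dotnet --list-runtimes'; Version = $parts[1] }
    }
} else {
    Write-Host 'No dotnet host on PATH: no .NET 5+ runtime (or SDK) is installed for this user.'
}
```

    Because the 4.x line is an in-place upgrade, only one Release value ever exists; an uninstall of a 4.8 update rolls that value back rather than removing the key. The .NET 6 runtimes, by contrast, are side-by-side installs and are removed individually through Programs and Features.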
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,541
    Location:
    U.S.A. (South)
    Apparently that rambling is not answering or addressing the core of the topic a diddly bit @Brummelchen

    There is a $MFT Graphical Viewer that uses a GUI somewhere. Of course those big commercial johns like X-Ways and OSForensics prove that. EnCase of course, that one has been around ages. I was simply in a little expectation that a reliable user program of similar nature might be around and someone could suggest giving it a try.

    Never mind about Dot Net - irrelevant at this point - but I am stating a fact unknown until running across a Microsoft agent in the know, relayed on a few websites regarding Windows.
     
    Last edited: Jul 26, 2022
  4. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,308
    what you consider as babbling is my personal view of the things.
    i read about Zimmerman's tool and the long list of warnings and risks.
    i heard about EnCase, i do not know PassMark's, but i know X-Ways, but that's ages ago.

    dotnet 6 is another case, you needed it for Zimmerman. anyhow the need for backups has not ended. each heavy change should have its backup. and in special for dotnet.

    what i found so far (did not mention your research)
    http://www.cihexviewer.com/de/htd_analysis.php
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,541
    Location:
    U.S.A. (South)
    Not too shabby @Brummelchen - A fairly comprehensive hex editor at that - Yeah Zimmerman's one I may try on Windows 10 but I'm not chancing installing Dot Net 6 just for ONE program off GitHub such as it is. Besides, on further tests even the Dot Net 4 version of his craft is a memory intensive bog in the mud.

    Hey BUT check out this other one, the first one found. So far it performs expertly and loads immediately and correctly. It only exhibits a few jumps here and there but hey, the program is sticking its feelers inside the $MFT. No bug, just a work that needs some more attention.
    https://github.com/kacos2000/MFT_Record_Viewer
     
  6. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,308
    thank you, i will try it out.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,541
    Location:
    U.S.A. (South)
    It's really clean coded unlike Zimmerman's wares/apps, many of which overweigh system memory intensively and can grind it to a halt if you don't constantly flush it while it's running. Almost script kiddie stuff. Eventually a user has to terminate it from a good Task Manager alternative like, for one example, Process Hacker.

    He should consider using NirSoft's assembly language to code, or dump Dot Net, which you can be sure won't be considered.

    By contrast, MFT_Record_Viewer is really nicely put together as a single standalone project.
     
    Last edited: Jul 27, 2022