Safe Penetration Testing Labs · intermediate · ~15 min

Pull the filename out of a mock MFT record

Read a filename out of a simplified, mock NTFS MFT record.

Overview

memcmp the magic, read two u16s, bounds-check off + len <= n, bounded memcpy.

Why it matters

Mock records let you practise the bounds discipline you'll need for the real format.

Lesson

Why this matters

NTFS metadata lives in the Master File Table (MFT). Real MFT records are dense: they have attribute lists, fixup arrays, runlists. Reading a real record means understanding all of that.

For this exercise, we read a simplified mock record so we can focus on the bounds-checking pattern, not the entire NTFS spec.

What the mock record looks like

offset  size  field
0       4     signature "FILE"  (literal)
4       2     name_offset       (u16 LE — where the filename starts)
6       2     name_length       (u16 LE — number of ASCII bytes)
8       ...   (other mock fields, ignored)

The filename is plain ASCII (in real NTFS it's UTF-16LE; we're simplifying).

Your job

Implement int read_mft_name(const uint8_t *rec, size_t n, char *out, size_t cap). Validate the signature, read name_offset and name_length, bounds-check, copy the name, NUL-terminate, and return the number of bytes written.

Return -1 if:

  • Any pointer is NULL or cap == 0
  • n < 8 (header too small)
  • Signature is not exactly 'F','I','L','E'
  • name_offset + name_length > n
  • Name would overflow cap

Common mistakes

  • Reading the signature with strncmp on a non-NUL-terminated buffer. Use memcmp.
  • Adding name_offset + name_length and overflowing a uint16_t.
  • Forgetting to NUL-terminate.
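A complete implementation of the function described above, added here as an editorial example (it is not the lesson's own reference solution). It follows the mock layout from the table, avoids each of the three common mistakes, and assumes the return value counts the name bytes copied, not the terminating NUL. The sample records are constructed for this example and are not real MFT data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read the filename out of a mock MFT record (lesson layout: "FILE" at 0,
 * u16 LE name_offset at 4, u16 LE name_length at 6, name bytes are ASCII).
 * Returns the number of name bytes written to out (NUL not counted), or -1
 * on any validation failure. Nothing is written to out on failure. */
int read_mft_name(const uint8_t *rec, size_t n, char *out, size_t cap)
{
    if (rec == NULL || out == NULL || cap == 0) return -1;
    if (n < 8) return -1;                        /* header too small */

    /* memcmp, not strncmp: rec is a raw buffer with no NUL terminator. */
    if (memcmp(rec, "FILE", 4) != 0) return -1;

    /* Assemble the little-endian u16s byte by byte so the code does not
     * depend on host endianness or alignment. */
    uint16_t name_offset = (uint16_t)(rec[4] | (rec[5] << 8));
    uint16_t name_length = (uint16_t)(rec[6] | (rec[7] << 8));

    /* Widen before adding: a uint16_t sum can wrap (0xFFFF + 2 == 1) and
     * silently pass the bounds check below. */
    size_t off = name_offset;
    size_t len = name_length;
    if (off + len > n) return -1;                /* name must lie inside rec */
    if (len >= cap) return -1;                   /* len bytes plus the NUL must fit */

    memcpy(out, rec + off, len);
    out[len] = '\0';                             /* always NUL-terminate */
    return (int)len;
}

/* Constructed sample records (not real NTFS data). */
static const uint8_t GOOD_REC[] = {
    'F', 'I', 'L', 'E',
    0x0A, 0x00,                 /* name_offset = 10 */
    0x05, 0x00,                 /* name_length = 5  */
    0xAA, 0xBB,                 /* other mock fields, ignored */
    'h', 'e', 'l', 'l', 'o'
};
static const uint8_t BAD_SIG_REC[] = {
    'B', 'A', 'A', 'D', 0x0A, 0x00, 0x01, 0x00, 0x00, 0x00, 'x'
};
static const uint8_t OOB_REC[] = {         /* 10 + 16 > 15: name runs past the record */
    'F', 'I', 'L', 'E', 0x0A, 0x00, 0x10, 0x00, 0xAA, 0xBB, 'h', 'e', 'l', 'l', 'o'
};
static const uint8_t WRAP_REC[] = {        /* 0xFFFF + 2 wraps to 1 in uint16_t */
    'F', 'I', 'L', 'E', 0xFF, 0xFF, 0x02, 0x00, 0x00, 0x00, 'a', 'b'
};

/* Shared output buffer so the cases can be checked from outside main. */
char demo_out[32];

int main(void)
{
    int rc = read_mft_name(GOOD_REC, sizeof GOOD_REC, demo_out, sizeof demo_out);
    printf("good record      -> %d \"%s\"\n", rc, rc >= 0 ? demo_out : "");
    printf("bad signature    -> %d\n", read_mft_name(BAD_SIG_REC, sizeof BAD_SIG_REC, demo_out, sizeof demo_out));
    printf("name out of rec  -> %d\n", read_mft_name(OOB_REC, sizeof OOB_REC, demo_out, sizeof demo_out));
    printf("u16 wrap attempt -> %d\n", read_mft_name(WRAP_REC, sizeof WRAP_REC, demo_out, sizeof demo_out));
    printf("cap too small    -> %d\n", read_mft_name(GOOD_REC, sizeof GOOD_REC, demo_out, 5));
    return 0;
}
```

WRAP_REC is the case the second common mistake is about: added as uint16_t the offset and length sum to 1, which is inside the record, but widened to size_t the sum is 65537 and is rejected. The lesson's spec does not ask you to reject a name_offset below 8 (a name overlapping the header); a stricter parser would add that check as well.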

What this is NOT

  • A real NTFS parser. Use The Sleuth Kit for actual case work.
  • A recovery tool. This module only reads — no writes.

Summary

Magic, two u16s, one bounds check, one copy.
