MDIR

PURPOSE   OPERATION   OPTIONS   COMMAND LINES   RELATED PROGRAMS


Author: Dan Mares, dmares @ maresware . com
Portions Copyright © 1998-2016 by Dan Mares and Mares and Company, LLC
Phone: 678-427-3275

top

PURPOSE

MDIR is a more useful directory listing program than DIR.

MDIR is designed to give the user the look and feel of the DIR program but with enhanced functionality for forensic work.

MDIR is designed to provide by default more information than DIR. It is designed to allow the user some flexibility in “programming” its operation and output display.

The 32 bit version can also indicate the presence of NTFS Alternate Data Streams (ADS) Which could be a significant issue when dealing with hidden data. ADSs can be researched on the web in many locations, including Microsofts home page.

When using the 16 bit version of MDIR under a DOS boot (even with WIN9X DOS boot) and you are accessing a drive greater than 8 gig, the free space amount is not properly calculated, and in most cases will not be displayed on the screen.


top

OPERATION

The program is designed to be used instead of the standard DOS DIR command.

It operates similar to the DIR command except it gives more information.

Default command line is identicle to DIR except its options take a UNIX style using the minus (-) instead of slash.

C:>mdir   c:\work\*.c    -P
C:>mdir   *.c

Some advantages over the DIR command is: (the DIR options are shown in paranthesis)

The default directory listing provides the following information for all files in the directory (hidden files are included by default): Here is a sample directory listing.

  Filesystem if NTFS
  Volume NTFS_4G
  Volume Serial No. 68B6-61DC
  Directory of C:\WORK

.                       <DIR>  12/01/1998 11:36w EST ....DE 
..                      <DIR>  12/01/1998 11:36w EST ....D. 
600MEG                  <DIR>  11/13/1998 17:12w EST ....D. 
C2_PROJS                <DIR>  11/13/1998 17:11w EST A...D. 
CLASS                   <DIR>  11/13/1998 17:11w EST A...D. 
COMMON_C                <DIR>  08/15/1998 09:51w EST ....D. 
AT_GO.BAT                 452  06/03/1997 12:44w EST A....E 
AT_SETUP.ASC              811  06/02/1997 13:53w EST A....E 
AT_SETUP.BAT              578  12/13/1994 07:45w EST AH.… 
boot.ini                  305  05/12/1997 12:52w EST A.R.. 
CONTROL                    27  10/10/1997 10:10w EST A..S. 
CRD_FILE.C             17,800  12/31/1996 08:13w EST A.... 
DATER.C                10,706  01/28/1997 06:21w EST A.... 
wide.c:part1.txt:          31  ALTERNATE  DATA   EST ADATA. 
wide.c:part2.txt:          76  ALTERNATE  DATA   EST ADATA. 

The items contained in the listing are:

1:  Filename, up to 35 characters under WIN9x and NTFS, (notice directories are indented 1 space)
2:  Filesize
3:  Date
4:  Time (in 32 bit mode the timetype [acw], and the timezone or GMT shows up.)
5:  Attributes (Archive, Hidden, Readonly, System, Directory, Encrypted NTFS)

If the file is an ADS the file time is replaced by the words ALTERNATE DATA, and the attributes are replaced by the word ADATA.

Also shown, not depicted in the sample are:

6:  Total bytes taken up by the listed files
7:  Total no. of files listed
8:  Total bytes remaining on disk
9:  Total no. of directories listed

When using combinations of the options for size, file time and file spec (*.bat etc.) the user can effectively program MDIR to provide only those files meeting very restrictive needs.

The 32 bit version of MDIR also has the capability of providing the 3 file time attributes along with long filenames and case sensitivity. It can also display file times in local, and GMT (ZULU) time.

Because MDIR does its sorting in memory, there is a limit to how many files it can process in a directory. This limit is 15,000. (If you have more than 15,000 files in a directory, you should consider doing some housekeeping).


top

OPTIONS

This program is INI capable. INI keywords in [BOLD]

All options should be preceded by a (-) minus sign. Some can be grouped together, and others where specified MUST be grouped without a space. The options are grouped where approriate.

Some options because they deal with specific 32 bit items like MDS or file times are only active in the 32 bit version running on an appropriate file system.

-p + path(s):  If more than one directory is needed to be looked at, then add the paths here as appropriate. (-p c:\windows d:\work) [PATH]=path

-f + filespec:  If more than one file type is needed, add them here. (-f *.c *.obj *.dll) [FILES]=filetype

If these options are used, the program builds a matrix of paths and file types. It searches all the requested directories for all the requested file types. Thus giving a total of all the files in all the paths requested. These options are added to any default command line provided. (C:>mdir c:\work\*.c -f *.dll -p d:\windows)

-x + filespec:  e(x)clude these file types from listing. (same format as -f option) (-x thesefiles.txt) [EXCLUDE]=filetype

-oO + filename:  Output file name. Place the output to a filename. If uppercase ‘O’ then existing output is appended to. [OUTPUT]=filename

-a:  append output to filename provided in -o option. Serves same purpose as using an upper case O. (-a) [APPEND]=[ON|OFF]

-s:  Do Not list Alternate Data Streams (ADS). (NTFS only). [STREAM]=[ON|OFF]

-g + #:  Where the # is replaced by a number indicating, list all files ‘g’reater than # days old. You can use a -gl pair to bracket file ages. [OLDER]=50

-1 + #:  Where the # is replaced by a number indicating, list all files ‘l’ess than # days old. You can use a -gl pair to bracket file ages. To get todays files, use (-l 1) [NEWER]=10

-g + #    Where the # is replaced by a number indicating: list all files ‘g’reater than # days old. You can use a -gl pair to bracket file ages. [OLDER]=50

-l + #    (ell, not one) Where the # is replaced by a number indicating: list all files ‘l’ess than # days old. You can use a -gl pair to bracket file ages. To get todays files, use (-l 1) [NEWER]=10

-g + mm-dd-yyyy[acw]
Process only those files (g)reater (older) than this mm-dd-yyyy date. The date MUST be in the form mm-dd-yyyy. It MUST have two digit month and days (leading 0 if necessary), and it MUST have a 4 digit year. The date calculation is calculated as of midnite on the date given for the -g option of mm-dd-yyyy. For this reason, the day provided is NOT included in the calculation. Ie. if you entered -g 01-01-2006 you would only process dates PRIOR to 1/1/2006. This means all of 2005 and before. See below for the [acw] meanings.

-l + mm-dd-yyyy[acw]:  (that's and ell, not a one). Process only those files (l)ess than (newer) than this mm-dd-yyyy date. The date MUST be in the form mm-dd-yyyy. It MUST have two digit month and days (leading 0 if necessary), and it MUST have a 4 digit year. The date calculation is calculated as of midnite on the date given for the -l option of mm-dd-yyyy. For this reason, the day provided IS included in the calculation. Ie. if you entered -l 01-01-2006 you would process all of 2006 to the current date.

Special note for the [acw] modifier part of the option.

If no 'acw' modifier is used, the default time used to check the age is the current write or last modification time.

You can however, alter which time is used in the age calculation. To do this, add any or all of the acw indicators. For instance, if you wanted the date checking to respond to the access date, you would add an 'a'.    ie: -l 10-10-2005a would show all files accessed on or after 10-10-2005.

If you added more letters, to the date, ie:   -g 10-10-2005cw    you would get all files with EITHER an access or a last modified date older than 10-10-2005. The added [acw] times are logically OR'd. So any date meeting the criteria will cause it to be selected for processing.

The use of all three -g 10-10-2005acw allow the program to simultaneously check and evaluate all three dates.

Caution should be exercised in using all three dates, as in most cases, almost every file may fit the criteria.

-L + #  Where the # is replaced by a number indicating, list all files less than # bytes in size. (-L 100000) [LESSTHAN]=100000

-G + #:  Where the # is replaced by a number indicating, list all files greater than # bytes in size. You can use a -GL pair to bracket file sizes. (-G 10000) (-G 10000 -L 100000) [GREATER]=10000

-P:  “DO NOT” pause after every 20 lines. (default is a pause after every screen.) [PAUSE]=ON

-d + “delimeter”:  replace “delimeter” with a delimeter (typically a pipe ‘ |’ ) within double quotes with which to delimet fields. If the delimeter is not printable, use its decimal ascii value but don’t place it it quotes. (-d “|”) [DELIMETER]=|

-w + #:  Change the default width of the filename from 35 to whatever value you wish. If you have long filenames, this may be necessary to accomodate the entire name. If a filename longer than 35 is used, the output tends to be more than one line long. (-w 50) [WIDTH]=50

-[tT][aAcCwW30]:  Show the file time as last ‘a’ccessed, last ‘w’ritten/modified, ‘c’reated, or show all ‘3’. No spaces between the -t and the modifier. ( -tc or -t3 ) Default is the ‘w’rite, which is identicle to what DIR or Explorer displays. Note: The 3 file time capability is only available under 32 bit operating systems using the 32 bit version of the program.

If the time type -t[ACW] is an upper case letter, then the seconds are added to the printout. Otherwise seconds are not included. With the -t3, seconds are ALWAYS included. [TIME]=[A|C|W|3|0], [ALLTIMES]=]ON|OFF]

If the -t option is upper case -T, then the date is displayed in YYYY/MM/DD format for easier sorting.

-z:  If using 32 bit version, display time in ‘Z’ULU GMT format. The letters GMT will be at the end of the output line indicating such. Use GMT to get relative references especially when dealing with 2 or more time zones. (-z) [ZULU]=[ON|OFF]

-m  Do Not show any file dates or times. This significantly reduces the size of the output record. (-m) [MILITARY]=[ON|OFF]

-A[ehrsmd]:  Show only files with the following attributes: e=Encrypted EFS files, h=Hidden files, r=Readonly, s=system, d=directories only, m=modified. The [hrsdm] must be right after the -A withou any spaces. The -A is case sensitive. [HIDDEN|READONLY|SYSTEM|ARCHIVE|DIR_ONLY]=[ON|OFF]

-Y[nsydm]:  Sort output on ‘n’ame (default), file ‘s’ize, file ‘y’ear, file ‘m’onth, file ‘d’ay. If month sort is chosen day is secondary sort by default. Only one sort field can be specified with certainty. Some combinations are possible, but not guaranteed. If the nysdm is upper case, then the order is reversed. [SORT]=[n|s|m|d|y[-]]


top

COMMAND LINES

mdir   -?
/* gets the help file */

mdir
/*show all files in current directory, default */

mdir   filespec.ext    filespec.ext    etc.
/*show files matching filespec name, wildcards allowed, notice more than 1 filetype at a time can be used */

The following options can be used with or without a filespec.ext and can be grouped together or not. But must follow filespec.ext if one is present

mdir   -Ah
/* show only hidden files */

mdir   -w 50
/* make filename 50 characters wide */

mdir -ta -z
/*show last access time using GMT time. Only on 32 bit versions */

mdir   *.*   -x   *.exe
/* show all files e(X)cept *.exe )


top

RELATED PROGRAMS

DISKCAT
HASH
MD5
CRCKIT

top