±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36303
New Yesterday: 1 Visitors: 204

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

EnCase: find MFT entry for a file

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

fraudit
Senior Member
 

EnCase: find MFT entry for a file

Post Posted: Aug 30, 19 16:39

I'm not experienced EnCase user, hence the question: does EnCase has a function that allows me to jump to the MFT entry of the selected file?

I have several files apprarently wiped with CCleaner (overwritten with zeros) and I'm wondering if any file information is left in the MFT entry (assuming the CCleaner's option to wipe MFT as well was not enbled).

OSForensics has such a feature, well almost :). It displays the MFT data for a selected file in a preview window. Is there a way to achieve this in EnCase? I know I'm getting a lot of file data in the evidence browser, but...  
 
  

hommy0
Senior Member
 

Re: EnCase: find MFT entry for a file

Post Posted: Aug 30, 19 17:27

Hi,

EnCase does not have a direct way to jump directly to a MFT record of a given entry. It will display much of that data across various parts of the lower pane and the table view.

However the following enscript plugin provides functionality that allows for bookmarking the MFT record of a highlighted entry via the contextual menu.
It was written by Simon Key from EnCase.

Basically right-click on your files of interest to access the plugin’s functionality.

The bookmarks are accessible via the View menu and bookmarks.

The MFT record will then be in its own bookmark folder, with the file itself and each of the MFT record attribute identifiers bookmarked.

Also if you find a MFT record let’s say in the unallocated clusters, you can highlight the 1st byte of the record and it will bookmark each of the attribute identifiers for the record.

It can also decode and bookmark the data-runs from the Data Attribute (if they are highlighted within the attribute)

EnCase MFT Record Bookmark Plugin  
 
  

fraudit
Senior Member
 

Re: EnCase: find MFT entry for a file

Post Posted: Sep 02, 19 09:35

Oh, amazing, thank you so much or your help hommy0! I will install and test it immediately!  
 
  

pbobby
Senior Member
 

Re: EnCase: find MFT entry for a file

Post Posted: Sep 03, 19 13:36

Take the file identifier of the file you are interested in, multiply by 1024. Highlight $MFT, ctrl-G and paste in the value. THat will jump to the offset in the $MFT for the mft record.
_________________
Don't get baited. 
 

Page 1 of 1