±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35745
New Yesterday: 2 Visitors: 107

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Extracting all NTFS attributes

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

joakims
Senior Member
 

Extracting all NTFS attributes

Post Posted: May 25, 13 13:41

New tool:
code.google.com/p/mft2...Attributes

I have missed an option to easily be able to extract all NTFS attributes for a given file, not just the $DATA attribute. In one of the great posts by Corey; journeyintoir.blogspot...-ntfs.html he explains how to extract the $EA and $EA_INFORMATION attributes by using commandline tools in the Sluthkit. However the commands are not that easy unless you are familiar with it.

Now there's an easy way of extracting all of them in one go.

The output files follow a specific naming convention to reflect what is extracted. It's described in the documentation.

Current features:
Images (partition and disk types)
Disk images can be of either MBR or GPT style.
Direct access into Volume Shadow Copies.
Direct access to PhysicalDrive and into un-mounted volumes.
Mounted volumes.
Browsing to target file on mounted volumes.
Specify MFT reference number in all other modes than the "Browse" option.
Resident and non-resident
Compressed and fragmented attributes.
Attribute lists.

Try it out on MFT reference 5 or 9 for instance. They both have several attributes you normally can't extract in an easy way.
_________________
Joakim Schicht

github.com/jschicht 
 

Page 1 of 1