Notifications

Clear all

A $I30 index tool

Forensic Software

Last Post by segevrl 2 years ago

5 Posts

3 Users

0 Likes

2,271 Views

RSS

segevrl

(@segevrl)

Posts: 3

New Member

Topic starter

https://github.com/harelsegev/INDXRipper

Find index entries in NTFS $I30 attributes and easily integrate the data into a timeline

This started as an experimental project, but turned out to be useful enough to share

Posted : 19/06/2021 8:11 am

Topic Tags

jaclaz

(@jaclaz)

Posts: 5133

Illustrious Member

Nice.

Another little tool that goes in the toolbox, just in case.

jaclaz

Posted : 20/06/2021 10:39 am

segevrl

(@segevrl)

Posts: 3

New Member

Topic starter

@jaclaz Ideally, it should always be used when making a file system timeline. It finds files other tools don't, and it does it fairly quickly.

Posted : 20/06/2021 8:06 pm

thefuf

(@thefuf)

Posts: 262

Reputable Member

@segevrl, what about dfir_ntfs?

Posted : 20/06/2021 10:28 pm

segevrl

(@segevrl)

Posts: 3

New Member

Topic starter

@thefuf I've never tried it. It looks great, honestly. It seems like it carves $FILE_NAME attributes from the slack space of $INDEX_ALLOCATION attributes, which is similar to what INDXRipper is doing. I guess you can use either of them for this purpose.

Posted : 21/06/2021 7:23 am

12 Forums
15.3 K Topics
91.7 K Posts
1 Online
39.4 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed