EnCase: find MFT entry for a file  

fraudit
(@fraudit)
Member

I'm not an experienced EnCase user, hence the question: does EnCase have a function that allows me to jump to the MFT entry of the selected file?

I have several files apparently wiped with CCleaner (overwritten with zeros) and I'm wondering if any file information is left in the MFT entry (assuming CCleaner's option to wipe the MFT as well was not enabled).

OSForensics has such a feature, well, almost :) It displays the MFT data for a selected file in a preview window. Is there a way to achieve this in EnCase? I know I'm getting a lot of file data in the evidence browser, but…

Posted : 30/08/2019 5:39 pm
hommy0
(@hommy0)
Member

Hi,

EnCase does not have a direct way to jump to the MFT record of a given entry. It will display much of that data across various parts of the lower pane and the table view.

However, the following EnScript plugin provides functionality that allows for bookmarking the MFT record of a highlighted entry via the contextual menu.
It was written by Simon Key from EnCase.

Basically right-click on your files of interest to access the plugin’s functionality.

The bookmarks are accessible via the View menu and bookmarks.

The MFT record will then be in its own bookmark folder, with the file itself and each of the MFT record attribute identifiers bookmarked.

Also, if you find an MFT record, let's say in the unallocated clusters, you can highlight the 1st byte of the record and it will bookmark each of the attribute identifiers for the record.

It can also decode and bookmark the data runs from the Data Attribute (if they are highlighted within the attribute).

EnCase MFT Record Bookmark Plugin

Posted : 30/08/2019 6:27 pm
fraudit
(@fraudit)
Member

Oh, amazing, thank you so much for your help hommy0! I will install and test it immediately!

Posted : 02/09/2019 10:35 am
pbobby
(@pbobby)
Active Member

Take the file identifier of the file you are interested in, multiply by 1024. Highlight $MFT, ctrl-G and paste in the value. That will jump to the offset in the $MFT for the MFT record.

Posted : 03/09/2019 2:36 pm
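As an added example (not code from this thread, from EnCase or from the plugin mentioned above), here is the arithmetic pbobby describes in Python, followed by a decoder for the record it lands on, so you can see what survives of a file whose content was zeroed: the in-use flag, the attribute identifiers hommy0's plugin bookmarks, the $FILE_NAME name and the $DATA size. It assumes the 1024-byte record size the post uses (the true size is stored in $Boot) and decodes a constructed sample $MFT rather than a real one; record_offset, parse_record and build_sample_mft are names chosen here.

```python
import struct
RECORD_SIZE = 1024  # what pbobby's post assumes; $Boot stores the real record size, check it first
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}

def record_offset(record_number: int) -> int:
    return record_number * RECORD_SIZE  # byte offset inside $MFT, i.e. the value pasted into ctrl-G

def apply_fixup(rec: bytes) -> bytes:
    """Restore the last two bytes of each 512-byte sector from the update sequence array."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    buf = bytearray(rec)
    for i in range(1, usa_count):
        buf[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_record(mft: bytes, record_number: int) -> dict:
    """Decode one FILE record: in-use flag, attribute ids, $FILE_NAME name and $DATA size."""
    rec = mft[record_offset(record_number):record_offset(record_number + 1)]
    if rec[:4] != b"FILE":  # zeroed, never used, or not a record at all
        return {"valid": False}
    rec = apply_fixup(rec)
    pos, flags = struct.unpack_from("<HH", rec, 20)  # first attribute offset, record flags
    info = {"valid": True, "in_use": bool(flags & 1), "attrs": [], "name": None, "data_size": None}
    while pos + 16 <= len(rec):
        atype, alen, nonres = struct.unpack_from("<IIB", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:  # end-of-attributes marker
            break
        info["attrs"].append(ATTR_NAMES.get(atype, hex(atype)))
        if atype == 0x30 and nonres == 0:  # resident $FILE_NAME: content size/offset at +16/+20
            csize, coff = struct.unpack_from("<IH", rec, pos + 16)
            body = rec[pos + coff:pos + coff + csize]
            info["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")  # len at +64, name at +66
        elif atype == 0x80:  # $DATA size: resident content size at +16, non-resident real size at +48
            fmt, at = ("<I", 16) if nonres == 0 else ("<Q", 48)
            info["data_size"] = struct.unpack_from(fmt, rec, pos + at)[0]
        pos += alen
    return info

def build_sample_mft(record_number: int, name: str, data: bytes) -> bytes:
    """Constructed sample $MFT (not from a real disk): one in-use record, the rest zero filled."""
    fn = bytes(64) + bytes([len(name), 3]) + name.encode("utf-16-le")  # minimal $FILE_NAME body
    attrs = b""
    for atype, body in ((0x30, fn), (0x80, data)):  # resident attributes with 24-byte headers
        alen = (24 + len(body) + 7) & ~7
        attrs += struct.pack("<IIBBHHHIHH", atype, alen, 0, 0, 0, 0, 0, len(body), 24, 0) + body.ljust(alen - 24, b"\0")
    hdr = struct.pack("<4sHHQHHHHII", b"FILE", 48, 3, 0, 1, 1, 56, 1, 60 + len(attrs), RECORD_SIZE)
    rec = bytearray(hdr.ljust(48, b"\0") + struct.pack("<HHHH", 0x1234, 0, 0, 0) + attrs + b"\xff" * 4)
    rec = rec.ljust(RECORD_SIZE, b"\0")
    rec[510:512] = rec[1022:1024] = b"\x34\x12"  # on disk every sector ends with the USN
    return bytes(record_number * RECORD_SIZE) + bytes(rec)
```

Running `parse_record(build_sample_mft(5, "secret.docx", b"\0" * 16), 5)` shows a record whose content is all zeros still carrying its name, in-use flag and a 16-byte $DATA size, which is exactly the information the original question asks about.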