Forums
Main Category
General (Technical,...
A $I30 index tool
 
Notifications
Clear all

A $I30 index tool

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by segevrl 4 years ago
5 Posts
3 Users
0 Reactions
3,061 Views
RSS
 segevrl
(@segevrl)
New Member
Joined: 4 years ago
Posts: 3
Topic starter 19/06/2021 7:11 am  

https://github.com/harelsegev/INDXRipper

Find index entries in NTFS $I30 attributes and easily integrate the data into a timeline

This started as an experimental project, but turned out to be useful enough to share


   
Quote
Topic Tags
$I30 ntfs recover recovery
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 17 years ago
Posts: 5133
20/06/2021 9:39 am  

Nice.

Another little tool that goes in the toolbox, just in case. 

jaclaz


   
ReplyQuote
 segevrl
(@segevrl)
New Member
Joined: 4 years ago
Posts: 3
Topic starter 20/06/2021 7:06 pm  

@jaclaz Ideally, it should always be used when making a file system timeline. It finds files other tools don't, and it does it fairly quickly.


   
ReplyQuote
 thefuf
(@thefuf)
Reputable Member
Joined: 17 years ago
Posts: 262
20/06/2021 9:28 pm  

@segevrl, what about dfir_ntfs?


   
ReplyQuote
 segevrl
(@segevrl)
New Member
Joined: 4 years ago
Posts: 3
Topic starter 21/06/2021 6:23 am  

@thefuf I've never tried it. It looks great, honestly. It seems like it carves $FILE_NAME attributes from the slack space of $INDEX_ALLOCATION attributes, which is similar to what INDXRipper is doing. I guess you can use either of them for this purpose.


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Related Topics
Topic Tags:  $I30 (1) , ntfs (8) , recover (4) , recovery (6) ,
Share: