I apologize if this has been addressed before, but I was unable to find anything from search. I am trying to analyze the $MFT file to help in malware and intrusion detection. The environment that I have been collecting the $MFT from utilizes EFS. I have been having issues trying to get the analysis to work with log2timeline and analyzeMFT.
When running log2timeline with -v -v, it appears that everything is working fine, but after some time it just outputs "Killed" to STDOUT. The output file does show approx. 30 entries, but I was expecting many, many more than that. I don't think that the $MFT is corrupted, because if I run strings against it I can pull out individual file names. Note also that I have been collecting the $MFT from live machines using HMFT. Any assistance would be appreciated.
Here is the log2timeline command that I am running:
log2timeline -f mft -w test1 /root/MFT/test.dat -v -v -log errors
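As an added example (not from the original post and not code from log2timeline or analyzeMFT), here is a small Python scanner that goes further than running strings: it checks every 1024-byte $MFT record's FILE signature and its update-sequence fixups, reports which record numbers fail, and extracts the $FILE_NAME entries from the records that do parse, which is a quick way to tell whether a live-collected dump is intact or where a parser would stop. make_record builds a constructed synthetic record for testing only; the record/sector sizes and the offsets used are the standard NTFS on-disk layout.

```python
import struct
RECORD_SIZE, SECTOR_SIZE = 1024, 512            # NTFS defaults; $MFT records are 1024 bytes

def apply_fixups(rec):
    """Check the FILE signature and undo the update sequence array; None if a sector tail mismatches."""
    if rec[:4] != b"FILE":
        return None
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn, buf = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):                # entry 0 is the USN itself
        end = i * SECTOR_SIZE
        if buf[end - 2:end] != usn:
            return None                           # torn write or corrupted record
        buf[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def file_names(rec):                             # every resident $FILE_NAME (type 0x30) in one record
    names, off = [], struct.unpack_from("<H", rec, 0x14)[0]
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if atype == 0x30 and rec[off + 8] == 0:  # resident attribute only
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            names.append(body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le"))
        off += alen
    return names

def scan_mft(data):
    """Summarise an $MFT dump: record count, record numbers that fail fixups, and all file names."""
    s = {"records": len(data) // RECORD_SIZE, "bad": [], "names": []}
    for n in range(s["records"]):
        rec = apply_fixups(data[n * RECORD_SIZE:(n + 1) * RECORD_SIZE])
        if rec is None:
            s["bad"].append(n)
        else:
            s["names"] += file_names(rec)
    return s

def make_record(name):                           # constructed test data only, not a real $MFT record
    fn = bytes(0x40) + bytes([len(name), 3]) + name.encode("utf-16-le")
    alen = (0x18 + len(fn) + 7) & ~7
    attr = struct.pack("<IIBBHHHIHBB", 0x30, alen, 0, 0, 0x18, 0, 1, len(fn), 0x18, 1, 0) + fn
    body = attr.ljust(alen, b"\0") + b"\xff\xff\xff\xff\0\0\0\0"   # attribute, then end-of-list marker
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(body), RECORD_SIZE, 0, 2, 0, 0)
    rec = bytearray((hdr + bytes(8) + body).ljust(RECORD_SIZE, b"\0"))
    rec[0x30:0x36] = b"\x01\x00" + rec[510:512] + rec[1022:1024]  # USA: USN, then the two displaced words
    rec[510:512] = rec[1022:1024] = b"\x01\x00"                   # on disk each sector tail holds the USN
    return bytes(rec)
```

Running scan_mft over the raw dump (for example /root/MFT/test.dat from the command above) and comparing "records" against the length of "bad" shows whether the file itself is sound or whether a run of records stops parsing at some offset.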