At the moment I focus on MFT records (I have exams in three weeks). I wonder if it's possible to find the starting cluster of a file in $MFT. When I look at the $MFT file with EnCase, I see the header (FILE0) followed by a lot of strange characters, the name of the specific file and then a lot of strange characters again. Is it possible to find the starting cluster of the specific file via the MFT record?
MFT records are complex. First there is the header (56 bytes for XP or 2003, 48 bytes for NT or 2000) followed by a bunch of attributes. You'll be looking for the 0x80 attribute and read the data runs to find the starting cluster of non-resident data. For more information on $MFT records and data runs, I would refer you to File System Forensic Analysis by Brian Carrier.
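As an added worked example (not code from the thread or from either poster), here is a small Python parser that does what the answer above describes: it takes one 1024-byte MFT record, undoes the update-sequence fixups, walks the attribute list to the unnamed $DATA (type 0x80) attribute, and decodes its data runs to get the starting cluster. The record itself is constructed inline (the `build_record` helper, the cluster numbers 4096 and 4080, record number 37 and the "hello" content are made-up sample values); the header and attribute field offsets follow the standard NTFS layout for XP-style 48-byte record headers.

```python
import struct

ATTR_DATA = 0x80          # $DATA attribute type
END_MARKER = 0xFFFFFFFF   # terminates the attribute list inside a record


def apply_fixups(rec, sector_size=512):
    """Undo the update-sequence (fixup) protection NTFS puts on every sector
    of a record: the last two bytes of each sector hold the update sequence
    number, the real bytes live in the fixup array named in the header.
    Parsing without this step reads garbage at offsets 510-511 and 1022-1023;
    a mismatch means a torn write or corruption, so refuse the record."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * sector_size
        if bytes(rec[end - 2:end]) != usn:
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        saved = usa_off + 2 * i
        rec[end - 2:end] = rec[saved:saved + 2]
    return rec


def decode_runlist(buf, pos):
    """Decode a data run list at buf[pos]. Each run: a header byte (low nibble =
    size of the length field, high nibble = size of the offset field), an
    unsigned little-endian length in clusters, then a SIGNED little-endian
    offset relative to the previous run's LCN. Offset size 0 is a sparse run.
    Returns [(lcn or None, length_in_clusters), ...]."""
    runs, lcn = [], 0
    while buf[pos] != 0:
        len_size, off_size = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        length = int.from_bytes(buf[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, length))
        else:
            lcn += int.from_bytes(buf[pos:pos + off_size], "little", signed=True)
            pos += off_size
            runs.append((lcn, length))
    return runs


def iter_attributes(rec):
    """Yield (type, raw_attribute_bytes) from the first attribute to the end marker."""
    (pos,) = struct.unpack_from("<H", rec, 20)        # header: offset to first attribute
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == END_MARKER or alen == 0:
            break
        yield atype, rec[pos:pos + alen]
        pos += alen


def find_data_runs(rec, stream_name=""):
    """Runs of the $DATA stream called stream_name ("" = the file's main data).
    Returns None when that stream is resident (content sits inside the record)."""
    rec = apply_fixups(rec)
    if bytes(rec[:4]) != b"FILE":
        raise ValueError("not an MFT record")
    for atype, attr in iter_attributes(rec):
        if atype != ATTR_DATA:
            continue
        non_resident, name_len, name_off = struct.unpack_from("<BBH", attr, 8)
        name = bytes(attr[name_off:name_off + 2 * name_len]).decode("utf-16-le")
        if name != stream_name:
            continue          # a named $DATA is an alternate data stream
        if not non_resident:
            return None       # resident: no cluster to point at
        (run_off,) = struct.unpack_from("<H", attr, 32)   # offset to the run list
        return decode_runlist(attr, run_off)
    raise ValueError("no matching $DATA attribute")


def starting_cluster(rec, stream_name=""):
    """First non-sparse LCN of the stream, or None if resident / fully sparse."""
    runs = find_data_runs(rec, stream_name)
    if runs is None:
        return None
    return next((lcn for lcn, _ in runs if lcn is not None), None)


def build_record(resident=False):
    """Constructed sample record (not from a real disk): $STANDARD_INFORMATION
    followed by an unnamed $DATA, with fixups applied the way the driver would."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HHQHHHHIIQHHI", rec, 4,
                     48, 3,          # fixup array offset, entry count
                     0,              # $LogFile sequence number
                     1, 1,           # sequence number, hard link count
                     56, 0x0001,     # first attribute offset, flags (in use)
                     0, 1024,        # used size (patched below), allocated size
                     0,              # base record reference
                     2, 0,           # next attribute id, padding
                     37)             # record number (made up)
    std_info = (struct.pack("<IIBBHHH", 0x10, 72, 0, 0, 0x18, 0, 0)
                + struct.pack("<IHBB", 48, 0x18, 0, 0) + bytes(48))
    if resident:
        data = (struct.pack("<IIBBHHH", ATTR_DATA, 32, 0, 0, 0x18, 0, 1)
                + struct.pack("<IHBB", 5, 0x18, 0, 0) + b"hello" + bytes(3))
    else:
        # 10 clusters at LCN 4096, 5 clusters at LCN 4080 (offset -16),
        # 3 sparse clusters, then the 0x00 terminator
        runlist = (b"\x31\x0a\x00\x10\x00" + b"\x21\x05\xf0\xff"
                   + b"\x01\x03" + b"\x00")
        data = (struct.pack("<IIBBHHH", ATTR_DATA, 80, 1, 0, 0x40, 0, 1)
                + struct.pack("<QQHHIQQQ", 0, 17, 0x40, 0, 0,
                              18 * 4096, 18 * 4096 - 100, 18 * 4096 - 100)
                + runlist + bytes(80 - 64 - len(runlist)))
    body = std_info + data + struct.pack("<I", END_MARKER)
    rec[56:56 + len(body)] = body
    struct.pack_into("<I", rec, 24, 56 + len(body))
    rec[48:50] = b"\x07\x00"                     # update sequence number
    for i in (1, 2):                             # protect both 512-byte sectors
        end = i * 512
        rec[48 + 2 * i:50 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = rec[48:50]
    return bytes(rec)


if __name__ == "__main__":
    print("runs:", find_data_runs(build_record()))
    print("starting cluster:", starting_cluster(build_record()))
    print("resident file:", starting_cluster(build_record(resident=True)))
```

The LCN you get back is a cluster number on the volume, not a byte offset: multiply it by the cluster size from the boot sector ($Boot) to seek to the data in the image. Two things to check before trusting the number: a small file's $DATA is usually resident (the function returns None, the content is in the record itself), and a file can carry several $DATA attributes, so match on the empty name to get the main stream rather than an alternate data stream.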
Nicely said, flamerescue150... sounds like you've been well trained...