Notifications

Clear all

FTK v3 question

General (Technical, Procedural, Software, Hardware etc.)

Last Post by binarybod 14 years ago

3 Posts

3 Users

0 Reactions

553 Views

RSS

Anonymous 15228

(@Anonymous 15228)

Guest

Joined: 15 years ago

Posts: 75

Topic starter 13/07/2011 10:42 pm

I'm wondering if something is possible in FTK 3.

Let's say I have an image of a drive, and I'm looking at the entire image in the hex viewer. I've identified an area of the disk as corrupt. Is there a way for me to identify what file the corrupt section is part of?

Quote

Patrick4n6

(@patrick4n6)

Honorable Member

Joined: 16 years ago

Posts: 650

13/07/2011 11:38 pm

Parse the MFT. If you're lucky, it's going to be the first cluster of a file. If you're unlucky, it's going to be in a data run which means you'll have to map the whole thing.

ReplyQuote

binarybod

(@binarybod)

Reputable Member

Joined: 18 years ago

Posts: 272

14/07/2011 1:13 pm

I would use the sleuthkit and/or autopsy for this; identifying a file from a given cluster is trivial using 'ifind'. FTK has its strengths but I'm not sure it is well suited to this particular task.

Paul

ReplyQuote

Podcast: Well-Being In Digital Forensics And Policing: Insights From Hannah Bailey

Hannah Bailey shares her journey from frontline policin...

By Zoe , 2 days ago
RE: Android Forensics

Hi, Try decompressing the file using zlib in python. ...

By Dexter4n6 , 3 days ago
Interview: Neal Ysart, Co-Founder, The Coalition of Cyber Investigators

Neal Ysart shares how The Coalition of Cyber Investigat...

By Zoe , 3 days ago

8 Forums
15.7 K Topics
92.3 K Posts
11 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed