I'm looking for a tool to parse the $MFT file. I want to find all entries and also the corresponding times. Sure, I've got the big tool whose name starts with an E (v6.8), and I know this tool is capable of finding all MFT entries. But I'm looking for a tool like a Perl script or something like that (I prefer open source tools -). If possible, I want to copy the $MFT file from an evidence file (with FTK Imager, for example) and parse it.
Thanks!
Stamitz
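As an added example (not code from the thread or from any of the tools named in it), here is a small Python parser for the kind of $MFT dump the question describes: it applies the NTFS update-sequence fixups, walks each 1024-byte FILE record, and pulls the timestamps out of the resident $STANDARD_INFORMATION and $FILE_NAME attributes. The 1024-byte record size, 512-byte sector size, and the sample record it builds for itself are assumptions made for this example.

```python
"""Minimal NTFS $MFT FILE record parser (added example; assumes 1 KiB records, 512-byte sectors)."""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 1024
SECTOR_SIZE = 512
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def apply_fixups(record):
    """Undo update-sequence protection: the last two bytes of every sector hold the
    update sequence number on disk; the real bytes sit in the array after it.
    A mismatch means a torn write, which is worth flagging rather than hiding."""
    usa_offset, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_offset:usa_offset + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if buf[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        buf[end - 2:end] = record[usa_offset + 2 * i:usa_offset + 2 * i + 2]
    return bytes(buf)


def parse_standard_information(content):
    c, m, mft, a = struct.unpack_from("<QQQQ", content, 0)
    return {"type": "$STANDARD_INFORMATION", "created": filetime_to_datetime(c),
            "modified": filetime_to_datetime(m), "mft_modified": filetime_to_datetime(mft),
            "accessed": filetime_to_datetime(a)}


def parse_file_name(content):
    parent, c, m, mft, a, _alloc, real, _flags, _rp, nlen, ns = struct.unpack_from("<QQQQQQQIIBB", content, 0)
    return {"type": "$FILE_NAME", "parent_record": parent & 0xFFFFFFFFFFFF,
            "created": filetime_to_datetime(c), "modified": filetime_to_datetime(m),
            "mft_modified": filetime_to_datetime(mft), "accessed": filetime_to_datetime(a),
            "size": real, "namespace": ns, "name": content[66:66 + 2 * nlen].decode("utf-16-le")}


def parse_record(record):
    """Parse one FILE record; only resident $STANDARD_INFORMATION/$FILE_NAME are decoded."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record: %r" % record[:4])
    record = apply_fixups(record)
    seq, links, first_attr, flags, used, _alloc = struct.unpack_from("<HHHHII", record, 0x10)
    entry = {"record_number": struct.unpack_from("<I", record, 0x2C)[0], "sequence": seq,
             "links": links, "in_use": bool(flags & 1), "is_directory": bool(flags & 2),
             "attributes": []}
    off = first_attr
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END:
            break
        if alen == 0 or off + alen > len(record):
            raise ValueError("bad attribute length at offset 0x%x" % off)
        if record[off + 8] == 0:  # resident: content lives inside the record
            clen, coff = struct.unpack_from("<IH", record, off + 0x10)
            content = record[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                entry["attributes"].append(parse_standard_information(content))
            elif atype == ATTR_FILE_NAME:
                entry["attributes"].append(parse_file_name(content))
        off += alen
    return entry


def parse_mft(data):
    """Walk a raw $MFT dump, yielding parsed records and skipping blank slots."""
    for off in range(0, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        if data[off:off + 4] == b"FILE":
            yield parse_record(data[off:off + RECORD_SIZE])


def _resident_attribute(atype, content, attr_id):
    length = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, attr_id, len(content), 0x18, 0, 0)
    return hdr + content + b"\x00" * (length - 0x18 - len(content))


def build_sample_record():
    """Constructed test data: an in-use record #42 for 'sample.txt' under root (record 5)."""
    ft_c = datetime_to_filetime(datetime(2009, 1, 15, 12, 0, 0, tzinfo=timezone.utc))
    ft_m = datetime_to_filetime(datetime(2009, 1, 16, 8, 30, 0, tzinfo=timezone.utc))
    si = struct.pack("<QQQQIIII", ft_c, ft_m, ft_m, ft_m, 0x20, 0, 0, 0)
    name = "sample.txt".encode("utf-16-le")
    fn = struct.pack("<QQQQQQQIIBB", 5 | (5 << 48), ft_c, ft_m, ft_m, ft_m, 4096, 1234, 0x20, 0, 10, 3) + name
    attrs = _resident_attribute(ATTR_STANDARD_INFORMATION, si, 0) + _resident_attribute(ATTR_FILE_NAME, fn, 1)
    attrs += struct.pack("<II", ATTR_END, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 7, 1, 0x38, 1,
                      0x38 + len(attrs), RECORD_SIZE, 0, 2, 0, 42)
    buf = bytearray(hdr + b"\x00" * 8 + attrs)
    buf += b"\x00" * (RECORD_SIZE - len(buf))
    usn = struct.pack("<H", 0x0007)
    buf[0x30:0x32] = usn
    for i in (1, 2):  # stash the real sector-end bytes, then overwrite them with the USN
        end = i * SECTOR_SIZE
        buf[0x30 + 2 * i:0x30 + 2 * i + 2] = buf[end - 2:end]
        buf[end - 2:end] = usn
    return bytes(buf)


if __name__ == "__main__":
    for rec in parse_mft(build_sample_record()):
        for attr in rec["attributes"]:
            print(rec["record_number"], attr["type"], attr.get("name", ""), attr["created"].isoformat())
```

To use it on a real extract, read the copied `$MFT` into memory and pass it to `parse_mft`. Keeping both attribute sets side by side is the point: the $STANDARD_INFORMATION times are what file-system APIs let programs change, while the $FILE_NAME times are rarely touched, so a record where the two disagree badly is worth a closer look. Non-resident attributes are skipped here, so the parser needs the data-run decoding added before it can follow large $MFT segments or resident-vs-non-resident $DATA.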
Windows Forensic Analysis & DVD Toolkit - ISBN-13 978-1-59749-156-3
Perl Scripting for Windows Security - ISBN-13 978-1-59749-173-0
Pretty sure there was something on the MFT in the first book, not far enough through the second to say for sure if that is covered.
Hi Stamitz,
Runtime Software's DiskExplorer for NTFS might provide a useful view on the $MFT file but I'm not sure if you can just import it by itself, you probably need to import an entire image (there's a free trial on their site.) It's not open source, though.
BTW, thanks for the banner link on your blog, much appreciated. Have you added the blog to the links section here?
Jamie
Almost forgot about
Jamie, DiskExplorer can open a physical or logical drive or an image or virtual image or a remote physical drive.
Thanks for the advice, Jamie! I have just added a link to my techblog -)
DiskExplorer seems very complete, but then again, it's not open source (and I already have WinHex, FTK, EnCase, etc.). I will have a look at Sleuthkit Informer and will send a PM to keydet89 to ask about the power of Perl.
Thanks, BitHead!