Jaclaz,
Thanks. If the system is XP, then that should work fine.
The parent sequence number I referred to is located in the $FILE_NAME attribute.
> Also it was a USB device attached to the computer so finding trace of that in the MFT is likely.
Hhhhmmm…maybe I'm not reading "so finding trace of that.." the way you intended, but determining USB devices connected to a system is usually done via Registry analysis.
> Thanks. If the system is XP, then that should work fine.
Here I am not following you. 😯
Care to explain?
AFAIK the $MFT record number is present in XP and later incarnations of NTFS, i.e. NTFS 3.1+ (and missing in earlier ones, such as NT 4 and 2K, aka NTFS 3.0-); I find it improbable that the test was conducted on such old systems.
jaclaz
> Here I am not following you. 😯
> Care to explain?
> AFAIK the $MFT record number is present in XP and later incarnations of NTFS, i.e. NTFS 3.1+ (and missing in earlier ones, such as NT 4 and 2K, aka NTFS 3.0-); I find it improbable that the test was conducted on such old systems.
> jaclaz
The site you linked to said "XP", not "XP and above". My primary reference for parsing the MFT has been Brian Carrier's book, "File System Forensic Analysis", and I didn't find any reference to that value. I will go back to my MFT parser and check for it, though.
A friend of mine contacted me in Jan of this year…he was analyzing a Windows NT 4.0 SP6 system. He'd received it in Nov, 2011. I've known folks to receive Windows 2000 systems for analysis as recently as May of 2012. As the OP has yet to state which version of Windows he's working with, I would suggest that it's important to specify.
In some cases XP will write old NT style records. I don't know the cause for this, but believe it relates to SP 1 or 2.
My mft2csv was just updated to reflect this.
> In some cases XP will write old NT style records. I don't know the cause for this, but believe it relates to SP 1 or 2.
> My mft2csv was just updated to reflect this.
This probably has to do with the NTFS version of the volume; not sure which exact build numbers or service packs, but the known NTFS versions are:
1.0 Introduced in Windows NT 3.1
1.1 Introduced in Windows NT 3.5
1.2 Introduced in Windows NT 3.51
3.0 Introduced in Windows 2000
3.1 Introduced in Windows XP
I assume by "old" you refer to NTFS 3.0 records.
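To make the two record layouts discussed above concrete (jaclaz's point that the record number field only exists in NTFS 3.1+ entries, and joakim's note that XP sometimes writes old NT-style records), here is an added Python example; it is not code from this thread or from mft2csv. It assumes 1024-byte MFT entries with 512-byte sectors, and the sample entries are constructed, not taken from a real volume.

```python
import struct

SECTOR = 512
USA_OFFSET_NTFS31 = 0x30  # NTFS 3.1 (XP+): 4-byte record number at 0x2C precedes the array
USA_OFFSET_NTFS30 = 0x2A  # NTFS 3.0 (2000) and earlier: array directly follows next-attribute-id

def apply_fixups(entry: bytes) -> bytes:
    """Check the update sequence number at the end of every sector and restore
    the two original bytes NTFS swapped out; a mismatch indicates a torn write."""
    usa_off, usa_count = struct.unpack_from("<HH", entry, 4)
    usn = entry[usa_off:usa_off + 2]
    buf = bytearray(entry)
    for i in range(1, usa_count):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d" % i)
        buf[end - 2:end] = entry[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_header(entry: bytes) -> dict:
    """Decode the entry header; the layout is inferred from the array offset."""
    if entry[:4] != b"FILE":
        raise ValueError("bad signature %r" % entry[:4])
    usa_off, _, _, seq, links, attr_off, flags = struct.unpack_from("<HHQHHHH", entry, 4)
    info = {"sequence": seq, "links": links, "first_attr": attr_off, "flags": flags}
    if usa_off >= USA_OFFSET_NTFS31:
        info["layout"] = "NTFS 3.1"
        info["record_number"] = struct.unpack_from("<I", entry, 0x2C)[0]
    else:  # old NT-style record: no stored number, derive it from the offset within $MFT
        info["layout"] = "NTFS 3.0"
        info["record_number"] = None
    return info

def split_file_reference(ref: int):
    """8-byte file reference (e.g. the parent reference at the start of $FILE_NAME):
    low 48 bits = MFT record number, high 16 bits = sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def build_entry(usa_off: int, record_number: int = 0) -> bytes:
    """Constructed 1024-byte entry (not from a real volume) with two fixups applied."""
    buf = bytearray(1024)
    buf[0:4] = b"FILE"
    attr_off = (usa_off + 3 * 2 + 7) & ~7  # first attribute is 8-byte aligned after the array
    struct.pack_into("<HHQHHHH", buf, 4, usa_off, 3, 0, 1, 1, attr_off, 1)
    if usa_off >= USA_OFFSET_NTFS31:
        struct.pack_into("<I", buf, 0x2C, record_number)
    buf[usa_off:usa_off + 6] = b"\x07\x00" + b"\xAA\xBB" + b"\xCC\xDD"  # USN + saved sector bytes
    buf[510:512] = buf[1022:1024] = b"\x07\x00"  # NTFS overwrote each sector end with the USN
    return bytes(buf)

if __name__ == "__main__":
    for off in (USA_OFFSET_NTFS30, USA_OFFSET_NTFS31):
        print(parse_header(apply_fixups(build_entry(off, 5))))
    print(split_file_reference(0x0005000000000005))  # root directory: record 5, sequence 5
```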
> The site you linked to said "XP", not "XP and above". My primary reference for parsing the MFT has been Brian Carrier's book, "File System Forensic Analysis", and I didn't find any reference to that value. I will go back to my MFT parser and check for it, though.
Sure, that is because it was "news" when NTFS 3.1 came out, i.e. previous versions didn't use that field, but all later OS versions do.
> A friend of mine contacted me in Jan of this year…he was analyzing a Windows NT 4.0 SP6 system. He'd received it in Nov, 2011. I've known folks to receive Windows 2000 systems for analysis as recently as May of 2012. As the OP has yet to state which version of Windows he's working with, I would suggest that it's important to specify.
Yes, it is always important to specify; the "standard litany" should ALWAYS be provided:
http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/problem-report-standard-litany.html
JFYI, in September I will celebrate ten years of life of a small NT 4.00 Workstation system booted for the first time on 13/09/2002 😯 and working uninterruptedly 24/7 since then (only powered down for replacement of PSUs (two so far) and hard disks (again two, one because of failure and one because of an upgrade to a larger one)), and I do "maintain" a couple of 2K servers as well, going strong since 2002 or 2003 (but this is more "normal", as unlike the previously mentioned system that runs on "consumer" hardware, these latter two are on "server level" hardware, though I had to change a couple of disks on them too for failures).
But the OP was talking of some homework and I find it improbable (though of course possible) that they teach "old OS" at school or UNI.
Just for the record, the "real" issue was, many, many years ago, the stupid silent NTFS upgrade the Windows 2000 "120 day trial" performed, some reference:
http//
and later dual-boot systems, even with the NT 4.00 SP3 applied had issues with CHKDSK.
Only thanks to Mark Russinovich
http//
we were able to run chkdsk from NT 4 on dual boot systems.
Please note how at the time the "wrong" versioning number for the NTFS filesystem was used; the "right" one is the one joachimm just posted, but often the three versions were referred to by the OS number:
v1.2 with NT 3.51 (mid-1995) and NT 4 (mid-1996) (occasionally referred to as "NTFS 4.0", because file system driver version is 4.0)
v3.0 from Windows 2000 ("NTFS V5.0" or "NTFS5")
v3.1 from Windows XP (autumn 2001; "NTFS V5.1")
jaclaz