Notifications

Clear all

$MFT help trying to deconstruct.

xaberx · 2008-12-13T02:27:17Z

I am currently working on deconstructing the $MFT from a imaged drive, I am currently using Brian Carriers File System Forensic Analysis(Ch 11-12) to try and read the MFT at the byte level I have found how to pull the file name and recognize it as it maintains an offset each time but is there a mark I can look for that indicates if the file was deleted and where the file data is actually stored? The book is very helpful in getting me started just I was wondering if anyone had expierence with working on Image file $MFT at the byte level for NTFS. Thanks I am also running into difficulty pulling last Access datescreationmodifaction dates aswell I think I found the block of hex that controls it but to decrypt it will be a pain.Thanks any Help is appreciatedDoes anyone know of a white paper besides the book mentioned above for $MFT?Ryan ManleyXabersoft

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by sfxw 17 years ago

18 Posts

11 Users

0 Reactions

1,522 Views

RSS

BCOPD4740

(@bcopd4740)

Active Member

Joined: 17 years ago

Posts: 14

19/12/2008 1:27 am

Do you have EnCase Version 6?

I have a script that will completely decode each MFT record.

Email me and I will forward you a copy.

ReplyQuote

farmerdude

(@farmerdude)

Estimable Member

Joined: 20 years ago

Posts: 242

19/12/2008 6:25 pm

Ryan,

Have you looked into Grok-NTFS by ASR DATA?

http//www.asrdata.com/Grok-NTFS/

It may provide you with the access and information you're seeking.

Cheers!

farmerdude

www.forensicbootcd.com

www.onlineforensictraining.com

ReplyQuote

BitHead

(@bithead)

Noble Member

Joined: 20 years ago

Posts: 1206

20/12/2008 4:38 am

Ryan,

Have you looked into Grok-NTFS by ASR DATA?

The link for the download looks like "a polar bear in a snowstorm." Also there is no purchase option. Is it still an active program?

ReplyQuote

MMachor

(@mmachor)

Trusted Member

Joined: 17 years ago

Posts: 70

20/12/2008 12:11 pm

Will this work with WinHex Specialist Edition? If so how do I do this? Also, as noted by BitHead, does anyone know where there is a valid download of Grok-NTFS?

ReplyQuote

MMachor

(@mmachor)

Trusted Member

Joined: 17 years ago

Posts: 70

20/12/2008 12:12 pm

BCOPD4740 - Do you know if that script would work in EnCase 4.2?

ReplyQuote

xaberx

(@xaberx)

Estimable Member

Joined: 17 years ago

Posts: 105

Topic starter 29/12/2008 4:43 am

I cannot downlod the one from ASR data I may have to look elseware online for the link, thusfar I still cannot get the time and state stamps out (its bieng difficult or I am not pulling the right bytes). I am using WinHex currenty thanks for the help sofar I am still working on it though my job is taking alot of my time at the moment due to hoildays.

Thanks
Ryan

ReplyQuote

_nik_

(@_nik_)

Trusted Member

Joined: 19 years ago

Posts: 93

29/12/2008 11:15 pm

BCOPD4740 - Do you know if that script would work in EnCase 4.2?

I think Technical Services at Guidance Software has one. you should contact them.

ReplyQuote

sfxw

(@sfxw)

Active Member

Joined: 17 years ago

Posts: 14

08/01/2009 3:54 am

To clarify The MFT auto-coloring feature is available in X-Ways Forensics as well as WinHex with a specialist or forensic license.

Stefan

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
191 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed