NTFS MFT Analysis Identifying Cluster run

Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member

Well done! I think if you figure things out yourself then you retain it better.

Dcode is good, but personally I prefer Stampede as if you're not entirely sure of the type of timestamp it can help!

 
Posted : 01/05/2014 2:12 pm
(@mscotgrove)
Posts: 938
Prominent Member
The demo of my www.cnwrecovery.com software has a feature in the sector view. If you display a MFT sector and move the cursor over the hex display, it will decode most of the elements. This includes the dates which you will discover are stored in several places. It will also decode the first cluster run.

It is not 100% comprehensive, and only works on the first 0x200 bytes of the $MFT entry, but it may be a quick way to help you understand the $MFT.

Posted : 01/05/2014 2:44 pm
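Since the thread is about identifying the cluster run, here is an added Python decoder for the data-run list of a non-resident $MFT attribute (my own example, not code from the cnwrecovery demo or any poster). The run-list byte string is constructed for the example; the main trap it illustrates is that the per-run offset is a signed delta from the previous run's starting LCN, and a run with a zero-length offset field is sparse.

```python
# Decode an NTFS data-run ("cluster run") list from a non-resident attribute.
# Each run starts with a header byte: low nibble = size of the length field,
# high nibble = size of the (signed, relative) offset field. A 0x00 byte ends the list.
from typing import List, Optional, Tuple

# Constructed sample: four runs followed by the 0x00 terminator.
#   21 18 34 56 -> 24 clusters at LCN 0x5634 (22068)
#   11 05 F0    -> 5 clusters at 22068 - 16 = 22052 (0xF0 is a signed -16)
#   01 03       -> 3 clusters, sparse (no offset field)
#   31 02 00 01 00 -> 2 clusters at 22052 + 0x000100 = 22308
SAMPLE_RUNS = bytes.fromhex("21 18 34 56 11 05 F0 01 03 31 02 00 01 00 00")

def parse_data_runs(raw: bytes) -> List[Tuple[int, Optional[int]]]:
    """Return [(length_in_clusters, start_lcn), ...]; start_lcn is None for sparse runs."""
    runs: List[Tuple[int, Optional[int]]] = []
    pos = 0
    lcn = 0  # running absolute LCN; each offset field is a delta from this
    while pos < len(raw):
        header = raw[pos]
        pos += 1
        if header == 0:
            break  # end of run list
        len_size, off_size = header & 0x0F, header >> 4
        if len_size == 0:
            raise ValueError(f"invalid run header 0x{header:02x} at offset {pos - 1}")
        if pos + len_size + off_size > len(raw):
            raise ValueError("truncated data run list")
        length = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((length, None))  # sparse run: clusters are not on disk
            continue
        delta = int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
        pos += off_size
        lcn += delta
        runs.append((length, lcn))
    return runs

def vcn_to_lcn(runs: List[Tuple[int, Optional[int]]], vcn: int) -> Optional[int]:
    """Map a virtual cluster number inside the attribute to its LCN (None if sparse)."""
    base = 0
    for length, start in runs:
        if vcn < base + length:
            return None if start is None else start + (vcn - base)
        base += length
    raise ValueError(f"VCN {vcn} is beyond the end of the attribute")

if __name__ == "__main__":
    for length, start in parse_data_runs(SAMPLE_RUNS):
        print(f"{length:4d} clusters at LCN {start}")
```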