TZWorks LLC just posted a new tool for parsing 'INDX' artifacts from Windows NTFS volumes. The tool is called 'wisp' and can be downloaded at http//
'INDX' attributes are used to store the contents of a directory. Extracting directory items from the slack portion of the INDX attribute can identify evidence of a file's past presence after it has been deleted and is no longer part of the system. 'wisp' can operate on a live volume, an image of a volume or a single directory.
The tool is command line based and is geared for outputting data in a parsable CSV format. The EULA for the tool is free for personal, non-commercial use. There are binary versions that run on Windows, Linux and Mac OS-X.
Extracting directory items from the slack portion of the INDX attribute …
Oh, my 😯
Two Categories of Slack entries
just when I thought we were making progress here
http://www.forensicfocus.com/Forums/viewtopic/t=9374/
now we also have directory slack!!
Just joking ;) , very nice tool :)
jaclaz