$I30

In the README page of my tool, INDXRipper (Go check it out! It’s really cool), down in the “Limitations” section, I gave some warnings regarding the reliability of the tool: The tool may give false results. While false positives are rare, they are possible. Partially overwritten entries may not be found. If they are found, though, the tool may give you false information. These shortcomings apply to every $I30 parser, and in this post - I’ll explain why....

I often test my tools on my old computer at home. It’s so much more interesting to investigate than a newly created virtual machine. Today, while testing, I found evidence of activity from almost 2 years ago. It got me really excited, and I thought it would make a cool blog post! Here’s a snippet from the timeline I created using MFTECmd and INDXRipper: A Prefetch File in $I30 Slack The Prefetch file FLOSS64....