$I30 Parsers Output False Entries. Here's Why

In the README page of my tool, INDXRipper (Go check it out! It’s really cool), down in the “Limitations” section, I gave some warnings regarding the reliability of the tool: The tool may give false results. While false positives are rare, they are possible. Partially overwritten entries may not be found. If they are found, though, the tool may give you false information. These shortcomings apply to every $I30 parser, and in this post - I’ll explain why....

October 29, 2022 · 7 min · 1322 words · Harel Segev

Resolving File Paths Using the MFT

In NTFS, the MFT (Master File Table) is a structure that contains a lot of the file-system metadata, and also the contents of small files. It is stored in a special file, called $MFT. In incident response, we often collect and parse this file to determine the file system contents and how it changed over time, without having to acquire a full disk image. There are many bad MFT parsers out there....

July 7, 2022 · 16 min · 3401 words · Harel Segev
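The snippet above says the MFT is used to determine the file system contents, and that many parsers get it wrong. The part practitioners most often trip over is path resolution: each $FILE_NAME attribute carries a parent file reference, and that reference encodes both the parent's MFT entry number (low 48 bits) and its sequence number (high 16 bits). A parser that walks only the entry number will attach a deleted file to whatever folder later reused that entry. The following Python is an added example written for this page; it is not INDXRipper's or MFTECmd's code. The `MftRecord` class and the record set are constructed in memory for illustration rather than parsed from a real $MFT, and the `$Orphan` prefix is an assumed naming convention for files whose parent no longer exists.

```python
"""Resolve NTFS paths by walking $FILE_NAME parent references (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ROOT_ENTRY = 5  # On NTFS the root directory is always MFT entry 5.
ENTRY_MASK = (1 << 48) - 1


@dataclass(frozen=True)
class MftRecord:
    """Hypothetical, simplified MFT record: only what path resolution needs."""
    entry: int       # MFT entry number (record index)
    sequence: int    # sequence number, incremented each time the entry is reused
    name: str        # file name taken from the $FILE_NAME attribute
    parent_ref: int  # 64-bit parent file reference from $FILE_NAME
    in_use: bool     # False for deleted records; they are still resolved


def make_ref(entry: int, sequence: int) -> int:
    """Build a 64-bit NTFS file reference: low 48 bits entry, high 16 bits sequence."""
    return (sequence << 48) | (entry & ENTRY_MASK)


def split_ref(ref: int) -> Tuple[int, int]:
    """Split a 64-bit file reference into (entry, sequence)."""
    return ref & ENTRY_MASK, ref >> 48


def resolve_path(records: Dict[int, MftRecord], entry: int,
                 check_sequence: bool = True) -> Optional[str]:
    """Return the full path of `entry`, walking parents up to the root.

    With check_sequence=True a parent whose sequence number differs from the
    one stored in the child's reference is treated as gone (its entry was
    deleted and reused), and the file is reported under the assumed $Orphan
    prefix. check_sequence=False mimics a naive parser and shows the wrong
    path such a parser would report.
    """
    cur = records.get(entry)
    if cur is None:
        return None
    parts = []
    seen = set()
    while cur.entry != ROOT_ENTRY:
        if cur.entry in seen:  # guard against corrupted, cyclic references
            return None
        seen.add(cur.entry)
        parts.append(cur.name)
        parent_entry, parent_seq = split_ref(cur.parent_ref)
        parent = records.get(parent_entry)
        if parent is None or (check_sequence and parent.sequence != parent_seq):
            return "$Orphan/" + "/".join(reversed(parts))
        cur = parent
    return "/" + "/".join(reversed(parts))


# Constructed sample records (not from a real volume). Entry 43 was once the
# folder "Old" (sequence 1); it was deleted and the entry reused by "Temp"
# (sequence 2). secret.docx still points at sequence 1 of entry 43.
CONSTRUCTED_RECORDS: Dict[int, MftRecord] = {
    5:  MftRecord(5, 5, ".", make_ref(5, 5), True),
    40: MftRecord(40, 1, "Users", make_ref(5, 5), True),
    41: MftRecord(41, 2, "alice", make_ref(40, 1), True),
    42: MftRecord(42, 1, "notes.txt", make_ref(41, 2), True),
    43: MftRecord(43, 2, "Temp", make_ref(5, 5), True),
    44: MftRecord(44, 1, "secret.docx", make_ref(43, 1), False),
}

if __name__ == "__main__":
    for e in (42, 44):
        print(e, resolve_path(CONSTRUCTED_RECORDS, e),
              "| naive:", resolve_path(CONSTRUCTED_RECORDS, e, check_sequence=False))
```

Running it shows `notes.txt` resolving to `/Users/alice/notes.txt` either way, while `secret.docx` resolves to `$Orphan/secret.docx` with the sequence check and to the misleading `/Temp/secret.docx` without it. When evaluating an MFT parser, a deleted file whose parent entry has been reused is the first test case worth constructing.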

Home Adventures! A Prefetch File in $I30 Slack, PyInstaller & Prefetch Hash Cracking

I often test my tools on my old computer at home. It’s so much more interesting to investigate than a newly created virtual machine. Today, while testing, I found evidence of activity from almost 2 years ago. It got me really excited, and I thought it would make a cool blog post! Here’s a snippet from the timeline I created using MFTECmd and INDXRipper: A Prefetch File in $I30 Slack The Prefetch file FLOSS64....

July 2, 2022 · 5 min · 881 words · Harel Segev