MFT Analysis http://www.integriography.com/ http://windowsir.blogspot.com/2010/02/mft-analysis.html.

Presentation transcript:

MFT Analysis http://www.integriography.com/ http://windowsir.blogspot.com/2010/02/mft-analysis.html

analyzeMFT
- Written by David Kovar, CCE
- Python tool to parse $MFT
- Parses the attributes of each file in an NTFS file system
- Output is really gross CSV format
- At least 50 entries for each file
- All text
- Used by other applications

Output Fields
- Record Number
- Good - if the entry is valid
- Active - if the entry is active
- Record type - the type of record
- Record Sequence - the sequence number for the record
- Parent Folder Record Number
- Parent Folder Sequence Number
- For the standard information attribute: Creation date, Modification date, Access date, Entry date

Output Fields, cont.
- For up to four file name records: File name, Creation date, Modification date, Access date, Entry date
- Object ID
- Birth Volume ID
- Birth Object ID
- Birth Domain ID

Output Fields, cont.
- And flags to show if each of the following attributes is present: Standard Information, Attribute List, Filename, Object ID, Volume Name, Volume Info, Data, Index Root, Index Allocation, Bitmap, Reparse Point, EA Information, EA, Property Set, Logged Utility Stream
- Notes/Log - Field used to log any significant events or observations relating to this record
- std-fn-shift - Populated if anomaly detection is turned on. Y/N. Y indicates that the FN create date is later than the STD create date.
- usec-zero - Populated if anomaly detection is turned on. Y/N. Y indicates that the STD create date's microsecond value is zero.

I told you so!
"110575","Good","Inactive","0","5422 - 5426","3","TRANSFERMGR.EXE-24D2A23F.pf","2009/12/27 18:35:57.625000","2009/12/28 05:32:01.390625","2009/12/27 18:35:57.625000","2009/12/28 05:32:01.390625","2009/12/27 18:35:57.625000","2009/12/27 18:35:57.625000","2009/12/27 18:35:57.625000","2009/12/27 18:35:57.625000","","","","","TRANSFERMGR.EXE-24D2A23F.pf","2009/12/27 18:35:57.625000","2009/12/27 18:35:57.625000","2009/12/27 18:35:57.625000","2009/12/27 18:35:57.625000","","","","","","","","","","","True","False","False","False","False","False","True","False","False","False","False","False","False","False","False"
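The two anomaly rules described on the Output Fields slides (std-fn-shift and usec-zero), applied to records in the timestamp format of the sample line above. This is an added example, not analyzeMFT's own code; the column subset, header names and the second sample row are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Timestamp format as printed in analyzeMFT's CSV output (matches the slide's sample record).
TS_FORMAT = "%Y/%m/%d %H:%M:%S.%f"

# Assumed header: a subset of the columns the slides list, in that order.
# The names are constructed for this example, not copied from the tool.
HEADER = ["Record Number", "Good", "Active", "Filename",
          "SI Creation", "SI Modification", "SI Access", "SI Entry",
          "FN Creation", "FN Modification", "FN Access", "FN Entry"]

# Constructed sample rows. Row 1 mirrors the prefetch record on the slide
# (SI and FN create times agree, non-zero microseconds). Row 2 is a
# constructed record whose SI create time is earlier than its FN create
# time and has a zero microsecond component, the pattern both rules flag.
SAMPLE_CSV = (
    '"110575","Good","Inactive","TRANSFERMGR.EXE-24D2A23F.pf",'
    '"2009/12/27 18:35:57.625000","2009/12/28 05:32:01.390625",'
    '"2009/12/27 18:35:57.625000","2009/12/28 05:32:01.390625",'
    '"2009/12/27 18:35:57.625000","2009/12/27 18:35:57.625000",'
    '"2009/12/27 18:35:57.625000","2009/12/27 18:35:57.625000"\n'
    '"200001","Good","Active","sample.exe",'
    '"2005/01/01 12:00:00.000000","2005/01/01 12:00:00.000000",'
    '"2005/01/01 12:00:00.000000","2005/01/01 12:00:00.000000",'
    '"2009/12/28 05:40:10.218750","2009/12/28 05:40:10.218750",'
    '"2009/12/28 05:40:10.218750","2009/12/28 05:40:10.218750"\n'
)

def parse_ts(value):
    """Parse one timestamp field; empty fields (unused FN slots) become None."""
    return datetime.strptime(value, TS_FORMAT) if value else None

def check_record(row):
    """Return the std-fn-shift and usec-zero flags for one parsed CSV row."""
    si_create = parse_ts(row["SI Creation"])
    fn_create = parse_ts(row["FN Creation"])
    # std-fn-shift: FN create date later than the STD (SI) create date.
    std_fn_shift = bool(si_create and fn_create and fn_create > si_create)
    # usec-zero: STD create date has a microsecond value of zero.
    usec_zero = bool(si_create and si_create.microsecond == 0)
    return {"record": row["Record Number"], "filename": row["Filename"],
            "std-fn-shift": "Y" if std_fn_shift else "N",
            "usec-zero": "Y" if usec_zero else "N"}

def analyze(csv_text):
    """Run both checks over every row of analyzeMFT-style CSV text."""
    reader = csv.DictReader(io.StringIO(csv_text), fieldnames=HEADER)
    return [check_record(row) for row in reader]

if __name__ == "__main__":
    for result in analyze(SAMPLE_CSV):
        print(result)
```

A "Y" in either column is a lead to investigate, not proof of tampering: legitimate installers and file copies can also produce such timestamps.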

Usage
Usage: analyzeMFT.py [options]
Options:
  -h, --help            show this help message and exit
  -f FILE, --file=FILE  Read MFT from FILE
  -o FILE, --output=FILE
                        Write results to FILE
  -a, --anomaly         Turn on anomaly detection
  -b FILE, --bodyfile=FILE
                        Write MAC information to bodyfile
  -g, --gui             Use GUI for file selection
  -d, --debug           Turn on debugging output

Extract the MFT
ntfscopy by Jonathan Tomczak, http://tzworks.net
>ntfscopy \$MFT ntfs.mft -image ntfs.001 -offset 0x400000
analyzeMFT by David Kovar, Integriography.com
>python c:\bin\analyzeMFT.py -f ntfs.mft -o mft.txt