MFT Parsing

So, I was having lunch with my good friend Mike. Great guy. If you get a chance, take Mike to lunch. Anyway, we were discussing how EnCase doesn’t really give the user easy access to the MFT and there is some information in there that doesn’t get parsed by EnCase that could be useful to an examiner. So, on a bet, I built an EnScript to parse out the MFT record for all selected (blue checked) files. Mike had to pay for lunch and you get an EnScript.

Currently it just dumps info to the console. Next version will output to a series of sweeping bookmarks.

Download here
