NTFS Fix-Ups

I was asked what this Fix-up thing was that I mentioned in my last post. Fix-ups are used by NTFS to keep track of sectors that are part of specific data structures within the file system. This is done for a variety of reasons: detecting corruption from a failed disk sector, from a failed write, […]


$I30 INDX Parsing

I needed to walk a directory index for another script I was working on. I figured, as long as I was there trying to prototype that, I would just dump out the entire Index. I already have a couple of scripts that do this. One of the major things I noticed when I started working […]


MFT Parsing

So, I was having lunch with my good friend Mike. Great guy. If you get a chance, take Mike to lunch. Anyway, we were discussing how EnCase doesn’t really give the user easy access to the MFT and there is some information in there that doesn’t get parsed by EnCase that could be useful to […]
