Fix issues with deleted files

Question

Fix issues with deleted files

dkovar opened this issue 7 years ago · comments

See this blog:

http://az4n6.blogspot.com/2015/09/whos-your-master-mft-parsers-reviewed.html

dkovar · Answer 1 · Thu Apr 27 2017 19:02:05 GMT+0800 (China Standard Time)

"Great post Mari. It made me check my tools again. I believe most of these tools are determining the file size from the $FILENAME attribute. In some situations there is a value there but most of the time it's 0. In my experience the best place to find the file size is from the Attribute header. Table 13.3 and 13.4 in Brian Carrier's File System and Forensic Analysis provide this information."

dkovar · Answer 2 · Thu Apr 27 2017 19:05:50 GMT+0800 (China Standard Time)

"I also ran AnalyzeMFT with the default output, a csv file. In this output, the file did have a flag designating it as deleted, however, the bodyfile format does not. "

dkovar · Answer 3 · Thu Apr 27 2017 19:06:53 GMT+0800 (China Standard Time)

Read the whole blog article and ensure that all reported issues are fixed. One issue appears to be with bodyfiles, the other appears to be with where I get file sizes from.