How to use it?
josephernest opened this issue · comments
josephernest commented
I git cloned and installed analyzeMFT, but I don't know how to test it, for example, on my D:\. Can you give an example (for Windows) about how to analyze the MFT of an existing drive?
Thanks.
dkovar commented
Greetings,
You need to extract the $MFT from the file system first and then point analyzeMFT at it.
-David
josephernest commented
Thanks. How to extract the MFT of my NTFS D:\ with Windows?
@AboutDFIR commented
Hello,
Check out this article (https://whereismydata.wordpress.com/2009/06/05/forensics-what-is-the-mft/). There are plenty of forensics articles out there that can help guide and teach, but my recommendation would be to research the $MFT file itself so that you can understand what it is and what its purpose is and THEN extract and rip it.
--
Devon Ackerman
GCFA, GCFE, CFCE, CDFC, CICP, CCE
Definitive DFIR Compendium Project <http://www.aboutdfir.com>
Ransomware Research Project <https://goo.gl/b9R8DE>
APT Groups & Operations <https://goo.gl/QEayyo>
[linkedin] <https://www.linkedin.com/in/devonackerman> | [twitter] <https://twitter.com/aei4n6>
josephernest commented
Thanks @aei4n6, I read a few related articles indeed.
I can imagine there exists a ready-to-use tool on Windows that can extract/display the $MFT file?
@AboutDFIR commented
My humble recommendation would be something like AccessData's FTK Imager to expose and scrape out the system/hidden $MFT file itself.
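The two answers above come down to the same thing: Windows will not hand you D:\$MFT through the normal file API, so you either pull it out with a forensic imager such as FTK Imager or read it yourself from the raw volume. As an added example (not code from this thread, and not analyzeMFT's own code), here is a small Python script that takes the raw-volume route: it parses the NTFS boot sector to find record 0 of the $MFT, applies the update-sequence fixup so a torn record is detected instead of silently parsed, decodes the $DATA run list, cross-checks it against the boot sector, and copies the clusters out to a file that analyzeMFT can then be pointed at. The script name dump_mft.py, the volume path \\.\D:, the output name D_mft.bin and the two sample_* functions are assumptions for illustration; the sample boot sector and record are synthetic, not captured from a real disk. Opening \\.\D: requires an elevated (Administrator) prompt.

```python
import struct, sys


def parse_boot_sector(bs: bytes) -> dict:
    """Pull the geometry needed to locate $MFT out of the NTFS boot sector."""
    if bs[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector (OEM ID mismatch)")
    bytes_per_sector, spc = struct.unpack_from("<HB", bs, 0x0B)
    cluster_size = bytes_per_sector * (spc if spc < 0x80 else 1 << (256 - spc))  # 0xF0 encodes 2**16 sectors
    cpr = struct.unpack_from("<b", bs, 0x40)[0]  # negative: record size is 2**(-cpr) bytes
    record_size = (1 << -cpr) if cpr < 0 else cpr * cluster_size
    return {"bytes_per_sector": bytes_per_sector, "cluster_size": cluster_size,
            "mft_lcn": struct.unpack_from("<Q", bs, 0x30)[0], "record_size": record_size}


def apply_fixup(record: bytes, bytes_per_sector: int) -> bytearray:
    """Undo the update-sequence stamps NTFS writes into the last 2 bytes of every sector."""
    rec = bytearray(record)
    if rec[:4] != b"FILE":
        raise ValueError("bad FILE record signature")
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * bytes_per_sector
        if rec[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or corrupt record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec


def decode_data_runs(buf: bytes) -> list:
    """Decode a run list into (lcn, clusters) pairs; lcn None marks a sparse run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:
        len_sz, off_sz, pos = buf[pos] & 0x0F, buf[pos] >> 4, pos + 1
        length, pos = int.from_bytes(buf[pos:pos + len_sz], "little"), pos + len_sz
        if off_sz:  # the offset is a signed delta from the previous run's LCN
            lcn, pos = lcn + int.from_bytes(buf[pos:pos + off_sz], "little", signed=True), pos + off_sz
        runs.append((lcn if off_sz else None, length))
    return runs


def mft_data_runs(record: bytes, bytes_per_sector: int) -> tuple:
    """Return (runs, real size) of the unnamed non-resident $DATA attribute in MFT record 0."""
    rec = apply_fixup(record, bytes_per_sector)
    pos = struct.unpack_from("<H", rec, 0x14)[0]  # offset of the first attribute
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if atype == 0x80 and rec[pos + 9] == 0:  # $DATA with an empty name
            if rec[pos + 8] != 1:
                raise ValueError("$MFT $DATA is resident, which does not happen on a real volume")
            runs_off, _, _, _, real_size = struct.unpack_from("<HHIQQ", rec, pos + 0x20)
            return decode_data_runs(rec[pos + runs_off:pos + alen]), real_size
        pos += alen
    raise ValueError("no unnamed $DATA attribute in record 0")


def dump_mft(volume: str, out_path: str) -> int:
    r"""Copy $MFT out of \\.\D: (Administrator prompt needed) or a volume image; returns bytes written."""
    with open(volume, "rb", buffering=0) as vol, open(out_path, "wb") as out:
        geo = parse_boot_sector(vol.read(512))
        cs = geo["cluster_size"]
        vol.seek(geo["mft_lcn"] * cs)
        runs, real_size = mft_data_runs(vol.read(geo["record_size"]), geo["bytes_per_sector"])
        if runs[0][0] != geo["mft_lcn"]:
            raise ValueError("first $DATA run disagrees with the boot sector; refusing to continue")
        remaining = real_size
        for lcn, count in runs:  # $MFT is never sparse, so lcn is always an int here
            vol.seek(lcn * cs)
            todo = count * cs
            while todo and remaining:
                buf = vol.read(min(1 << 20, todo))  # bounded, sector-aligned raw reads
                if not buf:
                    raise IOError("short read from volume")
                out.write(buf[:remaining])
                remaining, todo = remaining - min(len(buf), remaining), todo - len(buf)
    return real_size - remaining


def sample_boot_sector() -> bytes:  # constructed test data, not from a real disk
    bs = bytearray(b"\0" * 3 + b"NTFS    " + struct.pack("<HB", 512, 8)).ljust(0x30, b"\0")
    bs += struct.pack("<Q", 0xC0000) + b"\0" * 8 + struct.pack("<b", -10)  # $MFT at LCN 0xC0000, 1 KiB records
    return bytes(bs.ljust(510, b"\0") + b"\x55\xAA")


def sample_mft_record() -> bytes:  # constructed record 0 matching sample_boot_sector()
    rec = bytearray(1024)
    rec[0:4], rec[0x30:0x36] = b"FILE", b"\x01\x00\xAA\xAA\xBB\xBB"  # magic; USN 1 + saved sector tails
    struct.pack_into("<HH", rec, 4, 0x30, 3)  # USA at 0x30, one entry per 512-byte sector
    struct.pack_into("<H", rec, 0x14, 0x38)  # first attribute at 0x38
    rec[510:512] = rec[1022:1024] = b"\x01\x00"  # on-disk USN stamps that fixup must replace
    a = 0x38
    struct.pack_into("<IIBBHHH", rec, a, 0x80, 0x50, 1, 0, 0x40, 0, 1)  # non-resident unnamed $DATA
    struct.pack_into("<QQHHI", rec, a + 0x10, 0, 87, 0x40, 0, 0)  # VCN 0..87, run list at +0x40
    struct.pack_into("<QQQ", rec, a + 0x28, 88 * 4096, 88 * 4096, 88 * 4096)  # alloc/real/init size
    # 64 clusters at LCN 0xC0000, then 16 at +0x1000, then 8 at -0x10 (signed delta), then terminator
    runs = bytes.fromhex("31 40 00 00 0C  21 10 00 10  11 08 F0  00")
    rec[a + 0x40:a + 0x40 + len(runs)] = runs
    struct.pack_into("<I", rec, a + 0x50, 0xFFFFFFFF)  # end-of-attributes marker
    return bytes(rec)


if __name__ == "__main__":  # python dump_mft.py \\.\D: D_mft.bin   (from an elevated prompt)
    print("wrote", dump_mft(sys.argv[1], sys.argv[2]), "bytes to", sys.argv[2])
```

Run it from an elevated prompt as `python dump_mft.py \\.\D: D_mft.bin`, then point analyzeMFT at the dump (for example `analyzeMFT.py -f D_mft.bin -o D_mft.csv`; check the project's USAGE.md for the current flags). Two caveats: the same code reads a dd image or a Linux block device just as well, and that is the better route for casework, because a live volume keeps changing while you read it, so records near the end of the dump may not match what was on disk when you started. The two integrity checks (the fixup comparison and the first run matching the boot sector) are there so that a torn record or a lying boot sector fails loudly instead of producing a plausible-looking but wrong dump.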
Benjamin Cance commented
I am going to close this as I have included a comprehensive USAGE.md in the directory.