Closed jamdunnDFW closed 5 years ago
EricZimmerman
commented
5 years ago Can you dump a single file record with the behavior and send me that? There is a switch for it in the program.
I don't know how it would be just a single os unless it behaves differently from everything else
What else have you verifies this with? Do you have xways?
Also what version of mftecmd?
EricZimmerman
commented
5 years ago i really need an example of:
1) what you are seeing 2) what you think it should be
ideally you can find a file record and dump it so i can parse the entire structure out here to see what is up
EricZimmerman
commented
5 years ago if you are seeing this within the first, say 50 FILE records, just cut that part off the MFT and send it.
i just dumped an MFT from the same OS but without specifics its hard to replicate what you are seeing. things look ok in this file when i spot checked things
EricZimmerman
commented
5 years ago closing this until more details are supplied due to OP inactivity. happy to look at this, but i need specifics
mftecmd is reporting incorrect $FN timestamps (they match the $std_info timestamps instead of reporting accurately) on an MFT file pulled from Windows Server 2008 R2 Server Standard Service Pack 1, 64-bit.
Can't provide the full MFT, but happy to provide additional data if helpful. Just let me know what you need.