Invoke-IR / PowerForensics

PowerForensics provides an all-in-one platform for live disk forensic analysis
MIT License

[Get-ForensicFileRecord] -Deleted switch parameter #138

Open jaredcatkinson opened 8 years ago

jaredcatkinson commented 8 years ago

Add -Deleted parameter to Get-ForensicFileRecord which will only return the records of deleted files.

jaredcatkinson commented 8 years ago

This should look into parsing the $MFT file's Bitmap values. I believe they are used by the File System to determine what MFT File Records are "unallocated" and thus representing deleted files.
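
An illustration of the bitmap check discussed in this issue, added here and not part of the issue thread or of PowerForensics: it reads the $MFT $BITMAP (one bit per file record, least significant bit first) and reports unallocated slots that still hold a FILE record, alongside the record header's own in-use flag. The 1024-byte record size, the function names and the sample data are assumptions constructed for the example.

```python
import struct

RECORD_SIZE = 1024      # assumed record size; in practice read it from the NTFS boot sector
FLAG_IN_USE = 0x0001    # FILE record header flags field (offset 0x16), bit 0 = in use

def bitmap_allocated(bitmap: bytes, index: int) -> bool:
    """$MFT $BITMAP holds one bit per file record, least significant bit first."""
    byte, bit = divmod(index, 8)
    return byte < len(bitmap) and bool((bitmap[byte] >> bit) & 1)

def deleted_records(mft: bytes, bitmap: bytes, record_size: int = RECORD_SIZE):
    """Return (index, header_in_use) for unallocated slots that still hold a FILE record."""
    found = []
    for index in range(len(mft) // record_size):
        if bitmap_allocated(bitmap, index):
            continue                        # slot is allocated: a live record
        record = mft[index * record_size:(index + 1) * record_size]
        if record[:4] != b"FILE":
            continue                        # never used or wiped slot, nothing to recover
        (flags,) = struct.unpack_from("<H", record, 0x16)
        # header_in_use == True means the header disagrees with the bitmap
        found.append((index, bool(flags & FLAG_IN_USE)))
    return found

def _make_record(flags: int, signature: bytes = b"FILE") -> bytes:
    """Constructed sample record: header fields only, remainder zero-filled."""
    rec = bytearray(RECORD_SIZE)
    rec[:4] = signature
    struct.pack_into("<H", rec, 0x16, flags)
    return bytes(rec)

# Constructed sample data: five record slots and the matching bitmap byte.
SAMPLE_MFT = b"".join([
    _make_record(0x0001),               # 0: live file
    _make_record(0x0000),               # 1: deleted file, record left behind
    _make_record(0x0000, b"\x00" * 4),  # 2: slot never used
    _make_record(0x0003),               # 3: live directory
    _make_record(0x0001),               # 4: bitmap clear but header flag still set
])
SAMPLE_BITMAP = bytes([0b00001001])     # bits 0 and 3 set: records 0 and 3 allocated

if __name__ == "__main__":
    for index, header_in_use in deleted_records(SAMPLE_MFT, SAMPLE_BITMAP):
        print(f"record {index}: unallocated, header in-use flag = {header_in_use}")
```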