Velocidex / velociraptor

https://docs.velociraptor.app/

Windows.Forensics.Recyclebin improvements #1521

Open randomaccess3 opened 2 years ago

randomaccess3 commented 2 years ago

During an evaluation of the Recyclebin artifact it was identified that this could be improved by incorporating an option to use the MFT parser to first identify $I files.

When a file is deleted from the Recycle Bin the $I and $R files are marked as deleted but will remain till they are overwritten. The $I files are generally very small and therefore may reside for a long time. During testing it was identified that the Windows.NTFS.MFT artifact could still see the deleted $I files and they were marked as no longer in use.

Suggestion for improvement would be to allow the examiner to choose whether they want to use the API (quick, but only parses allocated $I files) or MFT parser (much slower, but will parse all in use/not in use files).

The returned results using the MFT parser should be a more complete picture than would be available through the API. It will be slower, and error correction will be required in case the $I file references overwritten clusters.
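The point about error correction is the practical one: once $I records are carved from MFT entries that are no longer in use, some of them will point at clusters that have since been reused, and the parser has to reject those rather than emit a bogus path and timestamp. As an added illustration (not code from this issue or from Velociraptor), here is a small Python parser for the two publicly documented $I layouts (the Vista/7 fixed-length version 1 record and the Windows 10+ version 2 record with an explicit path length), with plausibility checks so an overwritten record is reported and skipped. The function names, the `BadIRecord` exception and the sample records are mine; the sample bytes are constructed, not captured from a real system.

```python
"""Parse Recycle Bin $I records, rejecting garbage from reallocated clusters.

$I layout (little-endian):
  version 1 (Vista/7):  u64 header=1, u64 original size, u64 FILETIME deleted,
                        520 bytes of UTF-16LE original path (null padded)
  version 2 (Win10+):   u64 header=2, u64 original size, u64 FILETIME deleted,
                        u32 path length in wide chars (incl. terminator), UTF-16LE path
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520  # MAX_PATH (260) wide characters
EARLIEST_PLAUSIBLE = datetime(1990, 1, 1, tzinfo=timezone.utc)
LATEST_PLAUSIBLE = datetime(2100, 1, 1, tzinfo=timezone.utc)


class BadIRecord(ValueError):
    """Bytes do not form a plausible $I record (e.g. the clusters were reused)."""


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; only used here to build synthetic records."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_record(data: bytes) -> Dict[str, object]:
    """Decode one $I record, or raise BadIRecord instead of returning nonsense."""
    if len(data) < 24:
        raise BadIRecord(f"record too short ({len(data)} bytes)")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    try:
        if version == 1:
            if len(data) < 24 + V1_PATH_BYTES:
                raise BadIRecord("version 1 record truncated")
            path = data[24:24 + V1_PATH_BYTES].decode("utf-16-le").split("\x00", 1)[0]
        elif version == 2:
            if len(data) < 28:
                raise BadIRecord("version 2 record truncated before path length")
            (nchars,) = struct.unpack_from("<I", data, 24)
            if nchars == 0 or nchars > 32767:  # NTFS path ceiling; larger means garbage
                raise BadIRecord(f"implausible path length {nchars}")
            end = 28 + nchars * 2
            if len(data) < end:
                raise BadIRecord("version 2 path runs past end of record")
            path = data[28:end].decode("utf-16-le").rstrip("\x00")
        else:
            raise BadIRecord(f"unknown header version {version:#x}")
        deleted = filetime_to_datetime(ft)
    except UnicodeDecodeError as exc:
        raise BadIRecord(f"path is not valid UTF-16LE: {exc}") from None
    except OverflowError:
        raise BadIRecord(f"FILETIME {ft:#x} out of datetime range") from None
    if not EARLIEST_PLAUSIBLE <= deleted <= LATEST_PLAUSIBLE:
        raise BadIRecord(f"implausible deletion time {deleted.isoformat()}")
    return {"version": version, "file_size": size, "deleted_at": deleted, "original_path": path}


def parse_many(blobs: List[Tuple[str, bytes]]) -> Tuple[List[Dict[str, object]], List[Tuple[str, str]]]:
    """Parse (name, bytes) pairs such as $I entries carved from in-use and not-in-use MFT records.
    Bad records are collected, not fatal, so one overwritten $I does not abort the run."""
    good, bad = [], []
    for name, blob in blobs:
        try:
            rec = parse_i_record(blob)
            rec["record"] = name
            good.append(rec)
        except BadIRecord as exc:
            bad.append((name, str(exc)))
    return good, bad


def build_i_record(path: str, size: int, deleted: datetime, version: int = 2) -> bytes:
    """Construct a synthetic $I record (test fixture, not captured from a real host)."""
    ft = datetime_to_filetime(deleted)
    if version == 2:
        return struct.pack("<QQQI", 2, size, ft, len(path) + 1) + (path + "\x00").encode("utf-16-le")
    if version == 1:
        return struct.pack("<QQQ", 1, size, ft) + path.encode("utf-16-le").ljust(V1_PATH_BYTES, b"\x00")
    raise ValueError("version must be 1 or 2")


# Constructed sample set: one allocated record, one carved from a not-in-use MFT entry,
# and one whose clusters were reused (arbitrary bytes standing in for foreign data).
SAMPLE_BLOBS = [
    ("$IABC123.docx (allocated)",
     build_i_record("C:\\Users\\alice\\Documents\\secret.docx", 12345,
                    datetime(2023, 1, 15, 12, 0, 0, tzinfo=timezone.utc))),
    ("$IDEF456.txt (MFT entry not in use)",
     build_i_record("C:\\Users\\alice\\Desktop\\notes.txt", 987,
                    datetime(2022, 11, 3, 8, 30, 15, tzinfo=timezone.utc), version=1)),
    ("$IGHI789.pdf (MFT entry not in use, clusters reused)", bytes(range(40, 104))),
]

if __name__ == "__main__":
    ok, errs = parse_many(SAMPLE_BLOBS)
    for r in ok:
        print(f"{r['record']}: {r['original_path']} ({r['file_size']} bytes), "
              f"deleted {r['deleted_at']:%Y-%m-%d %H:%M:%S} UTC")
    for name, why in errs:
        print(f"{name}: skipped, {why}")
```

The plausibility window on the deletion timestamp and the cap on the path length are the cheap checks that catch most reused clusters; a record that passes them but whose $I name no longer matches any $R entry is the remaining case an examiner has to weigh by hand.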

randomaccess3 commented 2 years ago

Alternatively it may be beneficial for Velociraptor to run an MFT parser periodically and allow artifacts to reference a moderately up-to-date table of data. This may impact performance if it has to be kept up to date - but if you ran the same artifact before parsing PF/$I/LNK files you would get a more complete picture.