rowingdude / analyzeMFT

AnalyzeMFT did not see alternate data streams #10

Closed SirGerbs closed 9 years ago

SirGerbs commented 10 years ago

Hello,

I was using analyzeMFT to parse out an MFT file. When I opened the MFT in a hex editor, I was able to see that the file '\system32_challenge\calc.exe' definitely has an ADS named 'hidden.txt'. However, analyzeMFT did not report on this at all. As I understand it, 'hidden.txt' should have appeared under the column 'filename 2', correct?

I read as much as I could about analyzeMFT to make sure I was using it correctly and reading the output right.

I used another tool called 'NTFSwalk' which also parses the output of the MFT file to csv format, except the output is much uglier than that of analyzeMFT. However, this tool did report the ADS hidden.txt.

I just wanted to let you know about my experience and results. Please let me know if you would like me to send you the MFT file in question so you can look at it.

dkovar commented 10 years ago

Greetings,

I'd been meaning to check to see what it did with ADS files. Now I know. Oops. Could you send me the MFT? I'll get it fixed.

Thank you.

-David

dkovar commented 10 years ago

Greetings,

I created my own $MFT with an ADS file. I'll dig into this.

-David

dkovar commented 9 years ago

Greetings,

This should be fixed now.

-David