rowingdude / analyzeMFT

MIT License

Fix issues with deleted files #47

Open dkovar opened 7 years ago

dkovar commented 7 years ago

See this blog:

http://az4n6.blogspot.com/2015/09/whos-your-master-mft-parsers-reviewed.html

dkovar commented 7 years ago

"Great post Mari. It made me check my tools again. I believe most of these tools are determining the file size from the $FILENAME attribute. In some situations there is a value there but most of the time it's 0. In my experience the best place to find the file size is from the Attribute header. Table 13.3 and 13.4 in Brian Carrier's File System and Forensic Analysis provide this information."

dkovar commented 7 years ago

"I also ran AnalyzeMFT with the default output, a csv file. In this output, the file did have a flag designating it as deleted, however, the bodyfile format does not."
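An added example (not analyzeMFT's own code) covering both quoted points: a constructed MFT record whose $FILE_NAME real size is 0 while the unnamed $DATA attribute header carries the true size, parsed by preferring the attribute header, and written as a bodyfile row that marks deleted entries. Offsets follow the standard NTFS record and attribute layouts; the record bytes, the data run and record number 42 are constructed.

```python
import struct

FILE_NAME, DATA, END = 0x30, 0x80, 0xFFFFFFFF   # attribute type codes and end marker

def resident(atype, content):   # 0x18-byte resident header, content follows, 8-byte aligned
    total = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0)
    return (hdr + content).ljust(total, b"\0")
def nonresident_data(real_size, runs):   # unnamed $DATA: sizes live in the 0x40-byte header
    total = (0x40 + len(runs) + 7) & ~7
    hdr = struct.pack("<IIBBHHHQQHHIQQQ", DATA, total, 1, 0, 0x40, 0, 1, 0, 0, 0x40, 0, 0,
                      (real_size + 4095) & ~4095, real_size, real_size)
    return (hdr + runs).ljust(total, b"\0")
def file_name_content(name, real_size):   # parent ref, 4 timestamps, alloc/real size, flags, name
    return (struct.pack("<QQQQQQQIIBB", 5, 0, 0, 0, 0, 0, real_size, 0, 0, len(name), 1)
            + name.encode("utf-16-le"))
def build_record(name, fn_size, data_size, in_use, recno=42):   # constructed 1 KiB MFT record
    hdr = bytearray(0x38)
    hdr[0:4] = b"FILE"
    # first-attribute offset, flags (bit 0 = in use), used/alloc size, base ref, next attr id, recno
    struct.pack_into("<HHIIQHHI", hdr, 0x14, 0x38, 1 if in_use else 0, 0, 1024, 0, 2, 0, recno)
    attrs = (resident(FILE_NAME, file_name_content(name, fn_size))
             + nonresident_data(data_size, b"\x11\x01\x20\x00") + struct.pack("<I", END))
    return (bytes(hdr) + attrs).ljust(1024, b"\0")

def parse_record(rec):   # name, both size sources and deleted state of one record
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT record")
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"inode": struct.unpack_from("<I", rec, 0x2C)[0], "deleted": not flags & 1,
            "name": None, "fn_size": None, "data_size": None}
    while True:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen == 0:   # end marker, or a corrupt zero-length attribute
            break
        if atype == FILE_NAME:
            body = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            info["fn_size"] = struct.unpack_from("<Q", rec, body + 0x30)[0]
            nlen = rec[body + 0x40]
            info["name"] = rec[body + 0x42:body + 0x42 + 2 * nlen].decode("utf-16-le")
        elif atype == DATA and rec[off + 9] == 0:   # unnamed stream: size from attr header
            info["data_size"] = (struct.unpack_from("<Q", rec, off + 0x30)[0] if rec[off + 8]
                                 else struct.unpack_from("<I", rec, off + 0x10)[0])
        off += alen
    return info

def bodyfile_line(info):   # Sleuth Kit bodyfile row; deleted entries marked as fls does
    name = info["name"] + (" (deleted)" if info["deleted"] else "")
    size = info["fn_size"] if info["data_size"] is None else info["data_size"]
    return f"0|{name}|{info['inode']}|r/rrwxrwxrwx|0|0|{size}|0|0|0|0"
```

Feeding the record back through `parse_record` shows `fn_size` as 0 and `data_size` as the real length, and the deleted record's row carries the "(deleted)" suffix that the csv flag conveys.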

dkovar commented 7 years ago

Read the whole blog article and ensure that all reported issues are fixed. One issue appears to be with bodyfiles, the other appears to be with where I get file sizes from.