rowingdude / analyzeMFT

MIT License

How to use it? #49

Open josephernest opened 7 years ago

josephernest commented 7 years ago

I git cloned and installed analyzeMFT, but I don't know how to test it, for example, on my D:\. Can you give an example (for Windows) about how to analyze the MFT of an existing drive?

Thanks.

dkovar commented 7 years ago

Greetings,

You need to extract the $MFT from the file system first and then point analyzeMFT at it.

-David


josephernest commented 7 years ago

Thanks. How to extract the MFT of my NTFS D:\ with Windows?

aei4n6 commented 7 years ago

Hello,

Check out this article (https://whereismydata.wordpress.com/2009/06/05/forensics-what-is-the-mft/). There are plenty of Forensics articles out there that can help guide and teach, but my recommendation would be to research the $MFT file itself so that you can understand what it is and what its purpose is and THEN extract and rip it.

Devon Ackerman

GCFA, GCFE, CFCE, CDFC, CICP, CCE | Definitive DFIR Compendium Project http://www.aboutdfir.com | Ransomware Research Project https://goo.gl/b9R8DE | APT Groups & Operations https://goo.gl/QEayyo | [linkedin] https://www.linkedin.com/in/devonackerman | [twitter] https://twitter.com/aei4n6

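The record layout the comment above recommends studying, as an added example that is not analyzeMFT's own code: a Python parser for one $MFT FILE record that applies the per-sector update-sequence fixups and pulls the four $STANDARD_INFORMATION timestamps. The record it parses is constructed in build_sample_record(); an extracted $MFT is read the same way, one 1024-byte slice at a time.

```python
# Added example (not analyzeMFT's own code): parse one NTFS $MFT FILE record; the sample record is constructed.
import struct
from datetime import datetime, timedelta, timezone
RECORD_SIZE, SECTOR, FLAG_IN_USE, FLAG_DIRECTORY = 1024, 512, 0x01, 0x02
ATTR_STANDARD_INFORMATION, ATTR_END = 0x10, 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)      # FILETIME: 100 ns ticks since this epoch

def apply_fixups(rec):
    """Undo the update-sequence fixups NTFS stores in the last 2 bytes of each sector; None if torn."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    usn, buf = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        if buf[end:end + 2] != usn:
            return None                                       # USN mismatch: record only partially written
        buf[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_record(raw):
    """Header flags plus $STANDARD_INFORMATION timestamps of one 1024-byte record, or None."""
    if raw[:4] != b"FILE" or (rec := apply_fixups(raw)) is None:
        return None                                           # unused slot, foreign data or torn record
    first_attr, flags, used = struct.unpack_from("<HHI", rec, 0x14)
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0],
            "in_use": bool(flags & FLAG_IN_USE), "is_dir": bool(flags & FLAG_DIRECTORY)}
    off = first_attr
    while off + 8 <= min(used, len(rec)):                     # walk attributes up to the 0xFFFFFFFF end marker
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen < 0x18:
            break
        if atype == ATTR_STANDARD_INFORMATION and rec[off + 8] == 0:   # resident form only
            coff = struct.unpack_from("<H", rec, off + 0x14)[0]
            times = struct.unpack_from("<QQQQ", rec, off + coff)       # created, modified, MFT modified, accessed
            info["si_times"] = tuple(EPOCH_1601 + timedelta(microseconds=t // 10) for t in times)
        off += alen
    return info

def build_sample_record():
    """Constructed in-use record no. 42 holding one resident $STANDARD_INFORMATION, with fixups applied."""
    def ft(y, m, d):
        return ((datetime(y, m, d, tzinfo=timezone.utc) - EPOCH_1601) // timedelta(microseconds=1)) * 10
    si = struct.pack("<QQQQI", ft(2017, 6, 23), ft(2017, 6, 24), ft(2017, 6, 24), ft(2017, 6, 25), 0x20).ljust(72, b"\0")
    attr = struct.pack("<IIBBHHHIHBB", ATTR_STANDARD_INFORMATION, 0x18 + len(si), 0, 0, 0x18, 0, 0, len(si), 0x18, 0, 0) + si
    rec = bytearray(RECORD_SIZE)
    rec[:0x30] = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, FLAG_IN_USE,
                                        0x38 + len(attr) + 8, RECORD_SIZE, 0, 2, 0, 42)
    rec[0x38:0x38 + len(attr)] = attr
    rec[0x38 + len(attr):0x3C + len(attr)] = struct.pack("<I", ATTR_END)
    rec[0x30:0x32] = rec[SECTOR - 2:SECTOR] = rec[2 * SECTOR - 2:2 * SECTOR] = b"\x07\x00"   # USN and both sector fixups
    return bytes(rec)
```

Run parse_record() over each 1024-byte slice of an extracted $MFT; a None result marks an unused slot or a torn record, which is worth logging rather than silently skipping.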

josephernest commented 7 years ago

Thanks @aei4n6, I read a few related articles indeed.

I can imagine there exists a ready-to-use tool on Windows that can extract/display the $MFT file?

aei4n6 commented 7 years ago

My humble recommendation would be something like AccessData's FTK Imager to expose and scrape out the system/hidden $MFT file itself.

Devon Ackerman

