Open josephernest opened 7 years ago
Greetings,
You need to extract the $MFT from the file system first and then point analyzeMFT at it.
-David
On Jun 23, 2017, at 2:27 PM, josephernest notifications@github.com wrote:
I git cloned and installed analyzeMFT, but I don't know how to test it, for example, on my D:\ drive. Can you give an example (for Windows) of how to analyze the MFT of an existing drive?
Thanks.
Thanks. How do I extract the MFT of my NTFS D:\ with Windows?
Hello,
Check out this article ( https://whereismydata.wordpress.com/2009/06/05/forensics-what-is-the-mft/). There are plenty of Forensics articles out there that can help guide and teach, but my recommendation would be to research the $MFT file itself so that you can understand what it is and what its purpose is and THEN extract and rip it.
Devon Ackerman
GCFA, GCFE, CFCE, CDFC, CICP, CCE
Definitive DFIR Compendium Project http://www.aboutdfir.com
Ransomware Research Project https://goo.gl/b9R8DE
APT Groups & Operations https://goo.gl/QEayyo
[linkedin] https://www.linkedin.com/in/devonackerman | [twitter] https://twitter.com/aei4n6
On Fri, Jun 23, 2017 at 2:31 PM, josephernest notifications@github.com wrote:
Thanks. How do I extract the MFT of my NTFS D:\ with Windows?
Thanks @aei4n6, I read a few related articles indeed.
I can imagine there exists a ready-to-use tool on Windows that can extract/display the $MFT file?
My humble recommendation would be something like AccessData's FTK Imager to expose and scrape out the system/hidden $MFT file itself.
Devon Ackerman
On Fri, Jun 23, 2017 at 2:41 PM, josephernest notifications@github.com wrote:
Thanks @aei4n6, I read a few related articles. But I can imagine there exists a ready-to-use tool on Windows that can extract/display the $MFT file?
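As an added example of the step described earlier in the thread (get $MFT off the volume first, then point analyzeMFT at the file), here is a small extractor. It is not analyzeMFT's code and not from anyone in this thread. It reads the raw volume (on a live Windows system $MFT is locked, so an elevated prompt and raw `\\.\D:` access are the way past that), parses the NTFS boot sector, applies the update-sequence fixups to MFT record 0, decodes the unnamed $DATA runlist and returns the $MFT bytes in their on-disk form, fixups intact, which is what an MFT parser expects. The image produced by `build_test_image` is constructed for the example and is not a real volume; every other name here is this example's own.

```python
# Added example (not analyzeMFT's code, not from this thread): carve $MFT out of a raw
# NTFS volume or image by following boot sector -> MFT record 0 -> $DATA runlist.
import struct

ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF


def parse_boot_sector(bs):
    """Geometry from the NTFS boot sector: sector size, cluster size, $MFT LCN, record size."""
    if bs[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bps = struct.unpack_from("<H", bs, 0x0B)[0]
    cluster = bps * bs[0x0D]
    mft_lcn = struct.unpack_from("<Q", bs, 0x30)[0]
    rec = struct.unpack_from("<b", bs, 0x40)[0]  # negative => record size is 2**-rec bytes
    record_size = 2 ** -rec if rec < 0 else rec * cluster
    return bps, cluster, mft_lcn, record_size


def apply_fixups(rec, bps):
    """Undo update-sequence-array protection of a FILE record in place."""
    if rec[:4] != b"FILE":
        raise ValueError("bad FILE record signature")
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        end = i * bps
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn write or not a FILE record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]


def decode_runlist(buf):
    """Decode an NTFS runlist into [(lcn, clusters)]; lcn None marks a sparse run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        length = int.from_bytes(buf[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz == 0:                      # sparse run: nothing allocated on disk
            runs.append((None, length))
            continue
        lcn += int.from_bytes(buf[pos:pos + off_sz], "little", signed=True)  # relative LCN
        pos += off_sz
        runs.append((lcn, length))
    return runs


def mft_data_runs(rec):
    """Locate the unnamed non-resident $DATA attribute; return (runs, real_size)."""
    pos = struct.unpack_from("<H", rec, 0x14)[0]   # first attribute offset
    while True:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == ATTR_END:
            raise ValueError("record has no $DATA attribute")
        if atype == ATTR_DATA and rec[pos + 9] == 0:   # name length 0 => unnamed stream
            if not rec[pos + 8]:
                raise ValueError("$MFT $DATA is resident; unexpected")
            rl_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
            real_size = struct.unpack_from("<Q", rec, pos + 0x30)[0]
            return decode_runlist(rec[pos + rl_off:pos + alen]), real_size
        pos += alen


def extract_mft(read):
    """read(offset, size) -> bytes over a raw volume or image. Returns $MFT, fixups intact."""
    bps, cluster, mft_lcn, record_size = parse_boot_sector(read(0, 4096))
    # Read a whole cluster (sector aligned even on 4Kn disks) and keep record 0 from it.
    rec = bytearray(read(mft_lcn * cluster, max(record_size, cluster))[:record_size])
    apply_fixups(rec, bps)
    runs, real_size = mft_data_runs(rec)
    out = bytearray()
    for lcn, n in runs:
        out += b"\0" * (n * cluster) if lcn is None else read(lcn * cluster, n * cluster)
    return bytes(out[:real_size])


def build_test_image():
    """Constructed 40 KiB image (not a real volume): record 0 at LCN 4, $DATA = [LCN 4]+[LCN 8]."""
    img = bytearray(10 * 4096)
    img[3:11] = b"NTFS    "
    struct.pack_into("<HB", img, 0x0B, 512, 8)      # 512-byte sectors, 8 per cluster
    struct.pack_into("<Q", img, 0x30, 4)            # $MFT starts at LCN 4
    struct.pack_into("<b", img, 0x40, -10)          # 2**10 = 1024-byte records
    rec = bytearray(1024)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)        # USA at 0x30: USN + one word per sector
    struct.pack_into("<H", rec, 0x14, 0x38)         # first attribute at 0x38
    struct.pack_into("<IIBB", rec, 0x38, ATTR_DATA, 0x48, 1, 0)   # non-resident, unnamed
    struct.pack_into("<H", rec, 0x58, 0x40)         # runlist offset within the attribute
    struct.pack_into("<Q", rec, 0x68, 8192)         # real size of $MFT
    rec[0x78:0x7F] = bytes([0x11, 1, 4, 0x11, 1, 4, 0])   # +4 -> LCN 4, +4 -> LCN 8, end
    struct.pack_into("<I", rec, 0x80, ATTR_END)
    struct.pack_into("<H", rec, 0x30, 1)            # USN = 1; stash real sector-end words
    for i in (1, 2):
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[512 * i - 2:512 * i]
        struct.pack_into("<H", rec, 512 * i - 2, 1)
    img[4 * 4096:4 * 4096 + 1024] = rec
    img[8 * 4096:8 * 4096 + 4] = b"FILE"            # marker so the second run is visible
    return bytes(img)


def demo():
    img = build_test_image()
    return extract_mft(lambda off, n: img[off:off + n])
```

To use it on a live D: volume, run from an elevated prompt with something like `with open(r"\\.\D:", "rb") as f: data = extract_mft(lambda off, n: (f.seek(off), f.read(n))[1])`, remembering that raw device reads must be sector aligned (the code only reads whole clusters, plus a 4096-byte boot read that covers 4Kn disks) and that the output should be written to a different drive than the one being examined. The same `read` callable works against an E01-mounted or dd image. Then hand the output file to analyzeMFT (see its `--help` for the option names).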