Saturday, February 8, 2014

Daily Blog #231: Sunday Funday 2/9/14

Hello Reader,
     It's Sunday! Time to put the forensic pedal to the metal and get ready for this week's Sunday Funday! If you watched the Forensic Lunch this week, you heard Willi Ballenthin talk about his new tool fuse-mft, so let's test your NTFS knowledge this week.

The Prize:
A $200 Amazon Gift Card

The Rules:
  1. You must post your answer before Monday 2/10/14 2AM CST (GMT -6)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:
You have an MFT extracted from a live system that you've taken back to your analysis system. You've used Willi Ballenthin's fuse-mft to mount the MFT and begin your inspection. Answer the following questions:

1. What functions do you expect to work against the FUSE-mounted MFT?
2. What functions will not work against the FUSE-mounted MFT?
3. What information, retrievable from the live system, is missing in this method that you could recover if you parsed the MFT with the rest of the image accessible?
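To make the distinction behind question 3 concrete, here is an added example written for this edit (not part of the original post and not fuse-mft's code): a minimal parser for one NTFS MFT FILE record that applies the update sequence fixups, walks $STANDARD_INFORMATION, $FILE_NAME and $DATA, and reports which parts of a file an MFT-only view can return and which image byte ranges it would still need. The two records are constructed in memory and are not real evidence, and the cluster size is an assumption, since that value lives in the boot sector, which an extracted MFT does not carry.

```python
"""Parse an NTFS MFT FILE record and report what an MFT-only view can and
cannot recover.  Sample records are constructed here, not real evidence;
CLUSTER_SIZE is assumed (it comes from the boot sector, not the MFT)."""
import struct
from datetime import datetime, timedelta, timezone

ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_DATA = 0x10, 0x30, 0x80
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
CLUSTER_SIZE = 4096  # assumed; read it from the boot sector when you have the image

def filetime(ft):  # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def apply_fixups(rec):
    """Check each sector's update sequence number and restore the original words."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn, rec = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):
        end = 512 * i
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d (torn or corrupt record)" % (i - 1))
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_runlist(buf):
    """Decode a data-run list into (LCN, cluster count); LCN None marks a sparse run."""
    runs, pos, lcn = [], 0, 0
    while buf[pos]:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        count = int.from_bytes(buf[pos:pos + len_sz], "little"); pos += len_sz
        if off_sz:  # offsets are signed and relative to the previous run's LCN
            lcn += int.from_bytes(buf[pos:pos + off_sz], "little", signed=True); pos += off_sz
            runs.append((lcn, count))
        else:
            runs.append((None, count))
    return runs

def parse_record(rec):
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(rec)
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0],
            "in_use": bool(flags & 1), "is_dir": bool(flags & 2), "attrs": []}
    while True:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF:
            break
        a = {"type": atype, "resident": rec[off + 8] == 0}
        if a["resident"]:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                a["times"] = [filetime(t) for t in struct.unpack_from("<4Q", body, 0)]
            elif atype == ATTR_FILE_NAME:
                a["parent"] = struct.unpack_from("<Q", body, 0)[0] & 0xFFFFFFFFFFFF
                a["times"] = [filetime(t) for t in struct.unpack_from("<4Q", body, 8)]
                a["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
            elif atype == ATTR_DATA:
                a["content"] = body  # resident: the file's bytes are inside the MFT record
        else:
            run_off, = struct.unpack_from("<H", rec, off + 0x20)
            a["size"] = struct.unpack_from("<Q", rec, off + 0x30)[0]
            a["runs"] = parse_runlist(rec[off + run_off:off + alen])
            a["content"] = None  # non-resident: bytes live in clusters the MFT does not carry
        info["attrs"].append(a)
        off += alen
    return info

def summarize(rec):
    """Name and content an MFT-only view yields, plus image byte ranges it still needs."""
    info = parse_record(rec)
    out = {"record": info["record"], "name": None, "content": None, "needs_image": []}
    for a in info["attrs"]:
        if a["type"] == ATTR_FILE_NAME:
            out["name"] = a["name"]
        elif a["type"] == ATTR_DATA:
            out["content"] = a["content"]
            if not a["resident"]:
                out["needs_image"] = [(lcn * CLUSTER_SIZE, n * CLUSTER_SIZE)
                                      for lcn, n in a["runs"] if lcn is not None]
    return out

# --- constructed sample records (not real evidence) -------------------------
def attr(atype, content=None, runs=b"", real_size=0, clusters=0):
    if content is not None:
        body = struct.pack("<IIBBHHHIHBB", atype, 0, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0) + content
    else:
        body = struct.pack("<IIBBHHHQQHHIQQQ", atype, 0, 1, 0, 0x40, 0, 0, 0, clusters - 1, 0x40,
                           0, 0, clusters * CLUSTER_SIZE, real_size, real_size) + runs
    body += b"\0" * (-len(body) % 8)
    return body[:4] + struct.pack("<I", len(body)) + body[8:]

def build_record(recno, attrs):
    usn, body = b"\x01\x00", b"".join(attrs) + b"\xff\xff\xff\xff"
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                      0x38 + len(body), 1024, 0, len(attrs), 0, recno)
    rec = bytearray(hdr + usn + b"\0" * 6 + body)
    rec += b"\0" * (1024 - len(rec))
    for i in (1, 2):  # stash each sector's last word in the USA, overwrite it with the USN
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[512 * i - 2:512 * i]
        rec[512 * i - 2:512 * i] = usn
    return bytes(rec)

T = datetime(2014, 2, 9, 12, 0, tzinfo=timezone.utc)
FT = to_filetime(T)
SI = attr(ATTR_STANDARD_INFORMATION, struct.pack("<4Q4I", FT, FT, FT, FT, 0x20, 0, 0, 0))

def fname(name, size):  # parent reference 5 = root directory
    return attr(ATTR_FILE_NAME, struct.pack("<7Q2IBB", 5 | (5 << 48), FT, FT, FT, FT, size, size,
                                            0x20, 0, len(name), 3) + name.encode("utf-16-le"))

# notes.txt: 6 bytes, resident $DATA.  big.bin: 12 clusters in two runs
# (LCN 0x1234 x8, then LCN 0x1334 x4); the MFT holds only the map to them.
RESIDENT_REC = build_record(40, [SI, fname("notes.txt", 6), attr(ATTR_DATA, b"secret")])
NONRES_REC = build_record(41, [SI, fname("big.bin", 49052),
                               attr(ATTR_DATA, runs=b"\x21\x08\x34\x12\x21\x04\x00\x01\x00",
                                    real_size=49052, clusters=12)])

if __name__ == "__main__":
    for rec in (RESIDENT_REC, NONRES_REC):
        print(summarize(rec))
```

Run it and the resident record hands back its bytes straight from the MFT, while the non-resident record hands back only a list of cluster ranges that mean nothing without the volume they index. The fixup check is also the step that catches a torn or partially overwritten record before any of its attributes are trusted, which matters when the MFT was pulled from a live system.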