Hello Reader,
Knowing the limits of a tool is important as it helps prevent false positives and fake dead ends. If you know where your tool stops you can know where to turn to follow an interesting artifact further, sometimes leading to a solved case.
Knowing the limits of a tool is important as it helps prevent false positives and fake dead ends. If you know where your tool stops you can know where to turn to follow an interesting artifact further, sometimes leading to a solved case.
In this weeks challenge we have a very cool and innovative tool called fuse-mft from Willi Ballenthin, which can really speed up the quick triage of a system with existing tools that don't support MFTs directly, what is more important though is the limits of fuse-mft if you are looking for something that it can't contain due to the nature of how file record attributes are written to the disk.
Keep in mind your tools limits and where the evidence you are looking for truely exists while you read this weeks winning answer.
The Challenge:
The Challenge:
You have an MFT extracted from a live system that you've taken back to your analysis system. You've used Willi Ballenthin's fuse-mft to mount the MFT and begin your inspection.Answer the following questions:
1. What functions do you expect to work against the fused mounted MFT
2. What functions will not work against the fused mounted MFT
3. What information, retrievable from the live system, is missing in this method that you could recover if you parsed the MFT with the rest of the image accessible
The Winning Answer
1. What functions do you expect to work against the fused mounted MFT
- List the contents of directories
- List timestamps of files (STANDARD_INFORMATION and FILE_NAME)
- View contents of resident files (as well as data in record slack from previous files)
- View file allocation status
- Identify EFS-encrypted files
2. What functions will not work against the fused mounted MFT
- View contents of non-resident attributes
- Eliminates keyword searching of non-resident files, parsing, exporting, etc.
3. What information, retrievable from the live system, is missing in this method that you could recover if you parsed the MFT with the rest of the image accessible
Also Read: Daily Blog #231
- Viewing and working with non-resident attributes (the $DATA and $EFS attributes are two that come to mind)
- Carving from unallocated clusters and slack space
Post a Comment