Bend Me, Shape Me (by Paul W. Smith)
LMTV Sharkfest | UDP and TCP : the Gory Details - Part One (by DC Palter)

MFT Walk Through (by: Casey Mullis)

The more things change, the more they stay the same. Like the wheel, data may be knew or ways to store it but in the end, the old way of keeping up with it is the same. The wheel has seen upgrades but the design is still the same. Computer devices have to have a way of knowing where things are just like the Public Library. This is where the $MFT file comes in to play. Once you have it, you can find all things on a system. To see what I am talking about, take five minutes of your time to watch the video we put together to show you how easy it is.

XXX_IMG_3319_A

 

Welcome to the introduction of the Master File Table also known as MFT file collected by the Win-Fo program. Win-Fo collects many files of importance for an investigation, in under ten minutes. The one that holds a lot of value is the MFT file. The MFT file is the Dewey Decimal System of the computer world. Every computer, like the Public Library has to be able to point to the files on a hard drive. How else will it know what to show on your Desk Top or under your Documents?

The first thing we need to do is load up the MFT file in question. Browse to the Report folder located on your Win-Fo USB key or where you copied the folder to. Open the computer report folder you wish to look at. In the folder you will find a directory called “System Files” in here you will find “$MFT”. We will create a directory to put it in.

Once the processing is complete you can see how many Files, how many deleted, how many directories, and how many deleted directories. You can also see how long it took to complete in seconds.

Collecting the MFT gives you the ability to search for files. Let’s see if my email address shows up. Ah yes here it is. We can see the properties of the database. All the information we need to know about a file.

What if I am not sure but know a date and time range. Can the MFT give me the files in that range? Yes, you can find it based on date and time ranges. Just pick the file type and attribute you are looking for.

Maybe you want to browse the hard drive but you did not image it or collect it, because you were not sure there was anything there you needed. Can you browse the drive without having the drive? Yes, you can with the right tools in hand; all things are possible. As long as you ran Win-Fo before you left, you will have a lot of files that will tell you just about anything that was on that machine.

Why would I do this instead of taking all the computers? Maybe you have twenty computers and seize a couple but want to make sure there is nothing on the others. You can do that and if you find something worthy of further investigation, you can go back and get the computer in question.

Win-Fo is not a one tool fits all but it does have its place in your toolbox. It will make your life simpler, when collection of data is needed. Win-Fo gets to those active files that others do not. MFT file is only one piece of data and or file we collect.

See this write up also What is the Master File Table

Thank you for stopping by and we hope this helps you in your work or interests today.

 

Casey

Author - Emory Mullis has been in Law Enforcement for roughly 19 years including military and civilian law enforcement. He started learning about computers back when Gateway 266 MHz was the top of the line and cost about $2000.00.Right out the box, I was compelled to take my new found 266 apart. Why I have no idea other than pure curiosity. Once I had the computer out the box and on the floor in pieces, my wife walked in. Trust me people; this was not a good thing! Either way I got a good understanding at this point on how a computer is put together and / or the components inside. This was my starting point with computers and I still hear my wife in the back ground “It better work when you put it back together!” That was my humble beginnings as a Cyber Investigator. Now with many Cyber cases under my belt, I have learned that you must question, challenge and test almost daily to keep up with all the new tools, software, computers and cell phone formats to be able to forensically acquire evidence and it is a real challenge. I enjoy the challenge and look forward to learning more every day!

Comments