Created: Thursday, 20 September 2018
Updated: Friday, 21 September 2018

The following scenario demonstrates a potentially confusing situation you might face as an investigator. Knowing extensively the NFTS internals will help you to reach at valid conclusions.

Assume that you have located a deleted suspicious file called showme.jpg.exe relevant to your case in a NTFS formatted volume. You go to its $MFT record entry, you verify that metadata match and entry flag is unallocated. However, surprisingly you discover that there is only one $DATA resident attribute with content having
[ZoneTransfer]

ZoneId=3

What are your next steps as an investigator?

ntfs $DATA ADS $MFT

Reconstructing a RAID 5 that holds an NTFS volume without knowing its configuration.

To save readers' precious time I would like to emphasize the fact that that this guide applies in raids containing an NTFS formatted...

About

Since March 2012, I work as a digital forensics examiner, I examine cases such as copyright infringements, data breaches, hacking (defacing,...

Built with...

In March 2024, all backed and client libraries are updated, and the site moved to python3.12 rutime.

In April 2023, this site was...

© 2012 - 2024 Armen Arsakian updated atSaturday 01 June 2024Contact: contact at arsakian.com

-2539 . 4486