Created: Thursday, 20 September 2018
Updated: Friday, 21 September 2018

The following scenario demonstrates a potentially confusing situation you might face as an investigator. A thorough knowledge of NTFS internals will help you reach valid conclusions.

Assume that you have located a deleted suspicious file called showme.jpg.exe, relevant to your case, on an NTFS-formatted volume. You go to its $MFT record entry and verify that the metadata match and that the record's in-use flag is clear (the entry is unallocated). Surprisingly, however, you discover that the record holds only one $DATA attribute, resident, whose content is:

[ZoneTransfer]
ZoneId=3

(This is the Mark-of-the-Web that Windows browsers write to a downloaded file's Zone.Identifier stream; ZoneId=3 is the Internet zone.)
What are your next steps as an investigator?
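As an added example (not part of the original post), here is a minimal Python parser for a raw 1024-byte $MFT FILE record: it applies the update-sequence fixups, reads the in-use flag, recovers the name from $FILE_NAME, and lists every $DATA attribute with its name, residency and payload. The unnamed $DATA attribute is the file's own content; a named one such as Zone.Identifier is an alternate data stream, so the question this scenario raises is simply whether the unnamed stream is present at all. Offsets follow the standard NTFS on-disk layout; the builder and parser names and the two sample records (one mirroring the scenario above, one a normal downloaded file) are constructed here and read from no real volume.

```python
# Added example (not from the original post): walk a raw 1024-byte $MFT FILE
# record and list its $DATA attributes. Offsets follow the standard NTFS
# on-disk layout; builder/parser names and the sample records are my own.
import struct

ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF
SECTOR, RECORD_SIZE, FLAG_IN_USE = 512, 1024, 0x0001
MOTW = b"[ZoneTransfer]\r\nZoneId=3\r\n"   # Mark-of-the-Web, Internet zone

def apply_fixups(rec):
    """Undo update-sequence fixups; a tag mismatch means a torn/mis-parsed record."""
    buf = bytearray(rec)
    usa_off, usa_cnt = struct.unpack_from("<HH", buf, 4)
    usn = buf[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i}")
        buf[end - 2:end] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return buf

def attributes(buf):
    """Yield (type, raw attribute) until the 0xFFFFFFFF end marker."""
    off = struct.unpack_from("<H", buf, 0x14)[0]
    while off + 8 <= len(buf):
        atype, alen = struct.unpack_from("<II", buf, off)
        if atype == ATTR_END or alen == 0:
            break
        yield atype, buf[off:off + alen]
        off += alen

def describe_record(rec):
    """Return in-use flag, $FILE_NAME name and one entry per $DATA attribute."""
    buf = apply_fixups(rec)
    if buf[:4] != b"FILE":
        raise ValueError("not a FILE record")
    flags = struct.unpack_from("<H", buf, 0x16)[0]
    info = {"in_use": bool(flags & FLAG_IN_USE), "file_name": None, "data": []}
    for atype, a in attributes(buf):
        non_res, nlen, noff = struct.unpack_from("<BBH", a, 8)
        if atype == ATTR_FILE_NAME and not non_res:
            vlen, voff = struct.unpack_from("<IH", a, 0x10)
            fn = a[voff:voff + vlen]
            info["file_name"] = fn[0x42:0x42 + 2 * fn[0x40]].decode("utf-16-le")
        elif atype == ATTR_DATA:
            # Unnamed $DATA = the file's content; a named one is an ADS.
            name = a[noff:noff + 2 * nlen].decode("utf-16-le") or None
            if non_res:
                size, content = struct.unpack_from("<Q", a, 0x30)[0], None
            else:
                vlen, voff = struct.unpack_from("<IH", a, 0x10)
                size, content = vlen, bytes(a[voff:voff + vlen])
            info["data"].append({"name": name, "resident": not non_res,
                                 "size": size, "content": content})
    return info

def unnamed_stream_missing(info):
    """The check this scenario calls for: is the file's own $DATA absent?"""
    return all(d["name"] is not None for d in info["data"])

# --- constructed sample records (no real volume is read) -------------------
def resident_attr(atype, value, name=""):
    nb = name.encode("utf-16-le")
    voff = (0x18 + len(nb) + 7) & ~7
    a = bytearray((voff + len(value) + 7) & ~7)
    struct.pack_into("<IIBBHHH", a, 0, atype, len(a), 0, len(name), 0x18, 0, 0)
    struct.pack_into("<IH", a, 0x10, len(value), voff)
    a[0x18:0x18 + len(nb)], a[voff:voff + len(value)] = nb, value
    return bytes(a)

def nonresident_attr(atype, real_size, runs=b"\x21\x01\x00\x10\x00"):
    a = bytearray((0x40 + len(runs) + 7) & ~7)
    struct.pack_into("<IIBBHHH", a, 0, atype, len(a), 1, 0, 0x40, 0, 0)
    struct.pack_into("<QQHH", a, 0x10, 0, 0, 0x40, 0)        # VCNs, runs offset
    struct.pack_into("<QQQ", a, 0x28, 4096, real_size, real_size)
    a[0x40:0x40 + len(runs)] = runs
    return bytes(a)

def file_name_value(name):
    nb = name.encode("utf-16-le")
    v = bytearray(0x42) + nb
    v[0x40], v[0x41] = len(name), 1                           # length, Win32 ns
    return bytes(v)

def build_record(attrs, in_use, recno):
    rec = bytearray(RECORD_SIZE)
    usa_off, usa_cnt, first = 0x30, 3, 0x38
    body = b"".join(attrs) + struct.pack("<II", ATTR_END, 0)
    rec[first:first + len(body)] = body
    struct.pack_into("<4sHHQHHHHII", rec, 0, b"FILE", usa_off, usa_cnt, 0, 1, 1,
                     first, FLAG_IN_USE if in_use else 0, first + len(body), RECORD_SIZE)
    struct.pack_into("<I", rec, 0x2C, recno)
    rec[usa_off:usa_off + 2] = b"\x01\x00"                    # USN stamp
    for i in range(1, usa_cnt):                               # save + overwrite sector tails
        end = i * SECTOR
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = b"\x01\x00"
    return bytes(rec)

FN = resident_attr(ATTR_FILE_NAME, file_name_value("showme.jpg.exe"))
# The scenario above: unallocated record whose only $DATA is the named ADS.
PUZZLE = build_record([FN, resident_attr(ATTR_DATA, MOTW, "Zone.Identifier")], False, 1234)
# A normal downloaded file: unnamed content stream plus the Zone.Identifier ADS.
NORMAL = build_record([FN, nonresident_attr(ATTR_DATA, 73216),
                       resident_attr(ATTR_DATA, MOTW, "Zone.Identifier")], True, 1235)
```

Run `describe_record(PUZZLE)` and `describe_record(NORMAL)` side by side: the normal file shows two $DATA attributes (the unnamed, non-resident content plus the resident `Zone.Identifier` ADS), while the scenario's record shows only the named ADS, and `unnamed_stream_missing` flags it. Whatever tool you use, make it print the attribute name next to each $DATA entry; a listing that collapses "one $DATA attribute" into "the file's content" is exactly what turns this record into a trap.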

Tags: ntfs, $DATA, ADS, $MFT


© 2012 - 2023 Armen Arsakian, updated at Monday 03 April 2023. Contact: contact at arsakian.com
