MFT File Not Available #9
Comments
|
I'll have to test this. |
|
@SANS-SIFT have you ran into any issues with $MFT not being available? |
|
It is there. But not listed. Need to run similar command cp $MFT /temp/MFTBest, Rob Sent from my Mobile Phone
|
|
@baltek hope that helps, I'm closing this ticket, if you have more questions feel free to comment again. |
|
Hi Erik, Thank you for your reply and following up with the question. I'll test it Regards, Bartosz Inglot On 31 August 2014 14:07, Erik Kristensen notifications@github.com wrote:
|
In the provided VM of SIFT 3.0, I mounted an NTFS partition with all the extra parameters (show_sys_files, etc.) and to my surprise the $MFT file wasn't available. All other files seem to be there (e.g. $MFTMirr) except this one. Why Googling the problem I came across this: "Note that even when show_sys_files is specified, "$MFT" may will not be visible due to bugs/mis-features in glibc." (Source: http://manpages.ubuntu.com/manpages/gutsy/man8/ntfsmount.8.html).
Another surprise was when I looked at the bodyfile generated by log2timeline and it contained MFT entries. When I dumped MFT using icat and then parsed it with log2timeline, the number of L2T generated entries was almost identical. Any ideas?
Thanks,
Bart
The text was updated successfully, but these errors were encountered: