MFT Ripper
MFT Ripper PE is a program that will decode a Master
File Table (MFT) file and output the results to a
Comma Separated Value (CSV) file. This program was
designed to augment traditional forensic programs like
ProDiscover, FTK, EnCase and SMART.
When analyzing an MFT file there are a number of
elements and attributes that the traditional programs
do not provide or cannot provide in an easy-to-use
manner. MFT Ripper PE solves this problem by outputting
the decoded MFT data into a CSV file. This allows the
analysis to be done using a spreadsheet program like
Microsoft Excel or a database program like Microsoft
Access. An examiner can then provide the CSV file to
anyone who can use a spreadsheet to review it.
The CSV file will contain a column for each of the
attributes it provides along with any dates and times
decoded to the millisecond in human-readable form.
There is no limitation on the number of file records
and the user can select to have one big file or
multiple smaller files to maintain compatibility with
older versions of Microsoft Excel.
Fully Automated
MFT Ripper automates this process. Simply select the
file to be analyzed, select a directory to store the
results, and let it rip.
A few advantages of using MFT Ripper PE over
other methods are:
Anyone can review the data
The MFT data can be reviewed without using a
forensic tool and without needing multiple dongles or
licenses. Anyone who has Microsoft Excel or any
spreadsheet program can do it. That means lawyers,
DAs, case investigators or even average users
(clients) can review the filenames with their dates and
times.
Information traditional tools leave out
Traditional forensic tools do not normally provide ALL
the filenames along with their dates and times to the
millisecond. Each file or folder in an MFT can have up
to four filenames. Each one can be different and each
has its own set of times and dates. This can prove to
be invaluable when trying to determine if a clock was
set back or a time and date changing tool was used.
MFT Ripper PE also provides additional data such as
the sequence number of an MFT record. This value tells
you how many times the record has been created and
then deleted. There is also the Object ID number. This
number is assigned whenever a file is embedded into
another file and follows the file across MFT volumes.
For example, when you embed a graphic in a Word file
or PowerPoint presentation, an ObjectID will be
created and tied to the filename.
ObjectID Decoder
Included with the MFT Ripper PE is our ObjectID decoder
that will take an ObjectID value and decode from it
the Date and Time it was issued, the sequential Boot
Sequence number and the MAC address of the machine
that created the ObjectID.
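The fields named above can be recovered from an ObjectID as in the following added example, which is not MFT Ripper PE's code. It assumes the ObjectID is an RFC 4122 version 1 UUID stored in the Windows GUID byte layout and that the "Boot Sequence number" corresponds to the UUID clock sequence field; the function names and the sample value are constructed for illustration.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Version 1 UUID timestamps count 100 ns ticks from the Gregorian epoch.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def decode_object_id(raw: bytes) -> dict:
    """Decode a 16-byte ObjectID, assumed to be a version 1 UUID stored in
    the mixed-endian Windows GUID layout."""
    if len(raw) != 16:
        raise ValueError("an ObjectID is exactly 16 bytes")
    guid = uuid.UUID(bytes_le=raw)
    if guid.variant != uuid.RFC_4122 or guid.version != 1:
        # Other GUID types (e.g. random version 4) carry no time or MAC.
        raise ValueError(f"{guid} is not a version 1 UUID")
    issued = UUID_EPOCH + timedelta(microseconds=guid.time // 10)
    mac = ":".join(f"{b:02x}" for b in guid.node.to_bytes(6, "big"))
    return {
        "guid": str(guid),
        "issued_utc": issued.isoformat(timespec="milliseconds"),
        "sequence": guid.clock_seq,  # 14-bit clock sequence field
        "mac": mac,
        # Multicast bit set: the node was randomly generated, not a NIC address.
        "mac_is_random": bool((guid.node >> 40) & 0x01),
    }


def constructed_sample() -> bytes:
    """Build a constructed ObjectID (not taken from any real volume)."""
    # Ticks at 1970-01-01, plus 1e9 seconds, plus 123 ms.
    ticks = 0x01B21DD213814000 + 1_000_000_000 * 10_000_000 + 1_230_000
    fields = (
        ticks & 0xFFFFFFFF,                 # time_low
        (ticks >> 32) & 0xFFFF,             # time_mid
        ((ticks >> 48) & 0x0FFF) | 0x1000,  # time_hi + version 1
        0x80 | (0x0123 >> 8),               # variant + clock_seq high bits
        0x0123 & 0xFF,                      # clock_seq low bits
        0x001122334455,                     # node (constructed MAC)
    )
    return uuid.UUID(fields=fields).bytes_le


if __name__ == "__main__":
    for key, value in decode_object_id(constructed_sample()).items():
        print(f"{key}: {value}")
```

An ObjectID that is not version 1 is rejected rather than decoded, since its bytes would otherwise be misread as a plausible-looking time and MAC address.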
Electronic Discovery
MFT Ripper PE creates its file listing WITHOUT the
$Data attribute included. This means lawyers can
provide a filename list with the metadata BUT not
provide any contents of files.
Want to try it out but not
ready to commit?
Contact us for a demo version.