25 01 2012
SIFT Workstation: Video 4 – Extracting $MFT using mmls, icat, and log2timeline
Hey all, welcome back for video four. In this video I show you how to extract the $MFT from an image I took of a Windows 7 x64 machine that I compromised within my lab. I use mmls to find the partition offset, icat to extract the $MFT file (inode 0) at that offset, and finally log2timeline to build a CSV timeline from the extracted $MFT.
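The same three-step procedure as a script, added here as an example rather than taken from the video: it parses mmls output to pick the OS volume (on Windows 7 the first NTFS partition is usually the small System Reserved one, so it selects the largest), feeds that sector offset to icat, and then runs log2timeline. The mmls listing is constructed sample data, and the log2timeline flags assume the 2012-era Perl version's `-f mft` input module.

```shell
#!/bin/sh
# Constructed mmls output for a Windows 7 image (sample values, not a real disk).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS (0x07)
003:  000:001   0000206848   0083886079   0083679232   NTFS (0x07)'

# Print the start sector of the largest NTFS partition in mmls output ($1).
# Columns: slot-index, slot, start, end, length, description.
ntfs_start_sector() {
    printf '%s\n' "$1" | awk 'BEGIN { best = -1 }
        /NTFS/ { if ($5 + 0 > best) { best = $5 + 0; start = $3 + 0 } }
        END { print start }'
}

# Convert a sector count to a byte offset (mmls reports 512-byte sectors);
# useful for mount -o offset=..., whereas icat -o takes sectors directly.
sector_to_bytes() {
    echo $(( $1 * 512 ))
}

# Extract $MFT (inode 0) from image $1 at sector offset $2 into $3, sanity
# check the first record signature, then build the CSV timeline.
build_mft_timeline() {
    image=$1; sector=$2; out=$3
    icat -o "$sector" "$image" 0 > "$out" || return 1
    # Every MFT record starts with the ASCII signature "FILE"; anything else
    # means the offset pointed at the wrong partition or a damaged volume.
    [ "$(head -c 4 "$out")" = "FILE" ] || { echo "bad MFT signature" >&2; return 1; }
    log2timeline -f mft -z UTC -o csv -w "${out%.raw}.csv" "$out"
}

# Usage against a real image (not run here):
#   build_mft_timeline disk.dd "$(ntfs_start_sector "$(mmls disk.dd)")" mft.raw
ntfs_start_sector "$SAMPLE_MMLS"
```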
References:
http://old.nabble.com/The-Sleuth-Kit-f4134.html
Very cool! First time visitor to your blog and will definitely be back. I love seeing video examples of forensic work, especially using open source tools. You have a lot of great info here. I teach CF to community college students and will recommend your blog to them.
Ken
Hi Ken. I’m glad to hear it. I was up in the air as to whether to continue with the videos or stick with text posts. I found that most people don’t go back and look at the videos vs. coming back to review the text posts. I also find myself doing this when I forget a command or something. I don’t want to wait for the video to buffer, or I can’t recall where in the video I issued that specific command. I would be curious to hear your thoughts on this point.