SIFT Workstation: Video 4 – Extracting $MFT using mmls, icat, and log2timeline

Hey all, welcome back for video four. 

In this video I show you how to extract the $MFT from an image I took of a Windows 7 x64 machine that I compromised within my lab. I use mmls to find the partition offset, icat to extract the $MFT file at inode 0, and finally log2timeline to create the CSV $MFT timeline.
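
The three steps above as one script, added here as an example and not taken from the video: it parses the mmls listing, picks the largest NTFS partition (a default Windows 7 install typically puts a small System Reserved NTFS volume first), then runs icat and the legacy Perl log2timeline. The function names, output file names, the UTC timezone and the sample mmls listing are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the video). Usage: ./mft_timeline.sh image.dd outdir

# Print "start_sector length" for every NTFS row of an mmls listing on stdin.
ntfs_partitions() {
    awk '$1 ~ /^[0-9]+:$/ && /NTFS/ { print $3 + 0, $5 + 0 }'
}

# Pick the largest NTFS partition; the first NTFS row on a Windows 7 disk is
# usually the small System Reserved volume, whose $MFT is not the one you want.
largest_ntfs_offset() {
    ntfs_partitions | sort -k2,2n | tail -n 1 | cut -d' ' -f1
}

# $1 = disk image, $2 = output directory (hypothetical names mft.raw / mft.csv)
extract_mft_timeline() {
    mft_offset=$(mmls "$1" | largest_ntfs_offset)
    [ -n "$mft_offset" ] || { echo "no NTFS partition found in $1" >&2; return 1; }
    mkdir -p "$2"
    # Inode 0 of an NTFS file system is the $MFT itself.
    icat -o "$mft_offset" "$1" 0 > "$2/mft.raw" || return 1
    # Hash the extracted artifact so later analysis can be tied back to it.
    sha256sum "$2/mft.raw" > "$2/mft.raw.sha256"
    # Legacy log2timeline: mft input module, csv output module, UTC timestamps.
    log2timeline -f mft -o csv -z UTC -w "$2/mft.csv" "$2/mft.raw"
}

# Constructed mmls listing resembling a default Windows 7 disk layout.
sample_mmls_output() {
cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0041940991   0041734144   NTFS / exFAT (0x07)
EOF
}

# Run the full procedure only when an image and an output directory are given.
if [ "$#" -eq 2 ]; then extract_mft_timeline "$1" "$2"; fi
```

The offset passed to `icat -o` is in sectors, which is the unit mmls reports, so no byte conversion is needed.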