Showing posts with label MFT. Show all posts

Monday, September 15, 2008

EnScript to bookmark the MFT record of currently highlighted file in EnCase

I wrote this EnScript years ago and recently had a need to use it on some evidence. I realized I had not posted this before on the blog so I figured I would post it in case others had a similar need.

There are times when I want to look at the actual MFT record of a specific file. The most common reason is to look at the second set of timestamps that each MFT record has in the filename attribute. EnCase shows the first set (the ones in the Standard Information Attribute) in the table pane of EnCase, and normally that is sufficient. But there are times when I want to look at the second set of timestamps to see if the file's timestamps have been altered or to help establish whether a file was copied or moved onto the media. This EnScript simply looks up the corresponding MFT record for the currently highlighted file and then bookmarks it (all 1024 bytes of it):



Highlighting simply means to click on it in the table pane of EnCase (upper-right) and turn the entry blue, no need to highlight or sweep any data in the actual file. Once a file is highlighted, run the EnScript and you will get the following message:



Click "Ok" and then check your bookmarks:



You can then quickly inspect the actual raw MFT record to decode it manually or view any residual slack data, etc.

Download Here

Wednesday, November 7, 2007

Extract MFT records from Memory dump

I have been following the development of several tools to extract evidence from memory dumps of live machines. There have been several tools developed to assist with this, including several listed on Andreas Schuster's blog.

Traditionally, examiners would run the "strings" command against collected memory dumps (if they had them) and that was it. In the past two years some tools have been developed and showcased during the DFRWS and other various conferences. Some of the tools attempt to extract the running process list from the captured memory.

I decided to start developing some tools in EnScript to extract information from memory dumps. I have 'tools' in mind that I want to develop and this is the first one. This EnScript will search any selected (blue checked) file in EnCase for MFT records, based on the MFT record header of FILE* or FILE0. Once found, the EnScript will attempt to parse out the Standard Information Attribute for the timestamps associated with the file/folder and then all Filename Attributes for the name of the file and the associated timestamps stored in the Filename Attribute. The idea behind this EnScript is that there may be MFT records in memory (typically thousands) that are of interest to you, such as malware or hacking tools, etc.

Any successfully parsed records will be written to the console and also bookmarked.

How it works:
Typically, memory dumps are collected as one large 'dump' or file that contains the contents of memory. If you add that file into EnCase (drag and drop into an open case), then select that one file and run the EnScript, all parsed records will be displayed in the console and bookmarked.

What it collects:
It currently parses any found MFT records for the Standard Information Attribute data and also the data contained in the Filename Attribute, including the filename and associated timestamps.

What it does not parse:
The EnScript currently does not parse out directory entry contents. Each directory has its own MFT record (which will be parsed), but the contents of that directory are stored either as resident data in the MFT record or as non-resident data in an INDX buffer. Currently this EnScript does not parse and display the contents of directories.

Written for EnCase v6

Download Here

Wednesday, July 18, 2007

Recovering MFT records from unallocated space or $Logfile

The $Logfile in NTFS file systems is a transaction journal of changes to the $MFT. You can commonly find file fragments and MFT records in this file. You can also sometimes find MFT records in unallocated space. MFT records are fairly easy to read once you know the structure, but I wanted an easier way to extract them and put them in a report type display. The value of searching and looking for old MFT records is that you can often find MFT records that show the filename of a file that no longer exists and extract the metadata about that file, such as timestamps and what the parent folder was.

To use this EnScript, conduct a keyword search for the MFT record header of 'FILE'. A good keyword is FILE[0\*] marked as GREP and case sensitive. Search the $Logfile, unallocated or any other file you want. Once the search is completed, view the results and select (blue check) the search hits you want to extract into readable text:



Once you have selected certain search hits (or all of them) run the EnScript and look in the console. Valid MFT records will be decoded and written out into the Console for easy reading and you can copy and paste into a report if you wish:
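For readers who want to see what the EnScripts in this post and the memory-dump post above actually decode, here is an added Python example (my own code, not the author's EnScript). It carves FILE0/FILE* headers out of any buffer (memory dump, $Logfile, unallocated), checks and undoes the update sequence stamps that NTFS writes over the last two bytes of each sector, and decodes the Standard Information and Filename Attribute timestamps, name and parent record. The 1024-byte record it parses is constructed inside the block and is not real evidence.

```python
import re, struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)            # FILETIME epoch (100 ns ticks)
filetime = lambda ft: EPOCH + timedelta(microseconds=ft // 10)
def parse_record(rec):
    # Decode $STANDARD_INFORMATION (0x10) and every $FILE_NAME (0x30) in one 1024-byte MFT record.
    rec = bytearray(rec)
    usa_ofs, usa_cnt = struct.unpack_from("<HH", rec, 4) if len(rec) == 1024 else (0, 0)
    if usa_cnt != 3 or usa_ofs + 6 > 1024:
        return None
    for i in (1, 2):   # undo the update sequence: each sector's last 2 bytes hold the USN, originals sit in the USA
        if rec[i * 512 - 2:i * 512] != rec[usa_ofs:usa_ofs + 2]:
            return None                                       # stamp mismatch: carved garbage or torn record
        rec[i * 512 - 2:i * 512] = rec[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    out = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "names": []}
    ofs = struct.unpack_from("<H", rec, 0x14)[0]             # offset of first attribute
    while ofs + 0x18 <= 1024:
        atype, alen, nonres, _, _, _, _, clen, cofs = struct.unpack_from("<IIBBHHHIH", rec, ofs)
        if atype == 0xFFFFFFFF or alen == 0:
            break                                             # end-of-attributes marker
        body = rec[ofs + cofs:ofs + cofs + clen]
        if atype == 0x10 and not nonres and len(body) >= 32:
            out["si_times"] = [filetime(t) for t in struct.unpack_from("<4Q", body)]
        elif atype == 0x30 and not nonres and len(body) >= 0x42:
            parent = struct.unpack_from("<Q", body)[0] & 0xFFFFFFFFFFFF    # low 48 bits = parent record
            times = [filetime(t) for t in struct.unpack_from("<4Q", body, 8)]
            name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le", "replace")
            out["names"].append((name, parent, times))
        ofs += alen
    return out

def carve_records(buf):
    for m in re.finditer(rb"FILE[0*]", buf):                 # '0'/'*' is just the low byte of the USA offset
        if parsed := parse_record(buf[m.start():m.start() + 1024]):
            yield m.start(), parsed

def build_sample_record():
    # Constructed record #42 holding one $SI and one $FN ("notes.txt", parent record 5); not real evidence.
    ft = int((datetime(2007, 11, 7, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10_000_000
    attr = lambda t, b: struct.pack("<IIBBHHHIHH", t, 0x18 + len(b), 0, 0, 0x18, 0, 0, len(b), 0x18, 0) + b
    si = attr(0x10, struct.pack("<4QI", ft, ft, ft, ft, 0x20) + bytes(12))
    fn = attr(0x30, struct.pack("<5QQQII", 5 | 5 << 48, ft, ft, ft, ft, 4096, 3000, 0x20, 0)
              + bytes([9, 3]) + "notes.txt".encode("utf-16-le") + bytes(4))   # padded to 8 bytes
    rec = bytearray(1024)
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                     0x38 + len(si) + len(fn) + 8, 1024, 0, 3, 0, 42)   # usa_ofs 0x30 -> reads "FILE0"
    rec[0x38:0x38 + len(si) + len(fn) + 4] = si + fn + b"\xff" * 4
    rec[0x30:0x36] = b"\x07\x00" + rec[510:512] + rec[1022:1024]      # USN + saved sector-end bytes
    rec[510:512] = rec[1022:1024] = b"\x07\x00"                        # stamp sector ends like NTFS
    return bytes(rec)
```

Because the sector stamps are checked before anything is decoded, a FILE0 hit whose 1024 bytes were partly overwritten (common in $Logfile and unallocated) is rejected rather than reported with bogus timestamps.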



In the future I will add the search function into the script itself so you don't have to manually perform the search; I was just lazy and wrote it to fulfill a quick need. I also have an EnScript that will decode INDX (directory entries) records found in the $logfile (or any other file you wish) which I will publish soon.

Tested in v6.5
Download Here

Computer Forensics, Malware Analysis & Digital Investigations