
Is there a $MFT explanation

(@branerift)
Posts: 59
Trusted Member
Topic starter
 

I have to admit my shortcomings when it comes to the $MFT. What I am looking to do is recover a .mpg video clip from a hard drive image (E01). The suspect admitted to me that it was downloaded via LimeWire and he had deleted it when his wife found it.

I am using EnCase (v5.05f). I found an entry in the $MFT for the file. Now what?

I have tried carving for .mpg files, but I get mp3, files that don't load, etc. The carve actually revealed thousands of files. I really don't have years to sift through it all.

Is there a resource somewhere that explains finding and recovering a file via the $MFT?

Thanks in advance.

Kevin

 
Posted : 03/02/2007 2:07 am
(@mtouchet)
Posts: 11
Active Member
 

Do the signatures match on the .mp3 files? What header information is available? Try the copy/unerase function and open the files with the appropriate program.

 
Posted : 03/02/2007 3:48 am
(@az_gcfa)
Posts: 116
Estimable Member
 

What do you mean you found an entry in the $MFT? Did you scroll down the file entries or were you scrolling through the $MFT as data?

Anyway! If you were scrolling down the file entries you should be able to export the file. This is the only way to get the file out of the E01 into a usable format. You should be able to select an external viewer for the file within EnCase. I'm not familiar with version 5 – I used version 4 a couple of years back. The MFT is just a directory entry pointer except for files less than 1K - which can be the entry and file contents. WWW.NTFS.com explains it all pretty well.

I prefer FTK over Encase. I actually use Autopsy with TASK because my primary toolset is Linux.

 
Posted : 04/02/2007 8:05 am
(@branerift)
Posts: 59
Trusted Member
Topic starter
 

I really don't use FTK for cases such as this. I had to rebuild the partitions manually and EnCase allows me to specify where they begin and end. I am not aware if FTK allows this.

I see the file's name in the $MFT file. I guess my question was, am I able to extract the file… at least find it with this information and reconstruct it?

 
Posted : 06/02/2007 12:08 am
(@mtouchet)
Posts: 11
Active Member
 

Quote from the EnCase V5 user's manual:
"…EnCase parses the MFT and finds those files that are still listed, but have no parent directory. All of these files are recovered and placed into the gray Lost Files folder." Search this folder for the file name you are looking for.

If you need help with installing file viewers send me an email, I can walk you through it.

 
Posted : 06/02/2007 1:34 am
(@branerift)
Posts: 59
Trusted Member
Topic starter
 

I have seen this "Lost Files" folder many times in Encase. I guess I should have explained my situation in full to prevent confusion…. here we go…

I imaged a drive using FTK Imager using the E01 format. I loaded that image into EnCase, but it only came back with one partition that is a GoBack recovery partition, FAT32. I double checked the MBR and confirmed this was the boot (80) partition. It indeed is and is the only partition listed in the MBR. I did notice in the C partition there was a folder called "MiniNT" which looks like it is a mini operating system. Would a partition such as this refer to another partition somewhere in this "MiniNT"?

I used EnCase "sweep" and found a few partitions. With some math and a little luck, I was able to reconstruct the d partition (ntfs) with windows and all the normal files one should see. However, EnCase did not scan for lost files. I told it to search that partition for lost folders, but 0 hits were returned.

It is obviously not finding the $MFT entry for the files (mpg). Is this due to me manually rebuilding that partition? Looking in the MFT, I can see them. With the data contained in the MFT, can I reconstruct these files manually? Is the MFT a map to fragmented files on the drive (or any files for that matter)? If so, where is a good place to search for how to do this?

I want to thank everyone for assisting me with this post. I don't know if I am explaining this well enough to show you what I am trying to do.

 
Posted : 06/02/2007 2:01 am
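The situation in the post above (an MBR that lists only the GoBack FAT32 slice while a working NTFS volume sits unlisted elsewhere on the disk) is exactly what a partition sweep recovers. The Python below is an added example for this page, not part of the thread and not EnCase's own code: it parses the MBR partition table, scans every sector of an image for an NTFS boot sector, reads the volume geometry and $MFT location from the BPB, and pairs the backup boot sector NTFS keeps in the partition's last sector with its primary so each volume is reported once. The image is constructed in build_sample_image() (a 64-sector toy with one listed FAT32 entry and an unlisted NTFS volume at LBA 20); the 512-byte sector size is an assumption, and on a real E01 you would first convert to a raw image.

```python
import struct

SECTOR = 512  # assumption for this constructed image; real drives may also use 4096


def parse_mbr(image):
    """Return the non-empty entries of a classic MBR partition table."""
    if image[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA MBR signature")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", image, 446 + 16 * i)
        if ptype != 0:
            entries.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries


def parse_ntfs_boot_sector(sec):
    """Parse the NTFS BPB from one sector, or return None if it is not an NTFS boot sector."""
    if len(sec) < 512 or sec[3:11] != b"NTFS    " or sec[510:512] != b"\x55\xAA":
        return None
    bps, spc = struct.unpack_from("<HB", sec, 11)
    total, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sec, 0x28)
    per_rec, = struct.unpack_from("<b", sec, 0x40)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or total == 0:
        return None  # plausibility check: rejects residue that happens to carry the OEM ID
    # negative value means record size is 2**(-n) bytes, otherwise it counts clusters
    rec_size = 2 ** -per_rec if per_rec < 0 else per_rec * spc * bps
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "total_sectors": total,
            "mft_lcn": mft_lcn, "mftmirr_lcn": mftmirr_lcn, "record_size": rec_size}


def sweep_for_ntfs(image, sector_size=SECTOR):
    """Scan every sector for NTFS boot sectors, pairing each backup copy with its primary."""
    hits = []
    for lba in range(len(image) // sector_size):
        info = parse_ntfs_boot_sector(image[lba * sector_size:(lba + 1) * sector_size])
        if info is None:
            continue
        # NTFS stores a copy of the boot sector in the last sector of the partition, and
        # total_sectors excludes that sector, so a backup sits exactly at start + total_sectors.
        primary = next((h for h in hits if not h["backup"] and h["lba"] + h["total_sectors"] == lba), None)
        start = primary["lba"] if primary else lba
        hits.append({"lba": lba, "backup": primary is not None, "volume_start": start,
                     "mft_lba": start + info["mft_lcn"] * info["sectors_per_cluster"], **info})
    return hits


def build_sample_image():
    """Constructed 64-sector image: the MBR lists only a bootable FAT32 slice, while an
    unlisted NTFS volume (like the poster's rebuilt D: partition) starts at LBA 20."""
    img = bytearray(64 * SECTOR)
    struct.pack_into("<B3xB3xII", img, 446, 0x80, 0x0B, 1, 8)  # slot 0: FAT32, LBA 1, 8 sectors
    img[510:512] = b"\x55\xAA"
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"
    bs[3:11] = b"NTFS    "
    struct.pack_into("<HB", bs, 11, 512, 1)        # 512 bytes/sector, 1 sector/cluster
    struct.pack_into("<QQQ", bs, 0x28, 29, 4, 2)   # 30-sector partition -> total 29; $MFT at LCN 4
    struct.pack_into("<b", bs, 0x40, -10)          # 2**10 = 1024-byte MFT records
    bs[510:512] = b"\x55\xAA"
    img[20 * SECTOR:21 * SECTOR] = bs              # primary boot sector
    img[49 * SECTOR:50 * SECTOR] = bs              # backup copy in the partition's last sector
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print("MBR entries:", parse_mbr(image))
    for h in sweep_for_ntfs(image):
        print(f"NTFS boot sector at LBA {h['lba']} (backup={h['backup']}), volume starts at "
              f"LBA {h['volume_start']}, $MFT at LBA {h['mft_lba']}, record size {h['record_size']}")
```

On a real image the LBA of a primary hit is the start sector to give EnCase when rebuilding the partition by hand, total_sectors plus one is its length, and mft_lba is where the $MFT itself begins. A hit whose backup is not found at start + total_sectors is either a volume whose tail was overwritten or boot-sector residue; check its BPB values against the disk size before trusting it.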
(@az_gcfa)
Posts: 116
Estimable Member
 

I assume you found the $MFT entry in the table window (left pane) and clicked on this entry and the data or text pane window appeared. Usually the bottom window that is the width of the entire encase application window. In the text or data pane window you scrolled through the data contents of the $MFT entry until you found what you think was the file.

You can scroll through the table pane to find the entry. Or drill down through the entries in the "case window" right pane (sort of like Explorer). If the entry is valid you will see a complete entry in the table pane - look for the "is deleted" column to see if the file is deleted. Even further left is column information identifying the physical and logical sectors. You can build a search for the file name.

If you are finding the complete filename string in the $MFT data pane - there is a good chance the file exists. If you are finding only part of the name more than likely you are seeing residue. The slot has been reused. There is still a chance the file still exists on the physical sectors of the drive but with no filename entry. That is where file carving will be required!

 
Posted : 06/02/2007 2:26 am
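Two points made in this thread, that an MFT record is a map to the file's clusters except for small files whose content is resident in the record itself, and that the in-use flag and the $FILE_NAME attribute tell you whether a record still describes a file or has been reused, are easiest to see in code. The Python below is an added example written for this page, not from the thread, EnCase or any other product: it applies the update-sequence fixups, walks the attributes of one 1024-byte FILE record, reads the name and in-use flag, and either returns resident $DATA content or decodes the non-resident run list and gathers the clusters from the volume. The record and 32-cluster volume are constructed by build_sample_volume(), the file name clip.mpg is hypothetical, and the geometry (512-byte sectors, one sector per cluster, 1024-byte records) is assumed; on a real volume those values come from the boot sector.

```python
import struct

# Geometry assumed for this constructed example: 512-byte sectors, one sector per
# cluster, 1024-byte MFT records (a real volume's values come from its boot sector).
SECTOR = 512
CLUSTER = 512
RECORD_SIZE = 1024


def apply_fixups(rec):
    """Undo update-sequence fixups: NTFS overwrites the last 2 bytes of each sector of a
    record with the USN and keeps the originals in the update sequence array (USA)."""
    rec = bytearray(rec)
    usa_ofs, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_ofs:usa_ofs + 2]
    for i in range(1, usa_count):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn write or not a real FILE record")
        rec[end - 2:end] = rec[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return bytes(rec)


def decode_runs(buf):
    """Decode a run list into [(lcn, clusters)]; lcn None marks a sparse (unallocated) run."""
    runs, pos, lcn = [], 0, 0
    while buf[pos] != 0:                      # a zero header byte ends the list
        len_sz, ofs_sz = buf[pos] & 0x0F, buf[pos] >> 4
        count = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        delta = int.from_bytes(buf[pos + 1 + len_sz:pos + 1 + len_sz + ofs_sz], "little", signed=True)
        pos += 1 + len_sz + ofs_sz
        lcn += delta                          # offsets are relative to the previous run's LCN
        runs.append((None if ofs_sz == 0 else lcn, count))
    return runs


def parse_record(raw):
    """Pull the name, in-use flag and unnamed $DATA description out of one MFT record."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    attr_ofs, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & 1), "is_dir": bool(flags & 2), "name": None, "data": None}
    pos = attr_ofs
    while True:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF:
            break
        nonres, name_len = rec[pos + 8], rec[pos + 9]
        if atype == 0x30:                                  # $FILE_NAME, always resident
            vlen, vofs = struct.unpack_from("<IH", rec, pos + 0x10)
            fn = rec[pos + vofs:pos + vofs + vlen]
            info["name"] = fn[0x42:0x42 + 2 * fn[0x40]].decode("utf-16-le")
        elif atype == 0x80 and name_len == 0:              # unnamed $DATA stream
            if nonres:                                     # record holds only a map to clusters
                run_ofs, = struct.unpack_from("<H", rec, pos + 0x20)
                size, = struct.unpack_from("<Q", rec, pos + 0x30)
                info["data"] = {"resident": False, "size": size,
                                "runs": decode_runs(rec[pos + run_ofs:pos + alen])}
            else:                                          # small file: content is in the record
                vlen, vofs = struct.unpack_from("<IH", rec, pos + 0x10)
                info["data"] = {"resident": True, "size": vlen,
                                "content": rec[pos + vofs:pos + vofs + vlen]}
        pos += alen
    return info


def extract_data(info, volume):
    """Rebuild the file: resident content directly, otherwise clusters gathered run by run."""
    d = info["data"]
    if d["resident"]:
        return d["content"]
    out = bytearray()
    for lcn, count in d["runs"]:
        out += bytes(count * CLUSTER) if lcn is None else volume[lcn * CLUSTER:(lcn + count) * CLUSTER]
    return bytes(out[:d["size"]])                          # drop the slack in the last cluster


def build_record(name, in_use, content=None, run_bytes=b"", size=0):
    """Constructed minimal MFT record: $FILE_NAME plus one $DATA attribute, fixups applied."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)                 # USA at 0x30: USN + one word per sector
    struct.pack_into("<HH", rec, 0x14, 0x38, 1 if in_use else 0)
    fn = bytearray(0x42) + name.encode("utf-16-le")
    fn[0x40], fn[0x41] = len(name), 3                        # name length, Win32+DOS namespace
    pos = 0x38
    for atype, value in ((0x30, fn), (0x80, content)):
        if value is not None:                                # resident attribute
            alen = (0x18 + len(value) + 7) & ~7
            struct.pack_into("<IIBBHHHIH", rec, pos, atype, alen, 0, 0, 0, 0, 0, len(value), 0x18)
            rec[pos + 0x18:pos + 0x18 + len(value)] = value
        else:                                                # non-resident $DATA with run list
            alen = (0x40 + len(run_bytes) + 7) & ~7
            alloc = -(-size // CLUSTER) * CLUSTER
            struct.pack_into("<IIBBHHH", rec, pos, atype, alen, 1, 0, 0, 0, 0)
            struct.pack_into("<QQHH4xQQQ", rec, pos + 0x10, 0, alloc // CLUSTER - 1, 0x40, 0, alloc, size, size)
            rec[pos + 0x40:pos + 0x40 + len(run_bytes)] = run_bytes
        pos += alen
    struct.pack_into("<I", rec, pos, 0xFFFFFFFF)
    rec[0x30:0x32] = b"\x01\x00"                             # USN; stash sector tails, then overwrite them
    for i in (1, 2):
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = b"\x01\x00"
    return bytes(rec)


def build_sample_volume():
    """Constructed 32-cluster volume holding a deleted, fragmented 3000-byte clip.mpg
    (hypothetical name) stored in LCN 10-13 and then LCN 7-8."""
    content = (b"\x00\x00\x01\xBA" + bytes(range(256)) * 12)[:3000]   # MPEG-PS pack header first
    vol = bytearray(32 * CLUSTER)
    vol[10 * CLUSTER:14 * CLUSTER] = content[:4 * CLUSTER]
    vol[7 * CLUSTER:9 * CLUSTER] = content[4 * CLUSTER:].ljust(2 * CLUSTER, b"\x00")
    runs = bytes([0x11, 4, 10, 0x11, 2, 0xFD, 0x00])          # 4 clusters @ LCN 10, then 2 @ LCN 10-3
    return bytes(vol), build_record("clip.mpg", False, run_bytes=runs, size=len(content)), content
```

For a deleted file the record's flags show in_use False, but the name and run list may still be intact, which is when extraction by record beats carving: the runs recover a fragmented file in order, while a carver stops at the first gap (the "files that don't load" from the carve earlier in the thread). If the clusters have been reallocated since deletion the bytes come back but belong to another file, so verify the result (here the MPEG program-stream pack start code 00 00 01 BA at offset 0) before relying on it.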
(@branerift)
Posts: 59
Trusted Member
Topic starter
 

I was editing my post just prior to yours az_gcfa. I will respond to your post with screenshots. I think it would be easier for me to explain. My brain is not playing well with me today. Let me put the screen shots together and I will post.

 
Posted : 06/02/2007 2:33 am
(@az_gcfa)
Posts: 116
Estimable Member
 

I do not understand what you mean by "reconstruct the NTFS partition" within EnCase. Are you saying that EnCase found partition records and then created a volume reference in the "cases window" left pane?

If you think you have a good NTFS partition – try exporting the partition with EnCase and load that exported partition back into EnCase – then all the filesystem structures should appear - if it is a true NTFS image.

You are quickly reaching my limits with my old demo version. I would suggest you try the forums at EnCase.

Sorry, I can not be any more help with Encase.

 
Posted : 07/02/2007 1:49 am
(@branerift)
Posts: 59
Trusted Member
Topic starter
 

I am not the best at explaining the situation I suppose, but I will try the EnCase forums as well. Thanks for the help. It is much appreciated.

 
Posted : 07/02/2007 2:14 am