Resolving File Paths Using the MFT | RAT In Mi Kitchen
In NTFS, the MFT (Master File Table) is a structure that contains a lot of the file-system metadata, and also the contents of small files. It is stored in a special file, called $MFT. In incident response, we often collect and parse this file to determine the file system contents and how it changed over time, without having to acquire a full disk image.
There are many bad MFT parsers out there.
https://harelsegev.github.io/posts/resolving-file-paths-using-the-mft/