Best video on YT I ever found to explain and show a use case of the NTFS index attribute. I salute you, sir!
Fantastic content! Please do keep it up! The quality, educational, straight-to-the-point knowledge you are handing out is highly appreciated!
Keep them coming! The only way to make them better, in my view, is to use a lower resolution on your analysis VM so that it's easier to see on a mobile, but I appreciate that's not going to work when you need lots of things on screen.
Awesome stuff. I'm almost ashamed to admit that I have a degree in computer forensics and I don't know a lot of this stuff.
As far as I understand, the $I30 is about the metadata, such as name and directory. My laptop mentioned this when I performed a read-only chkdsk. I found out that the profile was corrupted, and even when I edit the registry, my laptop keeps creating temporary files, wasting space for nothing.
The cmd displayed a long log; I didn't pay attention to the rest, but I saved the log. Is it worth spot-fixing it with chkdsk? I hope it wouldn't damage or harm the hard drive. If it is logical, it should be performed.
For recovering files, this tool is the best!
Sir, when will the TSK videos come?
We are looking forward to it :)
This was great, thank you!
I tried to do it on my own, but when I created a secret folder and then loaded the logical drive in FTK Imager, I did not see any $I30 file. Can you please let me know why?
And your videos are extremely helpful, especially for a student like me lacking funds to do a cert.
It's actually not a true "file", rather an attribute. This article may help: www.sans.org/blog/ntfs-i30-index-attributes-evidence-of-deleted-and-overwritten-files/. You'll view them within FTK Imager itself, not on a mounted volume.
@13Cubed Thanks for responding.
So when I load the logical C drive in FTK, the $I30 attribute should show up, right? But it does not.
@jajinkya143 This is an NTFS volume, correct? Yes, if you browse the Evidence Tree and traverse into a given directory, you should see $I30 presented as a "file" within the File List on the right pane.
@13Cubed I did the following steps:
1. Created a directory called "Secret" on the Desktop.
2. Added 2 Excel files, one PDF and one image to the folder.
3. Loaded the logical drive in FTK Imager.
I can see all the files but cannot see the $I30.
I noticed that there are $I30 files for other folders which are present on Windows by default, like Favorites, Documents, etc., but the $I30 is not present for the folder which I created.
Sorry, I cannot post the screenshot in the comments.
@jajinkya143 Try restarting the box and looking again. I am not sure why FTK Imager is not displaying it. Also create a directory in the root of C and repeat the test.
I tested this on Windows 10 1909 and the $I30 file contained the $SI and NOT the $FN.
I have not seen this behavior. The $I30 timestamps should always be aligned with $FN. Often those will in turn mirror $SN. Granted, I have not tested this behavior in all versions of Windows 10. www.sans.org/blog/ntfs-i30-index-attributes-evidence-of-deleted-and-overwritten-files/
@13Cubed I manually changed the Std Creation Date with PowerShell and then looked in both $MFT and $I30. The arbitrary value was in the $MFT $SI creation date and, as expected, the $FN creation date was unchanged. Then in the $I30 I also found the arbitrary value I had just modified; that's why I concluded it is $SI values.
Thanks for your videos, very interesting playlist, it helps a lot.
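The comparison discussed in the exchange above (reading the timestamps out of a $I30 index entry and checking which of the $MFT record's two timestamp sets, $SI or $FN, they equal) can be scripted. The following is an added example, not code from the video or from any commenter: it parses one index entry using the standard NTFS index-entry and $FILE_NAME layout, and the sample entry it parses is constructed in-line rather than captured from a real volume. The function names, the "Secret" entry and the record numbers 1234 and 5 are assumptions for the demo.

```python
# Added example, not from the video or the commenters: parse one NTFS $I30
# index entry, pull out the $FILE_NAME-style timestamps it carries, and say
# whether they line up with the $SI or $FN set from the file's $MFT record.
# The sample entry is constructed in-line with struct.pack, not captured
# from a real volume.
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIME_KEYS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer arithmetic (no float loss)."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_index_entry(buf, offset=0):
    """Parse one $I30 index entry (INDEX_ROOT or INDX node), little-endian:
    0x00 u64 MFT reference   0x08 u16 entry length   0x0A u16 $FILE_NAME length
    0x0C u32 flags (bit 1 = last entry, no name)      0x10 $FILE_NAME body:
      parent ref, created, modified, MFT modified, accessed, allocated size,
      real size (all u64), attr flags u32, reparse u32, name len u8,
      namespace u8, then the name in UTF-16LE."""
    mft_ref, entry_len, fn_len, flags = struct.unpack_from("<QHHI", buf, offset)
    if flags & 0x2:  # terminating entry of the node carries no $FILE_NAME
        return None
    fn = offset + 0x10
    (parent_ref, created, modified, mft_modified, accessed, _alloc, real_size,
     _attr_flags, _reparse, name_len, namespace) = struct.unpack_from(
        "<QQQQQQQIIBB", buf, fn)
    name = buf[fn + 0x42:fn + 0x42 + 2 * name_len].decode("utf-16-le")
    return {
        "mft_record": mft_ref & 0xFFFFFFFFFFFF,   # low 48 bits = record number
        "mft_sequence": mft_ref >> 48,
        "parent_record": parent_ref & 0xFFFFFFFFFFFF,
        "name": name,
        "namespace": namespace,
        "created": filetime_to_datetime(created),
        "modified": filetime_to_datetime(modified),
        "mft_modified": filetime_to_datetime(mft_modified),
        "accessed": filetime_to_datetime(accessed),
        "real_size": real_size,
        "entry_length": entry_len,
    }


def timestamp_source(entry, si_times, fn_times):
    """Return "FN", "SI", "both" or "neither" depending on which $MFT timestamp
    set (dicts keyed by TIME_KEYS) the $I30 entry's four timestamps equal."""
    i30 = tuple(entry[k] for k in TIME_KEYS)
    hit_si = i30 == tuple(si_times[k] for k in TIME_KEYS)
    hit_fn = i30 == tuple(fn_times[k] for k in TIME_KEYS)
    return {(True, True): "both", (False, True): "FN",
            (True, False): "SI", (False, False): "neither"}[(hit_si, hit_fn)]


def build_sample_entry(name, mft_record, parent_record, times, attr_flags=0x20):
    """Constructed test data only: pack an index entry for `name` whose four
    timestamps come from `times` (dict keyed by TIME_KEYS)."""
    encoded = name.encode("utf-16-le")
    fn_body = struct.pack(
        "<QQQQQQQIIBB",
        parent_record | (1 << 48),       # parent reference, sequence number 1
        *(datetime_to_filetime(times[k]) for k in TIME_KEYS),
        0, 0,                            # allocated / real size
        attr_flags, 0,                   # 0x20 = FILE_ATTRIBUTE_ARCHIVE
        len(name), 3,                    # namespace 3 = Win32 & DOS
    ) + encoded
    entry_len = (0x10 + len(fn_body) + 7) & ~7   # entries are 8-byte aligned
    header = struct.pack("<QHHI", mft_record | (1 << 48), entry_len,
                         len(fn_body), 0)
    return (header + fn_body).ljust(entry_len, b"\x00")


def demo():
    """Constructed scenario: $SI creation time was backdated a year, $FN untouched,
    and the $I30 entry carries the backdated value."""
    base = datetime(2020, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    fn_times = dict.fromkeys(TIME_KEYS, base)
    si_times = dict(fn_times, created=base.replace(year=2019))
    entry = parse_index_entry(build_sample_entry("Secret", 1234, 5, si_times))
    return entry, timestamp_source(entry, si_times, fn_times)


if __name__ == "__main__":
    e, src = demo()
    print(e["name"], e["created"].isoformat(), "matches", src)
```

On a real case you would feed `parse_index_entry` the bytes of an index node carved from the parent directory's $INDEX_ROOT/$INDEX_ALLOCATION (walking entries by `entry_length` until the last-entry flag), and take `si_times` and `fn_times` from the child's $MFT record; the demo scenario is only constructed data and makes no claim about what a given Windows build actually writes.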
This is probably because of my hackers that created a switch account on my YouTube app. I don't have the option to remove it and duo has something to do with this I think
alien code