Windows NTFS Index Attributes ($I30 Files)

  • Published 21 Sep 2024
  • This video is a continuation of the “Introduction to Windows Forensics” series, and picks up where we left off in the previous video (Windows MACB Timestamps). This time, we’ll take a look at NTFS index attributes, also known as $I30 files. First, we’ll cover the basic information you need to know about this important artifact. Then, we’ll walk through extraction of a $I30 file from a Windows 10 virtual machine, and analyze the contents of the index looking for evidence of deleted or overwritten files.
    Introduction to Windows Forensics:
    • Introduction to Window...
    Windows MACB Timestamps (NTFS Forensics):
    • Windows MACB Timestamp...
    NTFS INDX Parsing:
    www.williballen...
    INDXParse:
    github.com/wil...
    NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files:
    forensicmethods...
    #Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics

Comments • 19

  • @beb978
    @beb978 4 years ago +5

    Best video on YT I ever found to explain and show a use case of the NTFS index attribute. I salute you sir!

  • @matthewgrady1579
    @matthewgrady1579 7 years ago +7

    Fantastic content! Please do keep it up! Quality content that is educational and straight to the point knowledge you are handing out is highly appreciated!

  • @adamswann576
    @adamswann576 7 years ago +4

    Keep them coming! Only way to make them better in my view is to use a lower resolution on your analysis VM so that it's easier to see on a mobile, but I appreciate that's not going to work when you need lots of things on screen.

  • @StaticReplication
    @StaticReplication 4 years ago +2

    Awesome stuff. I'm almost ashamed to admit that I have a degree in computer forensics and I don't know a lot of this stuff.

  • @applepinez
    @applepinez 1 year ago

    This was great, thank you!

  • @zigaudrey
    @zigaudrey 3 years ago

    As far as I understand, the $I30 is about the metadata, such as name and directory. My laptop mentioned this when I performed a read-only chkdsk. I found out that the profile was corrupted, and even when I edit the registry, my laptop keeps creating temporary files, wasting space for nothing.
    The cmd displayed a long log; I didn't pay attention to the rest, but I saved the log. Is it worth spot-fixing it with chkdsk? I hope it wouldn't damage or harm the hard drive. If it is logical, it should be performed.
    For recovering files, this tool is the best!

  • @servermadum7297
    @servermadum7297 2 years ago

    Sir, when will the TSK videos come?
    We are looking forward to it :)

  • @jajinkya143
    @jajinkya143 3 years ago +1

    I tried to do it on my own. But when I created a secret folder and then loaded the logical drive in FTK Imager, I did not see any $I30 file. Can you please let me know why?
    And your videos are extremely helpful, especially for a student like me lacking funds to do a cert.

    • @13Cubed
      @13Cubed 3 years ago

      It's actually not a true "file", rather an attribute. This article may help: www.sans.org/blog/ntfs-i30-index-attributes-evidence-of-deleted-and-overwritten-files/. You'll view them within FTK Imager itself, not on a mounted volume.

    • @jajinkya143
      @jajinkya143 3 years ago

      @13Cubed Thanks for responding.
      So when I load the logical C drive in FTK, the $I30 attribute should show up, right? But it does not.

    • @13Cubed
      @13Cubed 3 years ago +1

      @jajinkya143 This is an NTFS volume, correct? Yes, if you browse the Evidence Tree and traverse into a given directory, you should see $I30 presented as a "file" within the File List on the right pane.

    • @jajinkya143
      @jajinkya143 3 years ago

      @@13Cubed I did the following steps:
      1. Create a directory called "Secret" on Desktop
      2. Added 2 excel, one pdf and one image in the folder.
      3. loaded the logical drive in FTK Imager.
      I can see all the files but cannot see the $I30 .
      I notice that there are $I30 files for other folders which are present on windows by default like Favorites, Documents etc. But the $I30 is not present for the folder which I created.
      Sorry. I cannot post the screen shot in the comments

    • @13Cubed
      @13Cubed 3 years ago

      @jajinkya143 Try restarting the box and looking again. I am not sure why FTK Imager is not displaying it. Also create a directory in the root of C and repeat the test.

  • @feburuum4062
    @feburuum4062 3 years ago +1

    I tested this on Windows 10 1909 and the $I30 file contained the $SI and NOT the $FN.

    • @13Cubed
      @13Cubed 3 years ago

      I have not seen this behavior. The $I30 timestamps should always be aligned with $FN. Often those will in turn mirror $SI. Granted, I have not tested this behavior in all versions of Windows 10. www.sans.org/blog/ntfs-i30-index-attributes-evidence-of-deleted-and-overwritten-files/

    • @feburuum4062
      @feburuum4062 3 years ago +1

      @13Cubed I manually changed the Std Creation Date with PowerShell and then looked in both $MFT and $I30. The arbitrary value was in the $MFT $SI creation date and, as expected, the $FN creation date was unchanged. Then in the $I30 I also found the arbitrary value I just modified; that's why I concluded it is $SI values.
      Thanks for your videos, very interesting playlist, it helps a lot.
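The $I30 analysis the video describes (walking an index and looking in its slack for deleted or overwritten files) and the $FN-timestamp question in the thread above, as an added Python example that is not part of the video, of INDXParse or of any other linked tool. It parses a 4096-byte INDX record, undoes the update-sequence fixups, walks the live entries, and carves entry-shaped remnants from the slack past the used length. The record, MFT numbers, names and timestamps are all constructed here; the four timestamps reported for each entry are the ones stored in the entry's embedded $FILE_NAME attribute, which is exactly what an analyst compares against the $MFT to decide which set of timestamps the index actually mirrors.

```python
"""Parse an NTFS $I30 INDX record: live index entries plus entries carved from slack.

Constructed example (not from a real disk). Layout follows the public NTFS layout:
'INDX' header with update-sequence fixups, index node header at 0x18, then
8-byte aligned entries that each embed a $FILE_NAME attribute.
"""
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512
NODE_HDR = 0x18      # offset of the index node header inside the record
ENTRY_HDR = 0x10     # entry header: MFT reference, entry length, $FILE_NAME length, flags
FN_FIXED = 0x42      # fixed part of $FILE_NAME before the UTF-16LE name
FLAG_LAST = 0x02     # terminator entry: carries no $FILE_NAME
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    d = dt - EPOCH   # integer arithmetic: float seconds would lose precision at 1e17 ticks
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def apply_fixups(record):
    """Undo update-sequence fixups: put the real last two bytes back into every sector."""
    buf = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", buf, 4)
    if len(buf) != (usa_count - 1) * SECTOR:
        raise ValueError("record length does not match the update sequence array")
    usn = bytes(buf[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * SECTOR
        if bytes(buf[end - 2:end]) != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn write or not an INDX record")
        buf[end - 2:end] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_filename_attr(buf, off):
    """Decode the $FILE_NAME attribute at buf[off:]; None if the bytes are not plausible."""
    if off + FN_FIXED > len(buf):
        return None
    (parent_ref, created, modified, mft_modified, accessed, alloc_size, real_size,
     _flags, _reparse, name_len, namespace) = struct.unpack_from("<7Q2I2B", buf, off)
    if name_len == 0 or namespace > 3 or any(t >> 63 for t in (created, modified, mft_modified, accessed)):
        return None
    end = off + FN_FIXED + 2 * name_len
    if end > len(buf):
        return None
    try:
        name = buf[off + FN_FIXED:end].decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if not name.isprintable():
        return None
    return {"name": name, "namespace": namespace, "parent_mft": parent_ref & 0xFFFFFFFFFFFF,
            "created": filetime_to_dt(created), "modified": filetime_to_dt(modified),
            "mft_modified": filetime_to_dt(mft_modified), "accessed": filetime_to_dt(accessed),
            "alloc_size": alloc_size, "real_size": real_size}


def _entry(buf, pos):
    """Read one entry header and its $FILE_NAME; (None, len, flags) if not a plausible entry."""
    mft_ref, entry_len, fn_len, flags = struct.unpack_from("<QHHI", buf, pos)
    if entry_len < ENTRY_HDR + FN_FIXED or fn_len < FN_FIXED or fn_len > entry_len - ENTRY_HDR:
        return None, entry_len, flags
    fn = parse_filename_attr(buf, pos + ENTRY_HDR)
    if fn is None or FN_FIXED + 2 * len(fn["name"]) > fn_len:
        return None, entry_len, flags
    fn["mft_record"], fn["mft_seq"] = mft_ref & 0xFFFFFFFFFFFF, mft_ref >> 48
    return fn, entry_len, flags


def parse_live_entries(rec):
    """Walk the in-use entries; returns (entries, slack_start, slack_end) as record offsets.
    Sub-node VCNs (flag 0x01) are not followed here; a full parser also walks $INDEX_ROOT."""
    entries_off, used, alloc = struct.unpack_from("<III", rec, NODE_HDR)
    pos, end = NODE_HDR + entries_off, min(NODE_HDR + used, len(rec))
    entries = []
    while pos + ENTRY_HDR <= end:
        fn, entry_len, flags = _entry(rec, pos)
        if flags & FLAG_LAST or entry_len < ENTRY_HDR:
            break                      # terminator (or corruption): stop walking
        if fn is not None:
            entries.append(fn)
        pos += entry_len
    return entries, end, min(NODE_HDR + alloc, len(rec))


def carve_slack(rec, start, end):
    """Scan the slack after the used area for entry-shaped remnants (entries are 8-byte aligned)."""
    found, pos = [], start
    while pos + ENTRY_HDR + FN_FIXED <= end:
        fn, entry_len, _ = _entry(rec, pos)
        if fn is not None and pos + entry_len <= end:
            found.append(fn)
            pos += entry_len
        else:
            pos += 8
    return found


def analyze(record):
    """Live entries, slack remnants, and the names only the slack still knows about."""
    rec = apply_fixups(record)
    if rec[:4] != b"INDX":
        raise ValueError("not an INDX record")
    live, slack_start, slack_end = parse_live_entries(rec)
    carved = carve_slack(rec, slack_start, slack_end)
    live_names = {e["name"] for e in live}
    # a carved name with no live counterpart is the classic sign of a deleted or renamed file
    return {"live": live, "carved": carved,
            "deleted_or_overwritten": [e for e in carved if e["name"] not in live_names]}


def build_entry(mft_rec, parent_rec, name, created, real_size, flags=0):
    """Constructed index entry (MFT sequence numbers fixed at 1 / 5 for brevity)."""
    enc = name.encode("utf-16-le")
    fn = struct.pack("<7Q2I2B", parent_rec | (5 << 48), created, created, created, created,
                     -(-real_size // 4096) * 4096, real_size, 0x20, 0, len(name), 3) + enc
    entry_len = -(-(ENTRY_HDR + len(fn)) // 8) * 8
    return (struct.pack("<QHHI", mft_rec | (1 << 48), entry_len, len(fn), flags) + fn).ljust(entry_len, b"\0")


def build_sample_record():
    """Constructed 4096-byte $I30 record: two live files, the terminator, and a stale
    'secret.pdf' entry left in slack after that file was deleted."""
    t0, hour = dt_to_filetime(datetime(2024, 9, 1, 12, 0, tzinfo=timezone.utc)), 3600 * 10_000_000
    live = (build_entry(40, 38, "notes.txt", t0, 120) + build_entry(41, 38, "report.xlsx", t0 + hour, 20480)
            + struct.pack("<QHHI", 0, ENTRY_HDR, 0, FLAG_LAST))
    stale = build_entry(42, 38, "secret.pdf", t0 - hour, 4096)
    raw = bytearray(4096)
    raw[0:4] = b"INDX"
    usa_off, usa_count = 0x28, 1 + 4096 // SECTOR                  # USN plus one fixup per sector
    struct.pack_into("<HHQQ", raw, 4, usa_off, usa_count, 0, 0)    # LSN and VCN left at zero
    first_entry = 0x40 - NODE_HDR                                   # entries start after the USA
    struct.pack_into("<IIIB", raw, NODE_HDR, first_entry, first_entry + len(live), 4096 - NODE_HDR, 0)
    raw[0x40:0x40 + len(live)] = live
    slack_pos = 0x40 + len(live) + 16                               # remnant a little past the used length
    raw[slack_pos:slack_pos + len(stale)] = stale
    usn = b"\x07\x00"
    raw[usa_off:usa_off + 2] = usn
    for i in range(1, usa_count):                                   # apply fixups as the driver does on write
        end = i * SECTOR
        raw[usa_off + 2 * i:usa_off + 2 * i + 2] = raw[end - 2:end]
        raw[end - 2:end] = usn
    return bytes(raw)


if __name__ == "__main__":
    result = analyze(build_sample_record())
    for label in ("live", "deleted_or_overwritten"):
        print(f"== {label} ==")
        for e in result[label]:
            print(f"{e['name']:14} mft={e['mft_record']} size={e['real_size']} created={e['created']:%Y-%m-%d %H:%M:%S}")
```

On a real volume you would feed `analyze()` each 4096-byte record of the directory's $INDEX_ALLOCATION (the "$I30" file FTK Imager shows) and compare every carved entry against the live list and against the $MFT: a slack name with no live counterpart points at a deleted or renamed file, and a carved copy of a live name with older timestamps shows the entry being rewritten, which is the situation the experiment in the thread above is probing. The fixup check matters in practice: a record whose sector tails do not all carry the USN is torn or is not an index block at all, and parsing it without that check produces plausible-looking garbage.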

  • @audreymciver4863
    @audreymciver4863 5 years ago

    This is probably because of my hackers that created a switch account on my YouTube app. I don't have the option to remove it, and Duo has something to do with this, I think.

  • @helelbs259
    @helelbs259 4 years ago +1

    alien code