I then went to the MFT record in a hex editor and manually deleted the start of the record. As a result, the record isn’t parsed. Afterwards, I deleted ‘First Folder’, which can be seen in the screenshot below. As we can see, the folder has a Deleted icon, and because the record is still there, it’s still in its place in the MFT. The VHD has a folder, ‘First Folder’, which contained a subfolder (and another subfolder). The student wanted to know what the section under the Volume was in FTK Imager and I created a couple VHDs to show him. The main point of the post was showing how to manually modify the MFT to create orphaned entries and what they look like in FTK Imager (V3.4.2.2). I was sitting in an Intro to Forensics lecture recently (in my free time, I’m crazy I know) and was explaining orphaned files to a student so thought I’d just write some stuff down about it.
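The difference between the two cases in the post, as an added Python example (not the author's code and not FTK Imager's logic): a record whose start has been wiped fails the `FILE` signature check and is skipped, so a child whose parent reference points at it has nowhere to attach, while a normally deleted folder only loses its in-use flag and still parses in place. The four-record table, the subfolder names, the 1024-byte record size and zeroing exactly the 4-byte signature are constructed assumptions, and update-sequence fixups are ignored.

```python
import struct

RECORD_SIZE = 1024  # assumed record size for this constructed sample

def make_record(name, parent, flags):
    """Build a minimal, constructed FILE record with one resident $FILE_NAME."""
    fn = struct.pack("<Q", parent | (1 << 48)) + bytes(56)  # parent ref, times, sizes
    fn += bytes([len(name), 1]) + name.encode("utf-16-le")
    fn += bytes(-len(fn) % 8)
    attr = struct.pack("<IIBBHHHIHBB", 0x30, 24 + len(fn), 0, 0, 0, 0, 0, len(fn), 24, 0, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, flags,
                      0, RECORD_SIZE, 0, 1, 0, 0)
    body = hdr + bytes(8) + attr + fn + struct.pack("<I", 0xFFFFFFFF)
    return body.ljust(RECORD_SIZE, b"\0")

def parse_record(rec):
    """Return (name, parent record number, in_use), or None if unparseable."""
    if rec[:4] != b"FILE":  # wiped start of record: nothing to parse
        return None
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    while off + 24 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if atype == 0x30 and rec[off + 8] == 0:  # resident $FILE_NAME
            c = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            parent = struct.unpack_from("<Q", rec, c)[0] & 0xFFFFFFFFFFFF
            name = rec[c + 0x42:c + 0x42 + 2 * rec[c + 0x40]].decode("utf-16-le")
            return name, parent, bool(flags & 0x01)
        off += alen
    return None

def find_orphans(mft):
    """List (record number, name, parent) whose parent record cannot be parsed."""
    recs = [parse_record(mft[i:i + RECORD_SIZE]) for i in range(0, len(mft), RECORD_SIZE)]
    return [(n, r[0], r[1]) for n, r in enumerate(recs)
            if r is not None and (r[1] >= len(recs) or recs[r[1]] is None)]

def sample_mft(deleted=False, wiped=False):
    """Constructed four-record table: root, 'First Folder' and two nested subfolders."""
    flags = 0x02 if deleted else 0x03  # directory bit, with or without in-use
    recs = [make_record(".", 0, 0x03), make_record("First Folder", 0, flags),
            make_record("Subfolder A", 1, flags), make_record("Subfolder B", 2, flags)]
    if wiped:
        recs[1] = bytes(4) + recs[1][4:]  # zero the 4-byte signature
    return b"".join(recs)

if __name__ == "__main__":
    print("deleted:", find_orphans(sample_mft(deleted=True)))
    print("wiped:  ", find_orphans(sample_mft(wiped=True)))
```

Only the direct child of the wiped record is reported; the deeper subfolder still resolves to its own parent and hangs beneath the orphan.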