Retrieving the MFT timestamps
Results 1 to 5 of 5

Thread: Retrieving the MFT timestamps

Hybrid View

  1. #1
    Junior Member
    Join Date
    Jun 2008
    Posts
    1

    Retrieving the MFT timestamps

    Hello,

    I'm just starting to get into the security field, and I've just been browsing around. I was using a DiskExplorer and it was able to show me the contents of the NTFS and MFT. I was wondering if anyone could offer any assistance on how I would be able to retrieve the MFT metadata (stuff like the last MFT modification time/access time/creation time etc..)

    Any help would be greatly appreciated!

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    macdaddy?

    http://www.opensourceforensics.org/tools/unix.html

    Title: mac-daddy Author: Rob Lee
    Description: MAC Time collector for forensic incident response. This toolset is a modified version of the two programs tree.pl and mactime from the Coroner's Toolkit by Dan Farmer and Venema Weiste. This program is portable and can be run directly from a floppy or a cdrom with a perl interpreter that can also be on the floppy or cdrom.
    Website: http://www.xxxxxxxxxx [Site has been removed]
    Source: http://www.xxxxxxxxxxx [Site has been removed]

    Moderator's Note: The links have been censored because they lead to a pr0n site

    Title: mac-robber Author: Brian Carrier
    Description: mac-robber is a forensics and incident response program that collects Modified, Access, and Change (MAC) times from files. Its output can be used as input to the 'mactime' tool in The Sleuth Kit to make a time line of file activity.
    Website: http://www.sleuthkit.org/mac-robber
    Source: http://www.sleuthkit.org/mac-robber/download.php

    Just keep in mind there are plenty of tools available to timestomp/mangle the MACs and make it alot harder....
    Last edited by nihil; June 15th, 2008 at 07:16 AM.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    There are some free forensics tools here:

    http://www.pinpointlabs.com/free_tools/metaviewer/

    Metaviewer looks promising?



    I have moved this thread into the forensics forum in the hope that you get a better response.

    EDIT: Free tool for looking at index.dat files:

    http://www.systenance.com/indexdat.php

    More free stuff here:

    http://www.theabsolute.net/sware/

    "Disk Investigator" is pretty good
    Last edited by nihil; June 15th, 2008 at 07:26 AM.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    LOL, sorry about that, guess he let his domain name go , shame, it was a useful tool...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  5. #5
    Junior Member
    Join Date
    Jan 2006
    Posts
    28
    Here is some links to software that can be used for forensic purpses:
    http://www.forensics.nl/tools
    http://www.forinsect.de/
    http://www.cftt.nist.gov/
    http://www.gmgsystemsinc.com/fau/
    http://www.foundstone.com/us/resourc...sc/bintext.htm
    Most of them are free

    nirsoft (by Nir Sofer) and sysinternals (by Mark Russinovich) has also lot of free utilities for audit of computer and retrive different kind of information
    never know

Similar Threads

  1. Auditor vs BackTrack in retrieving password hashes
    By Ignatius in forum Newbie Security Questions
    Replies: 7
    Last Post: May 25th, 2006, 11:41 PM
  2. Retrieving an sql database
    By Hades in forum Newbie Security Questions
    Replies: 8
    Last Post: May 31st, 2005, 05:58 PM
  3. Retrieving data from old hard drive
    By dontease in forum Hardware
    Replies: 8
    Last Post: January 27th, 2005, 03:03 PM
  4. Retrieving access time information
    By tatui in forum Computer Forensics
    Replies: 3
    Last Post: February 2nd, 2003, 09:55 PM
  5. Retrieving Deleted Files
    By s0nIc in forum Security Archives
    Replies: 8
    Last Post: December 16th, 2001, 08:39 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides