-
June 11th, 2008, 06:24 PM
#1
Junior Member
Retrieving the MFT timestamps
Hello,
I'm just starting to get into the security field, and I've just been browsing around. I was using a DiskExplorer and it was able to show me the contents of the NTFS and MFT. I was wondering if anyone could offer any assistance on how I would be able to retrieve the MFT metadata (stuff like the last MFT modification time/access time/creation time, etc.)?
Any help would be greatly appreciated!
-
June 11th, 2008, 07:21 PM
#2
macdaddy?
http://www.opensourceforensics.org/tools/unix.html
Title: mac-daddy Author: Rob Lee
Description: MAC Time collector for forensic incident response. This toolset is a modified version of the two programs tree.pl and mactime from the Coroner's Toolkit by Dan Farmer and Venema Weiste. This program is portable and can be run directly from a floppy or a cdrom with a perl interpreter that can also be on the floppy or cdrom.
Website: http://www.xxxxxxxxxx [Site has been removed]
Source: http://www.xxxxxxxxxxx [Site has been removed]
Moderator's Note: The links have been censored because they lead to a pr0n site
Title: mac-robber Author: Brian Carrier
Description: mac-robber is a forensics and incident response program that collects Modified, Access, and Change (MAC) times from files. Its output can be used as input to the 'mactime' tool in The Sleuth Kit to make a time line of file activity.
Website: http://www.sleuthkit.org/mac-robber
Source: http://www.sleuthkit.org/mac-robber/download.php
Just keep in mind there are plenty of tools available to timestomp/mangle the MACs and make it a lot harder....
Last edited by nihil; June 15th, 2008 at 07:16 AM.
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
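Added example (not written by any poster in this thread, and not code from the tools linked above): a minimal Python reader for the four timestamps held in one raw MFT FILE record, taken from both the $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30) attributes, with a comparison of the two sets as a review indicator for the timestomping caveat in post #2. It assumes a resident-attribute record whose update-sequence fixups do not overlap the timestamps; `sample_record` and the heuristic `si_predates_fn` are hypothetical names, and the record bytes are constructed for the demo.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NAMES = ("created", "modified", "mft_changed", "accessed")

def filetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)

def to_ft(dt):
    return int((dt - EPOCH).total_seconds()) * 10_000_000

def mft_times(rec):
    """Return {attr_type: {name: datetime}} for attributes 0x10 and 0x30."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", rec, 0x14)[0]       # first attribute offset
    out = {}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0 or off + alen > len(rec):
            break                                      # end marker or corrupt length
        if atype in (0x10, 0x30) and rec[off + 8] == 0:  # resident attributes only
            coff = struct.unpack_from("<H", rec, off + 0x14)[0]
            skip = 8 if atype == 0x30 else 0           # $FILE_NAME starts with parent ref
            vals = struct.unpack_from("<4Q", rec, off + coff + skip)
            out.setdefault(atype, dict(zip(NAMES, map(filetime, vals))))
        off += alen
    return out

def si_predates_fn(times):
    """Heuristic: $SI created earlier than $FN created deserves a closer look."""
    si, fn = times.get(0x10), times.get(0x30)
    return bool(si and fn and si["created"] < fn["created"])

def sample_record(si_dt, fn_dt):
    """Constructed 1024-byte record: header, $SI, $FN (name fields zeroed), end."""
    def attr(atype, content):
        return struct.pack("<IIBBHHHIHH", atype, 24 + len(content), 0, 0, 0, 0, 0,
                           len(content), 24, 0) + content
    si = attr(0x10, struct.pack("<4Q", *[to_ft(si_dt)] * 4) + bytes(16))
    fn = attr(0x30, struct.pack("<Q4Q", 5, *[to_ft(fn_dt)] * 4) + bytes(32))
    hdr = b"FILE" + bytes(16) + struct.pack("<H", 0x38) + bytes(0x38 - 22)
    return (hdr + si + fn + struct.pack("<I", 0xFFFFFFFF)).ljust(1024, b"\0")

if __name__ == "__main__":
    utc = timezone.utc
    t = mft_times(sample_record(datetime(2001, 1, 1, tzinfo=utc), datetime(2008, 6, 11, tzinfo=utc)))
    print({hex(k): v["created"].isoformat() for k, v in t.items()}, si_predates_fn(t))
```

A mismatch between the two attribute sets is only a lead for further examination, since ordinary copy and move operations also change them differently.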
-
June 15th, 2008, 07:08 AM
#3
There are some free forensics tools here:
http://www.pinpointlabs.com/free_tools/metaviewer/
Metaviewer looks promising?
I have moved this thread into the forensics forum in the hope that you get a better response.
EDIT: Free tool for looking at index.dat files:
http://www.systenance.com/indexdat.php
More free stuff here:
http://www.theabsolute.net/sware/
"Disk Investigator" is pretty good
Last edited by nihil; June 15th, 2008 at 07:26 AM.
-
June 17th, 2008, 12:23 AM
#4
LOL, sorry about that, guess he let his domain name go, shame, it was a useful tool...
-
June 21st, 2008, 09:42 PM
#5
Here are some links to software that can be used for forensic purposes:
http://www.forensics.nl/tools
http://www.forinsect.de/
http://www.cftt.nist.gov/
http://www.gmgsystemsinc.com/fau/
http://www.foundstone.com/us/resourc...sc/bintext.htm
Most of them are free
NirSoft (by Nir Sofer) and Sysinternals (by Mark Russinovich) also have a lot of free utilities for auditing a computer and retrieving different kinds of information.