Re: [sleuthkit-users] Parsing RAW MFT
From: Simson G. <si...@ac...> - 2013-07-23 12:29:00
bulk_extractor has a MFT parser in it that will parse MFT directory entries. You can just point it at the 1024 byte chunk (or extract the chunk into a file). The fields are broken out and stored as XML in the feature file.

On Jul 23, 2013, at 8:22 AM, "Spensky, Chad - 0559 - MITLL" <cha...@ll...> wrote:

> Is there a straightforward way to parse a raw 1024 byte chunk of data
> known to be an MFT entry using sleuth kit? I'd like to have the same
> abstraction and TSK_FS_FILE struct so that I can use the same code to deal
> with this special case as one would with an entire file system. Any help
> would be much appreciated. I've been looking through ntfs.c and can't
> seem to pin down a self contained function that will do what I am asking,
> but I could just be missing it.
>
> - Chad
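For readers who want to see what parsing a lone 1024-byte MFT record involves, here is an added standalone example; it is not code from this thread, from bulk_extractor, or from The Sleuth Kit, and it does not produce a `TSK_FS_FILE`. The function names (`apply_fixups`, `parse_mft_entry`, `build_sample`) are hypothetical, the offsets follow the standard NTFS FILE record layout, and the input record is constructed by the example itself.

```python
import struct

SECTOR = 512  # fixup stride; a 1024-byte record has two protected sector tails

def apply_fixups(rec):
    """Restore the two bytes at each sector tail from the update sequence array."""
    buf = bytearray(rec)
    usa_off, usa_cnt = struct.unpack_from("<HH", buf, 4)
    usn = buf[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        tail = i * SECTOR - 2
        if tail + 2 > len(buf) or buf[tail:tail + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i}: torn or corrupt record")
        buf[tail:tail + 2] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return buf

def parse_mft_entry(rec):
    if len(rec) != 1024 or rec[:4] != b"FILE":
        raise ValueError("not a 1024-byte FILE record")
    buf = apply_fixups(rec)
    seq, links, off, flags, used = struct.unpack_from("<HHHHI", buf, 0x10)
    out = {"sequence": seq, "links": links, "in_use": bool(flags & 1),
           "is_dir": bool(flags & 2), "names": []}
    while off + 8 <= min(used, len(buf)):  # walk attributes from the first-attribute offset
        a_type, a_len = struct.unpack_from("<II", buf, off)
        if a_type == 0xFFFFFFFF or a_len < 0x18 or off + a_len > len(buf):
            break  # end marker, or a length that would loop forever or run off the record
        if a_type == 0x30 and buf[off + 8] == 0:  # resident $FILE_NAME
            c_len, c_off = struct.unpack_from("<IH", buf, off + 0x10)
            body = bytes(buf[off + c_off:off + c_off + c_len])
            if len(body) >= 0x42:  # name length (chars) at 0x40, UTF-16LE name at 0x42
                out["names"].append(body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le", "replace"))
        off += a_len
    return out

def build_sample(name):
    """Constructed record (not real evidence): header, one $FILE_NAME, end marker."""
    body = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")
    body += bytes(-len(body) % 8)
    attr = struct.pack("<IIBBHHHIH", 0x30, 0x18 + len(body), 0, 0, 0, 0, 0, len(body), 0x18) + bytes(2) + body
    rec = bytearray(1024)
    struct.pack_into("<4sHHQHHHHI", rec, 0, b"FILE", 0x30, 3, 0, 5, 1, 0x38, 1, 0x38 + len(attr) + 8)
    struct.pack_into("<H", rec, 0x30, 7)  # update sequence number
    rec[0x38:0x38 + len(attr)] = attr
    struct.pack_into("<I", rec, 0x38 + len(attr), 0xFFFFFFFF)
    for i in (1, 2):  # move the real sector tails into the USA, stamp the USN in their place
        tail = i * SECTOR - 2
        rec[0x30 + 2 * i:0x32 + 2 * i], rec[tail:tail + 2] = rec[tail:tail + 2], b"\x07\x00"
    return bytes(rec)
```

With a 200-character name the `$FILE_NAME` attribute straddles the first sector boundary, so the name only decodes correctly once the fixups have been applied; a record whose sector tails do not match the update sequence number is rejected instead of being parsed.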