In the last post we talked about collecting $J and $LogFile using KAPE.
In this post we are going to dig into MFTECmd.exe, the tool we use to parse these artifacts.
First of all, this tool can parse artifacts such as $J, $Boot, $MFT, $SDS, $I30 and $LogFile ($LogFile support is coming soon, according to Eric Zimmerman).
There is another tool available to parse $LogFile, but you have to buy a license to run it:
Mala, short for $MFT And $LogFile Analysis, offers forensic investigators a powerful means of parsing $LogFile data. With a command as simple as "mala --help", users can unlock a plethora of options for analyzing $LogFile contents. A typical run of mala involves specifying parameters like the input file location, the output format (e.g., CSV), and options for formatting hexadecimal values and removing whitespace.
The command will look like:
mala.exe -log E:\C\$LogFile -csv -base10 -no_whitespace > G:\ntfs\mala-logfile.csv
The output will look like below:
But I am waiting for Eric Zimmerman's updated version of MFTECmd.exe, which can parse the $LogFile as well.
So for now we are going to parse $J; as soon as MFTECmd.exe starts parsing $LogFile, the blog will be updated.
Current version: MFTECmd 1.2.2.1
After running the collection command from the last post, unzip the output and you will find a .vhdx file. When you double-click it, Windows automatically mounts it as a new drive under the next available drive letter, in this case F:\.
Command to parse the artifact using MFTECmd:
For $J:
cmd :- MFTECmd.exe -f F:\C\$J --csv C:\Users\User\Downloads --csvf J.csv
You can use this tool to parse other artifacts as well, such as $I30. Parsing is done; in the next blog we will delve into analyzing these artifacts using Timeline Explorer.
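As an added example (not from this post and not part of Eric Zimmerman's tooling), the steps above as one PowerShell script: mount the KAPE .vhdx read-only, find the drive letter Windows assigned, run MFTECmd on $J, and then summarise the resulting CSV by UpdateReasons so you can see at a glance how much of the journal is file creates, deletes or renames. The image path, tool location and output folder are assumptions; the CSV column names are those MFTECmd 1.2.x writes for $J.

```powershell
# Added example, not from the original post. Paths are assumptions: adjust them.
param(
    [string]$Vhdx        = 'C:\KAPE\Collection.vhdx',     # assumed: KAPE output image
    [string]$MftecmdExe  = 'C:\Tools\MFTECmd.exe',        # assumed: where MFTECmd lives
    [string]$OutDir      = 'C:\Users\User\Downloads',     # same output folder as the post
    [string]$CsvName     = 'J.csv'
)

if (-not (Test-Path $MftecmdExe)) { throw "MFTECmd.exe not found at $MftecmdExe" }
if (-not (Test-Path $Vhdx))       { throw "Image not found at $Vhdx" }

# Mount the evidence image read-only so the artifact is never modified.
Mount-DiskImage -ImagePath $Vhdx -Access ReadOnly | Out-Null
try {
    # Windows picks the next free drive letter (F:\ in the post); look it up rather than guessing.
    $letter = (Get-DiskImage -ImagePath $Vhdx | Get-Disk | Get-Partition | Get-Volume |
               Where-Object { $_.DriveLetter }).DriveLetter
    if (-not $letter) { throw "Mounted image has no drive letter" }

    # KAPE stores the journal under <drive>\C\$J. Single quotes keep PowerShell from expanding $J.
    $jPath = $letter + ':\C\$J'
    if (-not (Test-Path -LiteralPath $jPath)) { throw "$jPath not present in image" }

    # Same invocation as the post: -f input, --csv output folder, --csvf output file name.
    & $MftecmdExe -f $jPath --csv $OutDir --csvf $CsvName
    if ($LASTEXITCODE -ne 0) { throw "MFTECmd exited with code $LASTEXITCODE" }

    $rows = Import-Csv -LiteralPath (Join-Path $OutDir $CsvName)
    Write-Host ("Parsed {0} USN records from {1}" -f $rows.Count, $jPath)

    # Triage view: which kinds of change dominate the journal?
    $rows | Group-Object UpdateReasons | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize

    # Deleted executables are a common first pivot when reviewing $J.
    $rows | Where-Object { $_.UpdateReasons -match 'FileDelete' -and $_.Extension -eq '.exe' } |
        Select-Object UpdateTimestamp, ParentPath, Name | Format-Table -AutoSize
}
finally {
    # Always release the image, even if parsing failed.
    Dismount-DiskImage -ImagePath $Vhdx | Out-Null
}
```

Run it from an elevated PowerShell session, since mounting a disk image requires administrator rights.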
Akash Patel