
Understanding, Collecting, Parsing the $I30

Introduction:

In the intricate world of digital forensics, every byte of data tells a story. Within the NTFS file system, "$I30" files stand as silent witnesses, holding valuable insights into file and directory indexing.


Understanding "$I30" Files:

$I30 files are the indexes that NTFS directories keep of their files and subdirectories, providing a structured layout of each directory's contents. Every index entry carries a copy of the $FILE_NAME attribute, including its timestamps, so the index duplicates file metadata that is also stored in the Master File Table (MFT).


Utilizing "$I30" Files as Forensic Resources:

$I30 files provide an additional forensic avenue for accessing MACB timestamp data. Entries for deleted files often linger in the slack space of the index and can frequently be recovered from these index files.


Collection:


You can use FTK Imager to collect artifacts such as $I30.


Parsing:

Tools like MFTECmd.exe (by Eric Zimmerman) or INDXParse-master can be used for parsing.

The screenshot below is an example of INDXParse-master.

You can use the -c or -d parameter depending on your needs.


Note: To use INDXParse-master you need to have Python installed on Windows. I have done so, which makes it easy for me.
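To show what a parser such as INDXParse-master or MFTECmd does with an $I30 index, here is a small added example (not code from the original post, and not code from either of those projects) that parses one INDX record from an $I30 $INDEX_ALLOCATION attribute: it undoes the NTFS update sequence fixups, walks the live entries and decodes the embedded $FILE_NAME timestamps, then carves the slack space after the end-of-node marker for entries of deleted files. The on-disk offsets follow the public NTFS layout; the 1024-byte sample record, its file names, MFT numbers and timestamps are constructed in memory for the demonstration and are not from any real image.

```python
"""Minimal parser for one NTFS $I30 INDEX_ALLOCATION record (an "INDX" block).

Added example, not code from the original post or from INDXParse/MFTECmd. Offsets follow
the public NTFS on-disk layout; the sample record built below is constructed test data.
"""
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512
NODE_HDR = 0x18            # index node header follows the 24-byte INDX record header
FN_FIXED = 0x42            # fixed part of $FILE_NAME that precedes the UTF-16 name
LAST_ENTRY = 0x02          # entry flag marking the end-of-node entry (no $FILE_NAME)
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    """Inverse of filetime_to_dt, integer arithmetic only (used to build test data)."""
    td = dt - EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def apply_fixups(block):
    """Undo the update sequence array so each sector's last word holds real data."""
    buf = bytearray(block)
    usa_off, usa_count = struct.unpack_from("<HH", buf, 4)
    usn = bytes(buf[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        if buf[end:end + 2] != usn:           # a mismatch means a torn/partial write
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        buf[end:end + 2] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_entry(buf, off):
    """Decode one index entry (and its embedded $FILE_NAME) at buf[off:]."""
    mft_ref, entry_len, fn_len, flags = struct.unpack_from("<QHHI", buf, off)
    entry = {"mft_record": mft_ref & 0xFFFFFFFFFFFF, "mft_seq": mft_ref >> 48,
             "entry_len": entry_len, "flags": flags}
    if flags & LAST_ENTRY and fn_len == 0:     # end-of-node marker carries no name
        return entry
    fn = off + 0x10
    (parent_ref, cr, mo, ch, ac, alloc, real, _fflags, _reparse,
     name_len, namespace) = struct.unpack_from("<QQQQQQQIIBB", buf, fn)
    raw_name = buf[fn + FN_FIXED: fn + FN_FIXED + 2 * name_len]
    entry.update({"parent_record": parent_ref & 0xFFFFFFFFFFFF,
                  "created": filetime_to_dt(cr), "modified": filetime_to_dt(mo),
                  "mft_changed": filetime_to_dt(ch), "accessed": filetime_to_dt(ac),
                  "alloc_size": alloc, "real_size": real, "namespace": namespace,
                  "name": raw_name.decode("utf-16-le", errors="replace")})
    return entry


def looks_like_entry(buf, off):
    """Plausibility checks used when carving slack: sizes must agree, name must be sane."""
    if off + 0x10 + FN_FIXED > len(buf):
        return False
    _ref, entry_len, fn_len, flags = struct.unpack_from("<QHHI", buf, off)
    name_len, namespace = struct.unpack_from("<BB", buf, off + 0x10 + 0x40)
    if not (0x54 <= entry_len <= 0x400 and (flags & ~0x3) == 0 and namespace <= 3):
        return False
    if name_len == 0 or fn_len < FN_FIXED + 2 * name_len or fn_len > entry_len - 0x10:
        return False
    if off + entry_len > len(buf):
        return False
    name = buf[off + 0x10 + FN_FIXED: off + 0x10 + FN_FIXED + 2 * name_len]
    try:
        return name.decode("utf-16-le").isprintable()
    except UnicodeDecodeError:
        return False


def parse_indx_record(block):
    """Return (active_entries, slack_entries) for one INDX record."""
    if block[:4] != b"INDX":
        raise ValueError("not an INDX record")
    buf = apply_fixups(block)
    first_off, total, alloc, _nflags = struct.unpack_from("<IIII", buf, NODE_HDR)
    off, end, alloc_end = NODE_HDR + first_off, NODE_HDR + total, NODE_HDR + alloc
    active = []
    while off < end:
        e = parse_entry(buf, off)
        off += e["entry_len"]
        if e["flags"] & LAST_ENTRY:
            break
        active.append(e)
    # Bytes between the end of the live entries and the allocated end are slack. Entries
    # of deleted or renamed files survive there until the node is rewritten over them.
    slack, pos = [], end
    while pos + 0x10 <= alloc_end:
        if looks_like_entry(buf, pos):
            slack.append(parse_entry(buf, pos))
            pos += slack[-1]["entry_len"]
        else:
            pos += 8
    return active, slack


def build_entry(record, seq, parent, name, when, size):
    """Serialize one $I30 entry with a $FILE_NAME attribute (constructed test data)."""
    raw = name.encode("utf-16-le")
    fn_len = FN_FIXED + len(raw)
    entry_len = (0x10 + fn_len + 7) & ~7          # entries are 8-byte aligned
    ft = dt_to_filetime(when)
    fn = struct.pack("<QQQQQQQIIBB", parent, ft, ft, ft, ft, (size + 4095) & ~4095,
                     size, 0x20, 0, len(name), 1) + raw
    head = struct.pack("<QHHI", (seq << 48) | record, entry_len, fn_len, 0)
    return (head + fn).ljust(entry_len, b"\x00")


def build_sample_record():
    """Constructed 1024-byte INDX record: two live entries, an end-of-node marker,
    and one entry of a deleted file left behind in the slack."""
    when = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
    live = (build_entry(40, 1, 5, "Report.docx", when, 18221)
            + build_entry(41, 1, 5, "notes.txt", when, 512))
    marker = struct.pack("<QHHI", 0, 0x10, 0, LAST_ENTRY)
    deleted = build_entry(42, 2, 5, "secret.xlsx", when, 9000)
    usa_off, usa_count = 0x28, 3                   # USN word plus one slot per sector
    first_off = 0x30 - NODE_HDR                    # entries start after the USA, 8-aligned
    total = first_off + len(live) + len(marker)    # the deleted entry lies past "total"
    hdr = b"INDX" + struct.pack("<HHQQ", usa_off, usa_count, 0, 0)
    node = struct.pack("<IIII", first_off, total, 1024 - NODE_HDR, 0)
    buf = bytearray((hdr + node).ljust(0x30, b"\x00") + live + marker + deleted)
    buf = buf.ljust(1024, b"\x00")
    usn = b"\x01\x00"
    buf[usa_off:usa_off + 2] = usn
    for i in range(1, usa_count):                  # move each sector-end word into the USA
        end = i * SECTOR - 2
        buf[usa_off + 2 * i:usa_off + 2 * i + 2] = buf[end:end + 2]
        buf[end:end + 2] = usn
    return bytes(buf)


if __name__ == "__main__":
    live_entries, slack_entries = parse_indx_record(build_sample_record())
    for label, entries in (("live", live_entries), ("slack", slack_entries)):
        for e in entries:
            print(label, e["mft_record"], e["name"], e["created"].isoformat(), e["real_size"])
```

The fixup step matters for real images: the last two bytes of every 512-byte sector in an INDX record are replaced on disk by the update sequence number, so a parser that skips `apply_fixups` will corrupt any entry that straddles a sector boundary. The slack carve is deliberately heuristic; timestamps and names recovered from slack belong to whatever the entry described at the time it was written, and should be corroborated against the MFT record with the same number and sequence before they are relied on.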


Akash Patel





