
Windows NTFS Index Attributes ($I30 Files) 


This video is a continuation of the “Introduction to Windows Forensics” series, and picks up where we left off in the previous video (Windows MACB Timestamps). This time, we’ll take a look at NTFS index attributes, also known as $I30 files. First, we’ll cover the basic information you need to know about this important artifact. Then, we’ll walk through extraction of a $I30 file from a Windows 10 virtual machine, and analyze the contents of the index looking for evidence of deleted or overwritten files.
Introduction to Windows Forensics:
ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-VYROU-ZwZX8.html
Windows MACB Timestamps (NTFS Forensics):
ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-OTea54BelTg.html
NTFS INDX Parsing:
www.williballenthin.com/forensics/indx/
INDXParse:
github.com/williballenthin/INDXParse
NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files:
forensicmethods.com/ntfs-index-attribute
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics

Published: 12 Sep 2017
Comments: 19
@beb978 4 years ago
Best video on YT I ever found to explain and show a use case of the NTFS index attribute. I salute you sir!
@matthewgrady1579 6 years ago
Fantastic content! Please do keep it up! Quality content that is educational and straight to the point knowledge you are handing out is highly appreciated!
@adamswann576 6 years ago
Keep them coming! Only way to make them better in my view is to use a lower resolution on your analysis VM so that it's easier to see on a mobile, but I appreciate that's not going to work when you need lots of things on screen.
@applepinez 10 months ago
This was great, thank you!
@StaticReplication 3 years ago
Awesome stuff. I'm almost ashamed to admit that I have a degree in computer forensics and I don't know a lot of this stuff.
@servermadum7297 2 years ago
Sir, when will tsk videos come? We are looking forward to it :)
@zigaudrey 2 years ago
As far as I understand, the $i30 is about the metadata, such as name and directory. My laptop mentioned this when I performed a read-only chkdsk. I found out that the profile was corrupted and even when I edit the registry, my laptop keeps creating temporary files, wasting space for nothing. The cmd displayed a long log; I didn't pay attention to the rest, I saved the log. Is it worth spot-fixing it with chkdsk? I hope it wouldn't damage or harm the hard drive. If it is logical, it should be performed. For recovering files, this tool is the best!
@jajinkya143 3 years ago
I tried to do it on my own. But when I created a secret folder and then loaded the logical drive in FTK imager I did not see any $I30 file. Can you please let me know why? And your videos are extremely helpful especially for a student like me lacking funds to do a cert.
@13Cubed 3 years ago
It's actually not a true "file", rather an attribute. This article may help: www.sans.org/blog/ntfs-i30-index-attributes-evidence-of-deleted-and-overwritten-files/. You'll view them within FTK Imager itself, not on a mounted volume.
@jajinkya143 3 years ago
@13Cubed Thanks for responding. So when I load the logical C drive in FTK, the $I30 attribute should show up, right? But it does not.
@13Cubed 3 years ago
@jajinkya143 This is an NTFS volume, correct? Yes, if you browse the Evidence Tree and traverse into a given directory, you should see $I30 presented as a "file" within the File List on the right pane.
@jajinkya143 3 years ago
@13Cubed I did the following steps: 1. Created a directory called "Secret" on the Desktop. 2. Added 2 Excel files, one PDF and one image to the folder. 3. Loaded the logical drive in FTK Imager. I can see all the files but cannot see the $I30. I noticed that there are $I30 files for other folders which are present on Windows by default like Favorites, Documents etc. But the $I30 is not present for the folder which I created. Sorry, I cannot post the screenshot in the comments.
@13Cubed 3 years ago
@jajinkya143 Try restarting the box and looking again. I am not sure why FTK Imager is not displaying it. Also create a directory in the root of C and repeat the test.
@audreymciver4863 5 years ago
This is probably because of my hackers that created a switch account on my YouTube app. I don't have the option to remove it and duo has something to do with this I think
@feburuum4062 3 years ago
I tested this on Windows 10 1909 and the $I30 file contained the $SI and NOT the $FN
@13Cubed 3 years ago
I have not seen this behavior. The $I30 timestamps should always be aligned with $FN. Often those will in turn mirror $SN. Granted, I have not tested this behavior in all versions of Windows 10. www.sans.org/blog/ntfs-i30-index-attributes-evidence-of-deleted-and-overwritten-files/
@feburuum4062 3 years ago
@13Cubed I manually changed the Std Creation Date with PowerShell and then looked in both $MFT and $I30. The arbitrary value was in the $MFT $SI creation date and, as expected, the $FN creation date was unchanged. Then in the $I30 I also found the arbitrary value I just modified, that's why I concluded it is $SI values. Thanks for your videos, a very interesting playlist, it helps a lot.
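The index analysis the description and the thread above talk about, as an added example (not the video's code and not INDXParse): it builds a constructed 4 KB INDX record for a directory from which secret.xlsx was deleted, undoes the NTFS fixups, walks the live entries, then carves the deleted entry's $FILE_NAME body out of slack, showing that each index entry carries its own copy of the $FN timestamps. The record layout follows the public INDX format; the file names, MFT record numbers, timestamp and USN are constructed sample values.

```python
import struct
from datetime import datetime, timedelta, timezone
SECTOR, RECORD, USA_OFF, START = 512, 4096, 0x28, 0x40    # START: offset of the first index entry in the record
USA_CNT = RECORD // SECTOR + 1                             # update sequence number plus one saved word per sector
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)          # FILETIME epoch; values are 100 ns ticks
def to_filetime(dt): return (dt - EPOCH) // timedelta(microseconds=1) * 10
def from_filetime(ft): return EPOCH + timedelta(microseconds=ft // 10)
def entry(mft_ref, name, t):
    # Index entry: 16-byte header + $FILE_NAME body (parent ref, C/M/MFT-M/A times, sizes, flags, reparse, nlen, ns, name)
    fn = struct.pack("<Q4QQQIIBB", 5, *[to_filetime(t)] * 4, 0, 0, 0x20, 0, len(name), 1) + name.encode("utf-16-le")
    return struct.pack("<QHHI", mft_ref, (len(fn) + 23) & ~7, len(fn), 0) + fn + bytes(-(len(fn) + 16) % 8)
def write_node(buf, entries):
    # INDX header (magic, USA offset/count, LSN, VCN) + node header (entry offset, used, allocated; relative to 0x18)
    payload = b"".join(entries) + struct.pack("<QHHI", 0, 0x10, 0, 2)      # final entry: flags bit 1, no $FILE_NAME
    buf[0:0x28] = struct.pack("<4sHHQQIIIB3x", b"INDX", USA_OFF, USA_CNT, 0, 0, START - 0x18, START - 0x18 + len(payload), RECORD - 0x18, 0)
    buf[START:START + len(payload)] = payload
def apply_fixups(buf):
    # As NTFS does on write: the last two bytes of every sector move into the USA and the USN takes their place
    buf[USA_OFF:USA_OFF + 2] = b"\x07\x00"
    for i in range(1, USA_CNT):
        buf[USA_OFF + 2*i:USA_OFF + 2*i + 2], buf[i*SECTOR - 2:i*SECTOR] = buf[i*SECTOR - 2:i*SECTOR], b"\x07\x00"
def undo_fixups(rec):
    usa_off, usa_cnt, data = *struct.unpack_from("<HH", rec, 4), bytearray(rec)
    for i in range(1, usa_cnt):                               # mismatch = torn write, or not an INDX record at all
        if data[i*SECTOR - 2:i*SECTOR] != data[usa_off:usa_off + 2]: raise ValueError("fixup mismatch")
        data[i*SECTOR - 2:i*SECTOR] = data[usa_off + 2*i:usa_off + 2*i + 2]
    return bytes(data)
def parse_fn(data, off, limit):
    # (name, created, modified) if a plausible $FILE_NAME body starts at off, else None; the same test drives carving
    nlen, ns = data[off + 0x40:off + 0x42] if off + 0x42 <= limit else (0, 0)
    if not 1 <= nlen <= 255 or ns > 3 or off + 0x42 + 2*nlen > limit: return None
    try: created, modified = [from_filetime(v) for v in struct.unpack_from("<QQ", data, off + 8)]
    except OverflowError: return None
    name = data[off + 0x42:off + 0x42 + 2*nlen].decode("utf-16-le", "replace")
    return (name, created, modified) if 1980 <= created.year <= 2100 and name.isprintable() else None
def parse_i30(rec):
    ent_off, used, alloc = struct.unpack_from("<III", data := undo_fixups(rec), 0x18)
    live, pos, end, top = [], 0x18 + ent_off, min(0x18 + used, len(data)), min(0x18 + alloc, len(data))
    while pos < end:
        _, length, _, flags = struct.unpack_from("<QHHI", data, pos)
        if flags & 2 or length < 0x10: break                  # end-of-node entry (no $FILE_NAME) or corrupt length
        live += filter(None, [parse_fn(data, pos + 0x10, end)]); pos += length
    # Slack between the live end and the allocated size keeps $FILE_NAME bodies of entries dropped from the node
    return live, [fn for p in range(end, top, 8) if (fn := parse_fn(data, p, top))]
def make_record():
    # Constructed sample: a directory with three files, then secret.xlsx is deleted and the node rewritten in place
    t, rec = datetime(2017, 9, 12, 8, 30, tzinfo=timezone.utc), bytearray(RECORD)
    write_node(rec, [entry(40, "notes.pdf", t), entry(41, "photo.png", t), entry(42, "secret.xlsx", t)])
    write_node(rec, [entry(40, "notes.pdf", t), entry(41, "photo.png", t)])   # end marker moves back; old body stays
    apply_fixups(rec); return bytes(rec)
```

On a real $I30 attribute exported with FTK Imager, feed each 4096-byte INDX record from the $INDEX_ALLOCATION data to parse_i30; the carving check is a heuristic, so carved names deserve corroboration against $MFT and $UsnJrnl.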
@helelbs259 3 years ago
alien code