Incident Response with EZTools - $MFT Parser

MFTECmd is bundled with EZTools. The tool is used to parse $MFT, $Boot, $J, $SDS and $I30.

$MFT: All information about a file, including its size, time and date values, permissions, and data content, is stored either in $MFT entries or in space outside the $MFT that is described by $MFT entries. The $MFT can be considered one of the most important files in the NTFS file system.

$Boot: Also known as the Volume Boot Record, Volume Boot Sector or Partition Boot Sector. It stores the size of the partition, the location of the $MFT for the partition, and the location of the $MFT mirror for the partition. $Boot is the first file in a volume.

$I30: The NTFS file system maintains an index of all files and directories called the $I30 attribute. Every directory in the file system contains an $I30 attribute that must be maintained whenever the directory's contents change. When files or folders are removed from a directory, the $I30 index records are rearranged accordingly. $I30 can be used in forensic analysis to identify files that may have existed on the drive, and it also gives evidence of deleted and overwritten files.
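The $MFT entry layout described above, as an added example that is not part of the original page or of MFTECmd itself: a small Python parser for one 1024-byte FILE record that undoes the fixup array, reads the $STANDARD_INFORMATION and $FILE_NAME timestamps, and applies the two timestomping heuristics MFTECmd reports in its output (SI<FN and uSecZeros). The build_record helper, the record number 42 and the file names are constructed test data, not bytes from a real volume.

```python
import struct
from datetime import datetime, timedelta, timezone
def filetime(ticks):  # Windows FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)
def apply_fixups(rec):
    # Undo the update sequence array: on disk each 512-byte sector ends with the USN and the
    # real bytes sit in the array at usa_off; a mismatch means a torn or corrupt record.
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    rec, usn = bytearray(rec), rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        if rec[i * 512 - 2:i * 512] != usn:
            raise ValueError("fixup mismatch")
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)
def parse_record(rec):
    # Header flags plus resident $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30); non-resident skipped.
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(rec)
    off, flags = struct.unpack_from("<HH", rec, 0x14)       # first-attribute offset, record flags
    entry = {"in_use": bool(flags & 1), "is_dir": bool(flags & 2)}
    while struct.unpack_from("<I", rec, off)[0] != 0xFFFFFFFF:   # end-of-attributes marker
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if not nonres:                     # resident: content lives inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == 0x10:              # $SI: created, modified, MFT-modified, accessed
                entry["si"] = struct.unpack_from("<4Q", body, 0)
            elif atype == 0x30:            # $FN: same four times after the 8-byte parent ref
                entry["fn"] = struct.unpack_from("<4Q", body, 8)
                entry["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return entry
def timestomp_indicators(entry):
    # MFTECmd's SI<FN and uSecZeros heuristics: user-mode tools rewrite $SI but not $FN, and
    # second-granularity API writes zero the 100 ns fraction (FAT or archive copies can be benign).
    si_lt_fn = entry["si"][0] < entry["fn"][0]
    usec_zero = any(t % 10_000_000 == 0 for t in entry["si"])
    return [n for n, hit in (("SI<FN", si_lt_fn), ("uSecZeros", usec_zero)) if hit]
def build_record(name, si, fn):
    # Constructed 1024-byte in-use file record for the demo (not from a real disk).
    def attr(t, body):
        pad = -len(body) % 8
        return struct.pack("<IIBBHHHIHBB", t, 24 + len(body) + pad, 0, 0, 0, 0, 0, len(body), 24, 0, 0) + body + b"\0" * pad
    fn_body = struct.pack("<Q4Q2Q2I", 5, *fn, 0, 0, 0, 0) + bytes([len(name), 3]) + name.encode("utf-16-le")
    attrs = attr(0x10, struct.pack("<4Q", *si) + b"\0" * 16) + attr(0x30, fn_body) + b"\xff" * 4 + b"\0" * 4
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(attrs), 1024, 0, 3, 0, 42)
    rec = bytearray(hdr + b"\x01\0" + b"\0" * 6 + attrs).ljust(1024, b"\0")
    rec[510:512] = rec[1022:1024] = b"\x01\0"   # sector tails carry the USN; the USA keeps the real (zero) bytes
    return bytes(rec)
```

Pointing parse_record at a real $MFT means iterating the file in 1024-byte records and raising the two flags alongside MFTECmd's CSV for triage; the uSecZeros hit on its own is a lead, not proof.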


Introduction to MFTECmd: NTFS MFT AND JOURNAL FORENSICS