This video is a continuation of the “Introduction to Windows Forensics” series, and picks up where we left off in the previous video (Windows MACB Timestamps). This time, we’ll take a look at NTFS index attributes, also known as $I30 files. First, we’ll cover the basic information you need to know about this important artifact. Then, we’ll walk through extraction of a $I30 file from a Windows 10 virtual machine, and analyze the contents of the index looking for evidence of deleted or overwritten files.
Introduction to Windows Forensics:
• Introduction to Windows Forensics
Windows MACB Timestamps (NTFS Forensics):
• Windows MACB Timestamps (NTFS Forensics)
NTFS INDX Parsing:
http://www.williballenthin.com/forens...
INDXParse:
https://github.com/williballenthin/IN...
NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files:
http://forensicmethods.com/ntfs-index...
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
This video was added by user 13Cubed on 11 September 2017.