Comments on A Fistful of Dongles: Give Me $FILE_NAME or Give Me Death

H. Carvey (2010-06-19):
> Any other tools that are doing this?

MFTRipper from Mark Menz, although there is an issue with the order of the times that hasn't been worked out in a new/updated version. I use David Kovar's analyzemft.py script to provide some verification for my own Perl code.

harlan.pl

Eric Huber (2010-06-19):
Thanks, Harlan! What I'll do is collect the information that people send me and then make a list (with links to the tools people mention) that I'll put in one of my next blog posts.

Congratulations on your Forensic 4cast nominations, btw. :)

DaveMacaroni (2010-06-19):
Looks like Harlan beat me to the two tools I was thinking of! I know a number of other people have built EnScripts to be used within EnCase that will parse the MFT as well.

Dave

Nathan Swenson (2010-06-24):
FTK 3.1 exposes these values. In the properties pane for a file it lists the $FILE_NAME values for the name values like "Date Modified (8.3 filename)" for each of the filenames. It only lists them if they are set and if they differ from the $STANDARD_INFORMATION values, so if you don't see them they are the same.
I think this was done because these are 16 extra values to

Phillip Hellewell (2010-06-24):
I work at AccessData and we added this feature in the Forensic Toolkit 3.1 release.

If the filename timestamps differ from the STANDARD_INFORMATION timestamps then they are parsed and can be seen in the properties window when viewing a file.

--
Phillip Hellewell
Software Engineer, AccessData

Eric Huber (2010-06-24):
Thanks for the information, Nathan and Phillip. I appreciate you guys taking the time to stop by and let us know how Access Data is innovating in this area.

I upgraded my FTK to the most recent version after reading your posts and I didn't find any files that showed the $FILE_NAME data, but it was just a very quick test.

While I can understand that adding this