Comments on Windows Incident Response: Updates

Corey Harrell (http://journeyintoir.blogspot.com/), 2013-12-17 09:38 -05:00

Thanks for these posts where you are tying together others' articles.

> Without the MFT from the wallet drive, this information cannot be validated. Is this data then useful?

I thought about this and I only came up with one instance where showing the $MFT record number may be useful. I haven't tried or seen this on removable media. However, I've seen this a few times on the local hard drive. There were times when multiple files were created on the local hard drive and the files' $MFT record numbers were grouped together. By itself I can't reach any conclusions, but I do get a general idea about what files may have been created around the same time. I think this technique may work for removable media.

Anonymous, 2013-12-17 01:48 -05:00

Nice additions to shellbags.pl. I have to agree with you on the decision to make the MFT references NOT show up in output by default (by commenting it out). Not only does this lessen the burden for examiners who want to analyze shellbags quickly, it also allows for access to the data if an investigator really wants it.

I've said it a few times already, but it's one thing to see what a tool outputs... it's another to know what it means.

Excellent and super fast update.
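The grouping heuristic Corey Harrell describes above (files whose $MFT record numbers sit close together were probably created around the same time) can be applied mechanically to shellbag entries once the MFT references are emitted. The following is an added example, not code from the blog post or from shellbags.pl; it assumes the standard 64-bit NTFS file reference layout (low 48 bits are the MFT record number, high 16 bits the sequence number) and an input list of (path, file_reference) pairs, and the sample entries are constructed rather than taken from any case.

```python
"""Cluster shellbag entries by NTFS MFT record number.

Added example illustrating the heuristic from Corey Harrell's comment; it is
not code from the blog post or from shellbags.pl. It assumes the standard
64-bit NTFS file reference layout (low 48 bits = MFT record number, high 16
bits = sequence number) and an input list of (path, file_reference) pairs.
The sample entries are constructed.
"""
from typing import Dict, List, Tuple

# Constructed sample: 64-bit file references built as (sequence << 48) | record.
SAMPLE_ENTRIES: List[Tuple[str, int]] = [
    ("E:\\Tools", (2 << 48) | 998),
    ("E:\\Photos", (7 << 48) | 12010),
    ("E:\\Photos\\IMG_0001.jpg", (7 << 48) | 12011),
    ("E:\\Docs\\Resume.docx", (3 << 48) | 41232),
    ("E:\\Docs\\Cover Letter.docx", (3 << 48) | 41233),
    ("E:\\Docs\\Budget.xlsx", (1 << 48) | 41235),
]


def split_file_reference(ref: int) -> Tuple[int, int]:
    """Return (record_number, sequence_number) from a 64-bit NTFS file reference."""
    return ref & 0xFFFFFFFFFFFF, (ref >> 48) & 0xFFFF


def cluster_by_record(entries: List[Tuple[str, int]], max_gap: int = 3) -> List[List[Dict]]:
    """Sort entries by MFT record number and group runs whose numbers are
    within max_gap of the previous entry.

    Neighbouring record numbers suggest the files were created close
    together in time on the original volume, but that is a lead, not a
    conclusion: without that volume's $MFT the numbers cannot be validated,
    and a record may have been reused (the sequence number counts reuses).
    """
    decoded: List[Dict] = []
    for path, ref in entries:
        record, sequence = split_file_reference(ref)
        decoded.append({"record": record, "sequence": sequence, "path": path})
    decoded.sort(key=lambda e: e["record"])

    clusters: List[List[Dict]] = []
    for entry in decoded:
        if clusters and entry["record"] - clusters[-1][-1]["record"] <= max_gap:
            clusters[-1].append(entry)
        else:
            clusters.append([entry])
    return clusters


if __name__ == "__main__":
    for group in cluster_by_record(SAMPLE_ENTRIES):
        print(f"records {group[0]['record']}-{group[-1]['record']}:")
        for e in group:
            print(f"  {e['record']:>8} (seq {e['sequence']})  {e['path']}")
```

The max_gap window is a judgement call: a small value keeps only near-consecutive records together, a larger one tolerates interleaved allocations from other activity. Either way the output is a list of candidate groups to check against other timeline sources, not evidence on its own.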