$I File Parser

DFIR Tools

License Type: Free
Forensic Utilities - Windows
MFT
"In nearly all digital forensics cases where a Windows computer is involved, we need to process the recycle bin for deleted files. When a file is deleted through the recycle bin on a computer with the NTFS file system, several things will occur. First, the NTFS $MFT entry is updated with a new record number for a parent. Basically, that means its parent now becomes the Recycle Bin instead of its original location. The second thing is that the file is given a new name. Instead of the original name it now becomes named $R with six random characters and the original file extension."
