NTFS MFT analysis

[learner]

I have a forensic investigation case.
An employer is seeking to analyse one of this employee's hard disk . A importanat file is deleted from 40GB NTFS partition and no software has shown any traces of the said file.
How to interpreat / analyse MFT records to reach upto a single 143KB excel file?
File system guru's please give hints & advice.

[hddmania]

It all depends on how it was deleted, when and where and so on... It may give you a clue on MFT and it may give you a clue on unallocated space or in the slack space. Where are you located???

Hope you are working on this case from a cloned drive...

[BlackST]

Hope no one of the parts involved is reading this forum...

[learner]

disk is forensically captured using standard procedure. BlackSt i did not understand what do you mean.
all i know that mft's & its mirror copies alongwith log files we often recover hold the key secrets to data link & most pro's can decode mfts manually to trace sectors where file fragments are located.
instead of using ready to use tools which every tom dick & harry use , this will be more precise method.

[BlackST]

I mean that :

I have a forensic investigation case.
An employer is seeking to analyse one of this employee's hard disk . A importanat file is deleted from 40GB NTFS partition and no software has shown any traces of the said file.
How to interpreat / analyse MFT records to reach upto a single 143KB excel file?
File system guru's please give hints & advice.

... some information should be strictly confidential (I would have been MORE AND MORE GENERIC in public) and discussed maybe in PM.
Only this.

[Amarbir[CDR-Labs]]

Bl ,
Lol Hee Hee ,How Always Think Miles ahead .

[BlackST]

Eh, Amarbir, my friend.... probably more experience . All the best.

[derp]

Hi Learner,
you want to learn what happens with MFT? - start with simple process.
Create new NTFS installation - same as case on hand.

Scan the drive for MFT entries - you can get text output of MFT entries.
Copy one new excel file to the drive.

Scan drive for all MFT entries - observe the one for your Excel file - hurray
Delete the Excel file - scan the drive for MFT entries - observe MFT entry of your file.
Remove the file from Recycle - scan the drive for MFT entries - observe MFT entry for your file.

[learner]

thanks derp. yes to begin with this is best suggestion .now question is how to open mft's for this analysis. Cam we open it in wordpad or something? also there is backup file of main mft. can you tell name of the files needs to be analysed & if it is corrupt/traped in bad sectors, where is its back up?
Furthermore , if you find that entry how to actually go to that sector & recreate that file from its fragments /sectors?
Thanks

[Steve]

What forensics tools do you have?
What sector examining tools do you have?

[learner]

What forensics tools do you have?
What sector examining tools do you have?

We use hardware duplicators like ninja /salvationdata /mediatools pro/ FTK imager etc. For analaysis we have winhex , we are very new in that & thats the reason to give a request.

[Steve]

What forensics tools do you have?
What sector examining tools do you have?

We use hardware duplicators like ninja /salvationdata /mediatools pro/ FTK imager etc. For analaysis we have winhex , we are very new in that & thats the reason to give a request.

Grab a trial version of Runtimes NTFS explorer, then you can view
MFT's ,and INDX's for file remants. if it helps then you can purchase
it. RStudio allows you to look for file types.
You might also look into FTK full version, or Encase.