AnalyzeMFT

Many criminals alter file timestamps. In our case, the timestamps on the file Secret.pdf have been modified, even though the file was actually created on 27/06/210.




Let's say the suspect purchased the machine in March. The altered dates would suggest that they had neither created nor tampered with this document.


So, assuming we have a copy of the $MFT, we now want to analyse it. But it is a hidden system file, so it does not show up in a normal directory listing.


Use the "attrib" command in the Windows command prompt. This shows us that the file has the system (S) and hidden (H) attributes set.




So using attrib -s -h on the copied file, we clear those two attributes and make it visible. Do this on the exported copy only, never on the evidence drive itself.


So now we have a visible file.


To analyse it, we will be working in the SANS SIFT workstation, which can be downloaded from SANS.


We run analyzeMFT.py to see the options available to us.
Note: the .py extension is there because the tool is a Python script.


I then used the following command.
Note: the MFT file is on the desktop, so that is the directory we need to run the tool from (or else give the full path to the file).
Don't spend a few minutes wondering why the tool can't find your file (which I definitely didn't do…)
if you haven't changed to the right directory!


So, the command looks like this:
Run the tool on the file MFT and write the results to Analysis.csv in an Excel-friendly format.


So, we now have the CSV open in Excel. We copy this into Word. Using Ctrl+F to search for our file name
shows the MFT record for it:


Here we can see that the $STANDARD_INFORMATION timestamps still show the altered dates. However, the $FILE_NAME (FN)
attribute timestamps show the true dates (today's).


This is because common timestamp-altering tools (anything that goes through the SetFileTime API) only change the $STANDARD_INFORMATION timestamps, which are the ones Explorer displays; the $FILE_NAME timestamps are maintained by the kernel and are not exposed through that API.
Thus the MFT record retains both sets of timestamps, and a $STANDARD_INFORMATION creation time that predates the $FILE_NAME creation time is an indicator of tampering. One caveat: NTFS copies the $STANDARD_INFORMATION timestamps into $FILE_NAME when a file is renamed or moved, so a file that is stomped and then moved will show matching (false) dates in both attributes.
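As an added example (not code from the original post or from the analyzeMFT project), here is a small Python check that applies this reasoning to analyzeMFT's CSV output: it flags any record whose $STANDARD_INFORMATION creation time is earlier than its $FILE_NAME creation time. The column names are assumed to follow analyzeMFT's CSV header, and the three rows are constructed sample data, not the output from this case.

```python
import csv
import io
from datetime import datetime

# Constructed sample of analyzeMFT-style CSV output (not real output from the case above).
# Column names are an assumption based on analyzeMFT's CSV header; only the columns
# used below are included. Secret.pdf has a stomped SI creation date (2010) while
# the kernel-maintained FN creation date still shows when the record was really made.
SAMPLE_CSV = """\
Record Number,Active,Filename #1,Std Info Creation date,Std Info Modification date,FN Info Creation date,FN Info Modification date
40,Active,Secret.pdf,2010-06-27 09:12:00.000000,2010-06-27 09:12:00.000000,2019-06-27 14:03:21.553812,2019-06-27 14:03:21.553812
41,Active,Budget.xlsx,2019-06-20 08:00:00.118422,2019-06-25 17:45:10.901133,2019-06-20 08:00:00.118422,2019-06-20 08:00:00.118422
42,Active,notes.txt,2019-06-27 14:10:05.220000,2019-06-27 14:10:05.220000,2019-06-27 14:10:05.220000,2019-06-27 14:10:05.220000
"""


def parse_ts(value):
    """Parse an analyzeMFT timestamp cell; return None for empty or unparseable cells."""
    value = value.strip()
    if not value:
        return None
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    return None


def find_timestomp_candidates(csv_text):
    """Return (filename, si_created, fn_created) for every record whose
    $STANDARD_INFORMATION creation time predates its $FILE_NAME creation time.

    SetFileTime-style tools only rewrite $STANDARD_INFORMATION, so an SI creation
    time earlier than the FN creation time cannot arise from normal file activity.
    Records with missing or malformed timestamps are skipped rather than flagged.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        si_created = parse_ts(row.get("Std Info Creation date", ""))
        fn_created = parse_ts(row.get("FN Info Creation date", ""))
        if si_created is None or fn_created is None:
            continue
        if si_created < fn_created:
            hits.append((row["Filename #1"], si_created, fn_created))
    return hits


if __name__ == "__main__":
    # To run over the real output above, replace SAMPLE_CSV with open("Analysis.csv").read()
    for name, si, fn in find_timestomp_candidates(SAMPLE_CSV):
        print(f"{name}: SI created {si} but FN created {fn} -> possible timestomp")
```

To use it on the Analysis.csv produced earlier, read that file in place of SAMPLE_CSV. The invocation that produces the CSV is shown only as a screenshot on the page; with analyzeMFT's documented options it corresponds to something like `analyzeMFT.py -f MFT -o Analysis.csv -e` (an assumption, not copied from the page), and the tool's -a/--anomaly option performs a similar SI-versus-FN comparison itself. Remember the caveat above: a file stomped and then moved will pass this check, so treat a clean result as absence of one indicator, not proof of innocence.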


Also, we can see that link (.lnk) files have been created.

These will be covered next week.