Hi, I would like to ask: is this Python script not the same as the -m flag in MFTECmd? " -m $MFT file to use when -f points to a $J file (Use this to resolve parent path in $J CSV output)"
No, that would accomplish what I did in the first part of the demo -- the manual correlation. This is a completely different approach that I've not yet seen in any other tool.
Very interesting and informative. But how can we be sure that the path is 100% the original and not some sort of "bug" or some problem with the tool? ... Could this same thing be done manually, knowing that the result is obtained from the same 2 files we have?
Nothing is ever 100%. You could only say that "with high confidence" you believe this was the original path. You can also validate what the Python code is doing, and attempt to roll your own parsing methodology as well.
My favourite thing about forensics has always been that, given enough time, new techniques will be developed, uncovering new evidence. :)
A great supplement to the "Parsing the MFT and USN Journal" lesson. Thank you so much, Richard!
Great research, it's amazing how it just takes some time and dedicated people to discover ways to uncover something new sitting right in front of us.
Great video 13Cubed, one question though: so I can use this tool to act as a parser for both MFT+USN?
You'll still want to use something like MFTECmd to parse the $MFT and $J. This tool expects the output from MFTECmd as input.
@13Cubed Ah right, true that. Thanks again!
We got USN Journal full file path trick before GTA6
Hahaha indeed
You're my GOAT!