Friday, February 26, 2016

Forensic Friday: Get-ForensicMftSlack


[This is a continuation of my Forensic Friday series.  Every Friday I provide a short post on a forensic topic of interest or PowerForensics functionality (such as cmdlet descriptions, use cases, and details about lesser known features). Subscribe to Invoke-IR so you don’t miss a Forensic Friday!]


Happy Friday and welcome to another installment of my Forensic Friday series. This week we are going to cover PowerForensics’ Get-ForensicMftSlack, a cmdlet that returns Master File Table (MFT) slack space. For those not familiar with the concept of slack space, it is simply defined as allocated but unused space on the disk. MFT slack is specifically the unused portion of a Master File Table record entry. By default, the Master File Table is composed of records that represent a partition's files and directories. Each MFT record has a set number of bytes reserved for it on the hard drive, typically 1024 bytes (the number of bytes reserved for each MFT record entry can be found in the Volume Boot Record). When an MFT record entry does not use all of the bytes that have been allocated to it, the remaining bytes are referred to as MFT slack space, an area on disk in which attackers have been known to hide their tools.

Let's use PowerForensics to provide a specific example of MFT slack space. We start by using Get-ForensicFileRecord to get a specific FileRecord object (MFT record entry). Each FileRecord object has an AllocatedSize and a RealSize property. AllocatedSize represents the number of bytes that have been reserved for this particular MFT file entry, while RealSize represents the number of bytes that are actually being used by the entry.


Below you can see a hex dump of the MFT File Record. You can see the FILE0 signature and a couple of human-readable strings (such as “access.log”).


Now if we compare the output of Get-ForensicMftSlack, we see the same data that is at the bottom of the previous picture. This is the slack space! Sometimes slack space can contain contents of deleted files or file system structures.


The image below shows that the difference between AllocatedSize and RealSize is the same as the number of bytes returned by Get-ForensicMftSlack.
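To make the AllocatedSize/RealSize relationship concrete, here is an added Python example (not part of the original post or of PowerForensics) that builds a constructed 1024-byte MFT record and carves its slack the same way the cmdlet does: the record header stores the used size at offset 0x18 and the allocated size at offset 0x1C, and everything between the two is slack. It also pulls printable strings out of the slack as a simple triage step; the update sequence fixups that a real on-disk record needs are not applied here.

```python
import struct

RECORD_SIZE = 1024  # bytes reserved per MFT record (value taken from the Volume Boot Record)


def build_sample_record(used_size, payload=b""):
    """Constructed MFT record: FILE signature, used size at 0x18, allocated size
    at 0x1C, an end-of-attributes marker, and `payload` dropped into the slack."""
    assert 0x38 <= used_size <= RECORD_SIZE and used_size + len(payload) <= RECORD_SIZE
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x04, 0x30)       # offset of update sequence array
    struct.pack_into("<H", rec, 0x06, 3)          # update sequence array entries
    struct.pack_into("<H", rec, 0x10, 1)          # sequence number
    struct.pack_into("<H", rec, 0x14, 0x38)       # offset of first attribute
    struct.pack_into("<I", rec, 0x18, used_size)  # RealSize
    struct.pack_into("<I", rec, 0x1C, RECORD_SIZE)  # AllocatedSize
    struct.pack_into("<I", rec, used_size - 8, 0xFFFFFFFF)  # end-of-attributes marker
    rec[used_size:used_size + len(payload)] = payload   # hypothetical hidden data in slack
    return bytes(rec)


def mft_slack(record):
    """Return the slack bytes of one MFT record: record[RealSize:AllocatedSize]."""
    if len(record) < 0x30 or record[0:4] not in (b"FILE", b"BAAD"):
        raise ValueError("not an MFT record (bad signature)")
    real_size, allocated_size = struct.unpack_from("<II", record, 0x18)
    if allocated_size != len(record) or real_size > allocated_size:
        raise ValueError("inconsistent RealSize/AllocatedSize fields")
    return record[real_size:allocated_size]


def printable_strings(data, min_len=4):
    """ASCII runs of at least min_len bytes, the kind of thing worth eyeballing in slack."""
    out, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


if __name__ == "__main__":
    rec = build_sample_record(0x1A8, b"hidden payload")  # constructed record with data in slack
    slack = mft_slack(rec)
    print(len(slack), "slack bytes; strings:", printable_strings(slack))
```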


Common Use

Parse all Master File Table slack space for a given volume (Example using volume “C:”):

$bytes = Get-ForensicMftSlack -VolumeName C:


Parse MFT record based on Index/Record Number (Example with Index 0 on Volume N:):

Get-ForensicMftSlack -VolumeName N: -Index 0 | Format-Hex



- Invoke-IR - By Jared Atkinson -