File: ntfs.yaml

forensic-artifacts 20190113-1
  • area: main
  • in suites: buster
  • size: 712 kB
  • sloc: python: 1,669; sh: 166; makefile: 21
file content (18 lines) | stat: -rw-r--r-- 462 bytes
# NTFS specific artifacts.

name: NTFSMFTFiles
doc: |
  The NTFS $MFT and $MFTMirr file system metadata files.

  GRR collection note: you currently need to specify 'use tsk' and
  'ignore download size limits' for this artifact to work. This will go away in
  the future.
sources:
- type: FILE
  attributes:
    paths:
      - '%%environ_systemdrive%%\$MFT'
      - '%%environ_systemdrive%%\$MFTMirr'
    separator: '\'
labels: [System]
supported_os: [Windows]