fte

type

Based on the 4 time stamps, which are Created time (crtime), Modified time aka Last Written (mtime), Changed time aka Entry Modified (ctime) and Accessed time (atime), fte outputs the type of time stamp in the type column on some tabs. The type is determined by micro information and the combination of the 4 time stamps, and objects (files/folders) are then classified into one of the pre-defined categories. This helps the investigator track specific objects.

The following are the current pre-defined categories.

FAT

Time stamps fit into FAT resolution.


MFT Artifact

fte parses the $MFT internal file and outputs metadata such as time stamps on the MFT tab.

MFT Big Picture

MFT Entry

The $Boot internal file sits at the starting sector of an NTFS volume. $Boot contains administrative information such as the number of sectors per cluster, the start sector of $MFT, etc. The $MFT file consists of fixed-length entries. One entry holds the metadata for one object (file/folder).
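The lookup described above, from $Boot to a given $MFT entry, as an added Python example (not fte's own code). The field offsets are the standard NTFS boot sector layout; the sample sector and the names `parse_ntfs_boot`, `entry_offset` and `build_sample_boot` are constructed for illustration.

```python
import struct

def parse_ntfs_boot(boot: bytes) -> dict:
    """Pull the fields needed to locate $MFT out of a 512-byte $Boot sector."""
    if len(boot) < 512 or boot[3:11] != b"NTFS    " or boot[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", boot, 0x0B)
    mft_lcn, mftmirr_lcn = struct.unpack_from("<QQ", boot, 0x30)
    (raw_size,) = struct.unpack_from("<b", boot, 0x40)  # signed byte
    # Encodings used for very large clusters are not handled in this example.
    if bytes_per_sector == 0 or not 1 <= sectors_per_cluster <= 128:
        raise ValueError("unsupported sector/cluster geometry for this example")
    if raw_size == 0:
        raise ValueError("entry size field is zero")
    cluster_size = bytes_per_sector * sectors_per_cluster
    # Positive: entry size in clusters. Negative: entry size is 2**abs(value) bytes.
    entry_size = raw_size * cluster_size if raw_size > 0 else 1 << -raw_size
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "mft_start_sector": mft_lcn * sectors_per_cluster,
        "mft_offset": mft_lcn * cluster_size,
        "mftmirr_offset": mftmirr_lcn * cluster_size,
        "entry_size": entry_size,
    }

def entry_offset(info: dict, n: int) -> int:
    """Byte offset of MFT entry n, valid while $MFT is one contiguous run."""
    return info["mft_offset"] + n * info["entry_size"]

def build_sample_boot() -> bytes:
    """Constructed sample: 512-byte sectors, 8 sectors per cluster, 1024-byte entries."""
    boot = bytearray(512)
    boot[0:3] = b"\xeb\x52\x90"                      # jump instruction
    boot[3:11] = b"NTFS    "                         # OEM ID
    struct.pack_into("<HB", boot, 0x0B, 512, 8)      # bytes/sector, sectors/cluster
    struct.pack_into("<QQ", boot, 0x30, 786432, 2)   # $MFT and $MFTMirr cluster numbers
    struct.pack_into("<b", boot, 0x40, -10)          # 2**10 = 1024 bytes per entry
    boot[510:512] = b"\x55\xaa"                      # end-of-sector marker
    return bytes(boot)

if __name__ == "__main__":
    info = parse_ntfs_boot(build_sample_boot())
    print(info)
    print("entry 5 (root directory) at byte", entry_offset(info, 5))
```

On a fragmented $MFT, entries beyond the first run have to be located through the data runs recorded in entry 0, which this example does not follow.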
