FCNS_INDX

FCNS_INDX is an EnScript for carving and parsing NTFS INDX ($INDEX_ALLOCATION) records.


Open an existing case or create a new one, add the evidence, then launch this EnScript. The following options are available.

  • Target
    • Selected: blue-checked file/object
    • Other: Folder, $LogFile, pagefile.sys, Unallocated Clusters, VSS: each enabled or disabled by its own check box
  • Filtering Option
    • Parse only the unused area of the current folder
    • Skip duplicate entries (slow if many entries are found)
    • Search only the starting position of each sector
  • Export
    • LEF File: specify the file path for the carved INDX records
    • TSV File: specify the file path for the parsed INDX records

Download

FCNS_INDX_0.9.EnPack (SHA1: 8b34739aed3bf62118a1482e8f70f367fda52a03)

License

You may use the SOFTWARE freely for personal or commercial purposes, with NO WARRANTIES.

Requirements

EnCase 7.x

Background

Please refer to INDX Artifact(1) and INDX Artifact(2).

Feature

The algorithm for searching and parsing entries from unallocated clusters is the same as fte. This EnScript is useful because, if you have EnCase, it is easy to adjust the Target and Filtering options.

Parsed data is recorded in the TSV file.


Note: Timestamps such as crtime, mtime, ctime and atime are adjusted per evidence according to "Modify time zone settings".
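
The following is an added illustration, not the EnScript's code and not necessarily the algorithm it shares with fte, of how INDX index entries can be carved from raw bytes such as unallocated clusters: it scans 8-byte-aligned offsets for a structurally valid $FILE_NAME index entry and produces TSV rows with UTC timestamps. The function names, the 1990-2100 timestamp sanity window and the sample entry are assumptions constructed for this example.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumed sanity window: timestamps outside 1990..2100 are treated as noise.
LO, HI = ((datetime(y, 1, 1, tzinfo=timezone.utc) - EPOCH) // timedelta(microseconds=1) * 10
          for y in (1990, 2100))

def filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)

def carve_entries(buf, step=8):
    """Yield (offset, name, mft_no, crtime, mtime, ctime, atime, size) per plausible entry."""
    off = 0
    while off + 0x52 <= len(buf):
        mref, elen, clen = struct.unpack_from("<QHH", buf, off)  # entry header
        times = struct.unpack_from("<4Q", buf, off + 0x18)       # $FILE_NAME timestamps
        nlen, ns = buf[off + 0x50], buf[off + 0x51]              # name length, namespace
        ok = (nlen > 0 and ns <= 3
              and clen == 0x42 + 2 * nlen                        # $FILE_NAME size matches name
              and elen >= 0x10 + clen and elen % 8 == 0
              and off + 0x52 + 2 * nlen <= len(buf)
              and all(LO <= t <= HI for t in times))
        if ok:
            name = buf[off + 0x52:off + 0x52 + 2 * nlen].decode("utf-16-le", "replace")
            size = struct.unpack_from("<Q", buf, off + 0x40)[0]  # real file size
            yield (off, name, mref & 0xFFFFFFFFFFFF, *map(filetime, times), size)
            off += elen
        else:
            off += step

def build_entry(name, mft_no, ft, size):
    """Constructed sample data: one index entry whose four timestamps are all `ft`."""
    fn = struct.pack("<Q4QQQII", 5, ft, ft, ft, ft, size, size, 0x20, 0)
    fn += bytes([len(name), 1]) + name.encode("utf-16-le")
    elen = (0x10 + len(fn) + 7) & ~7
    return (struct.pack("<QHHI", mft_no | (1 << 48), elen, len(fn), 0) + fn).ljust(elen, b"\0")

def to_tsv(rows):
    """Render carved rows as tab-separated lines."""
    return "\n".join("\t".join(str(v) for v in r) for r in rows)

if __name__ == "__main__":
    ft = (datetime(2015, 3, 1, 12, tzinfo=timezone.utc) - EPOCH) // timedelta(microseconds=1) * 10
    print(to_tsv(carve_entries(b"\0" * 512 + build_entry("secret.docx", 1234, ft, 4096))))
```

The structural checks stand in for the missing INDX header when entries are recovered from slack or unallocated space; tightening or loosening them trades false positives against missed entries.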