fte

type

fte derives a time stamp type from the four time stamps: Created time (crtime), Modified time, aka Last Written (mtime), Changed time, aka Entry Modified (ctime), and Accessed time (atime). It outputs this type in the type column on some tabs. The type is determined from the micro information and the combination of the four time stamps, and each object (file/folder) is classified into one of the pre-defined categories. This helps the investigator track particular objects.

The following are the current pre-defined categories.

FAT

Time stamps fit into FAT resolution.


System requirements

fte requires both Microsoft .NET Framework 2.0 or above and the Visual C++ 2008 runtime.

No installation is needed. Just launch fte.exe. If you encounter an error, you need the following packages.

.NET Framework
http://msdn.microsoft.com/en-us/vstudio/aa496123.aspx

Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)
http://www.microsoft.com/en-us/download/details.aspx?id=5582


MFT Artifact

fte parses the $MFT internal file and outputs metadata such as time stamps on the MFT tab.

MFT Big Picture

MFT Entry

An NTFS volume has the $Boot internal file at its starting sector. $Boot contains administrative information such as the number of sectors per cluster, the start sector of $MFT, etc. The $MFT file consists of fixed-length entries. One entry holds the metadata for one object (file/folder).
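The lookup described above, as an added Python example (not fte's own code): it reads the geometry fields from a $Boot sector, derives where $MFT starts and how long each fixed-length entry is, and computes the byte offset of a given entry. The field offsets follow the standard NTFS boot sector layout; the function names and the sample sector are constructed for illustration.

```python
import struct

def parse_ntfs_boot(sector: bytes) -> dict:
    """Extract the $Boot fields needed to locate $MFT and size its entries."""
    if len(sector) < 512:
        raise ValueError("need the full 512-byte boot sector")
    if sector[3:11] != b"NTFS    " or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS boot sector")
    # 0x0B: bytes per sector (u16), 0x0D: sectors per cluster (u8, plain count assumed)
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    # 0x28: total sectors, 0x30: $MFT start cluster, 0x38: $MFTMirr start cluster
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    (raw_size,) = struct.unpack_from("<b", sector, 0x40)
    if bytes_per_sector == 0 or sectors_per_cluster == 0 or raw_size == 0:
        raise ValueError("corrupt geometry fields")
    cluster_size = bytes_per_sector * sectors_per_cluster
    # Signed byte: positive = clusters per entry, negative = 2**abs(value) bytes.
    entry_size = raw_size * cluster_size if raw_size > 0 else 1 << -raw_size
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "total_sectors": total_sectors,
        "mft_start_sector": mft_lcn * sectors_per_cluster,
        "mft_offset": mft_lcn * cluster_size,
        "mft_entry_size": entry_size,
    }

def mft_entry_offset(boot: dict, entry_number: int) -> int:
    """Byte offset of an entry, valid only inside the first contiguous $MFT run."""
    return boot["mft_offset"] + entry_number * boot["mft_entry_size"]

def build_sample_boot() -> bytes:
    """Constructed boot sector: 512-byte sectors, 8 per cluster, 1024-byte entries."""
    s = bytearray(512)
    s[3:11] = b"NTFS    "
    struct.pack_into("<HB", s, 0x0B, 512, 8)
    struct.pack_into("<QQQ", s, 0x28, 2097151, 786432, 2)
    struct.pack_into("<b", s, 0x40, -10)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    boot = parse_ntfs_boot(build_sample_boot())
    print(boot)
    print("entry 5 at byte", mft_entry_offset(boot, 5))
```

When $MFT is fragmented, entries beyond the first run must be located through the data runs recorded in entry 0 rather than by this linear offset.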
