MoVP II – 2.4 – Reconstructing Master File Table (MFT) Entries
by Jamie Levy | May 24, 2013 | forensics, grrcon, movp, timelines, volatility, windows
Today’s blogpost will cover the new mftparser plugin for Volatility. As we demonstrated in the GRRCon Challenge writeup, this plugin can come in quite handy in an investigation and also played a small part in the last MoVP blogpost. Why This Plugin Was Created...

MoVP II – 2.3 – Creating Timelines with Volatility
by Jamie Levy | May 23, 2013 | forensics, grrcon, malware, movp, timelines, windows
A common computer forensic investigative methodology is creating timelines. Timelines help establish events that took place on the machine prior to investigation. There are various artifacts in Windows memory that can be used to construct a timeline....

OMFW 2012: Reconstructing the MBR and MFT from Memory
by Jamie Levy | Oct 9, 2012 | forensics, omfw, volatility, windows
This presentation introduced two new Volatility plugins, mbrparser and mftparser, which will be released in Volatility 2.3. These plugins empower the investigator to explore possible MBR infections or, in the case of mftparser, files that are in use on the system....

MoVP 4.3 Recovering Master Boot Records (MBRs) from Memory
by Jamie Levy | Oct 3, 2012 | malware, movp, volatility, windows
Month of Volatility Plugins
Given that we are still recovering from an amazing Open Memory Forensics Workshop, today’s post will continue the theme of short and sweet. This post will focus on recovering interesting disk artifacts from memory. In particular, it...