Good morning,
The latest version of Volatility can extract MFT records:
" • new plugins to parse IE history/index.dat URLs, recover shellbags data, dump
cached files (exe/pdf/doc/etc), extract the MBR and MFT records, explore recently unloaded
kernel modules, dump SSL private and public keys/certs, and display details on process
privileges"
The latest version of analyzeMFT can find ADS files in MFT records:
"Added ADS support.
This is probably a work in progress but it seems to be working so I’ll push this out.
Whenever analyzeMFT encounters a resident $DATA record, it stores a copy of the contents
away for later use. If it encounters a named $DATA record, it does two things:
• A duplicate of the parent record is created and the filename is changed to be
<parent filename>:<ADS filename>.
• All ADS records, parent and children, get a flag set in the new ADS column"
As my CS prof used to say, it is an exercise left to the reader to figure out how to
combine those.....
-David
On Jul 24, 2013, at 8:10 PM, "FRANCIS PROVENCHER"
<FRANCIS.PROVENCHER(a)msp.gouv.qc.ca> wrote:
Hi all,
I have a memory dump as evidence for a case.
Can Volatility help me discover "Alternate data stream" files on the
system?
Thanks for your help!
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
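The combination David leaves to the reader (carve MFT records from memory with Volatility, then apply analyzeMFT's rule that a named $DATA attribute is an ADS), as an added example that is not code from the thread, from Volatility or from analyzeMFT: a small Python parser for one 1024-byte FILE record. It applies the update sequence fixups, walks the attribute list, reports every named $DATA stream as <parent filename>:<ADS name>, and returns resident content. The sample record, the "evil.txt" name, the "Zone.Identifier" stream, its "[ZoneTransfer]" content and the update sequence number 0x0007 are all constructed inside the script so it runs offline; in practice you would feed it the raw records Volatility's mftparser plugin extracts from the image.

```python
"""Walk one NTFS MFT FILE record and report alternate data streams.

Added example, not taken from Volatility or analyzeMFT. Parses a single
1024-byte FILE record: applies update-sequence fixups, walks attributes,
and reports named $DATA attributes (ADS) with resident content.
The sample record is constructed below (hypothetical data).
"""
import struct

ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF
RECORD_SIZE = 1024
SECTOR_SIZE = 512


def apply_fixups(record: bytes) -> bytes:
    """Restore the last two bytes of each sector from the update sequence array."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 0x04)
    usn = record[usa_off:usa_off + 2]          # entry 0 is the USN itself
    buf = bytearray(record)
    for i in range(1, usa_count):               # entries 1.. hold the original bytes
        end = i * SECTOR_SIZE
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch at offset {end - 2}: torn record")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def iter_attributes(record: bytes):
    """Yield (type, name, resident, content) for each attribute; content is None if non-resident."""
    off = struct.unpack_from("<H", record, 0x14)[0]   # offset of first attribute
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen == 0:
            break
        non_res, name_len, name_off = struct.unpack_from("<BBH", record, off + 8)
        name = record[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        content = None
        if not non_res:                                   # resident: data is inside the record
            clen, coff = struct.unpack_from("<IH", record, off + 0x10)
            content = record[off + coff:off + coff + clen]
        yield atype, name, not non_res, content
        off += alen


def parse_file_name(content: bytes) -> str:
    """$FILE_NAME: name length (chars) at 0x40, UTF-16LE name at 0x42."""
    name_len = content[0x40]
    return content[0x42:0x42 + 2 * name_len].decode("utf-16-le")


def find_ads(record: bytes, fixups: bool = True) -> dict:
    """Return {'filename': str, 'streams': {name: content}}; '' is the unnamed stream."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(record) if fixups else record
    info = {"filename": None, "streams": {}}
    for atype, name, resident, content in iter_attributes(rec):
        if atype == ATTR_FILE_NAME and resident:
            info["filename"] = parse_file_name(content)
        elif atype == ATTR_DATA:
            info["streams"][name] = content
    return info


def ads_names(record: bytes) -> list:
    """analyzeMFT-style labels: one '<parent>:<ads>' per named $DATA attribute."""
    info = find_ads(record)
    return [f"{info['filename']}:{s}" for s in info["streams"] if s]


# ---- constructed sample record (hypothetical data) ----------------------
VISIBLE = b"This is the visible file content. " * 10   # 340 bytes: spans the 512-byte boundary
ZONE = b"[ZoneTransfer]\r\nZoneId=3\r\n"


def _attr(atype: int, name: str, content: bytes) -> bytes:
    """Build a resident attribute with an optional UTF-16LE name."""
    name_b = name.encode("utf-16-le")
    name_off = 0x18
    coff = (name_off + len(name_b) + 7) & ~7
    total = (coff + len(content) + 7) & ~7
    body = bytearray(total)
    struct.pack_into("<IIBBHHHIHBB", body, 0, atype, total, 0, len(name), name_off,
                     0, 0, len(content), coff, 0, 0)
    body[name_off:name_off + len(name_b)] = name_b
    body[coff:coff + len(content)] = content
    return bytes(body)


def build_sample_record(usn: int = 0x0007) -> bytes:
    fn = bytearray(0x42)
    struct.pack_into("<Q", fn, 0, 5)                    # parent: root directory (MFT #5)
    fn[0x40], fn[0x41] = len("evil.txt"), 3             # name length, Win32+DOS namespace
    attrs = (_attr(ATTR_FILE_NAME, "", bytes(fn) + "evil.txt".encode("utf-16-le"))
             + _attr(ATTR_DATA, "", VISIBLE)
             + _attr(ATTR_DATA, "Zone.Identifier", ZONE)
             + struct.pack("<II", ATTR_END, 0))
    rec = bytearray(RECORD_SIZE)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)         # USA at 0x30, USN + 2 fixups
    struct.pack_into("<HHHHII", rec, 0x10, 1, 1, 0x38, 1, 0x38 + len(attrs), RECORD_SIZE)
    rec[0x38:0x38 + len(attrs)] = attrs
    struct.pack_into("<H", rec, 0x30, usn)
    for i in (1, 2):                                    # stash originals, stamp USN on disk
        end = i * SECTOR_SIZE
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end - 2:end]
        struct.pack_into("<H", rec, end - 2, usn)
    return bytes(rec)


if __name__ == "__main__":
    record = build_sample_record()
    info = find_ads(record)
    for stream, content in info["streams"].items():
        label = f"{info['filename']}:{stream}" if stream else info["filename"]
        print(f"{label:28} resident={content is not None} {content[:32]!r}")
```

Two practitioner points the sample is built to show. First, the unnamed stream deliberately crosses the first 512-byte sector boundary, so reading the record without applying the fixups silently corrupts two bytes of content (`find_ads(record, fixups=False)` returns a different payload); apply fixups before trusting anything inside a carved record. Second, only resident streams are recoverable from the record itself; a non-resident $DATA attribute (reported here with content `None`) carries data runs that point at clusters on disk, which a memory image only holds if they happen to be cached.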