Thank you so much, guys, for this answer!

(Keep in mind, I'm pretty much a newbie with Volatility.)

I didn't find, in version Volatile Systems Volatility Framework 2.1, any automatic plugin to dump the $MFT file.

I ran "filescan" and found that the $Mft file is located at offset:

0x0253e5e0      3      0 RWD--- \$Mft

How can I extract this file from memory? Is this the right way to do it?


Thanks a lot, all, for your help!


>>> Jamie Levy <jamie.levy@gmail.com> 25/07/13 9:56 >>>
That's definitely one way that you can do it.

I think someone was going to extend the mftparser plugin to extract
ADS as well, or at least someone had approached me about it. It is
possible to extend that plugin to do it without having to use other
tools, I think I might already have the vtypes defined as well though
I'm not sure. I don't have the time to extend it myself until
sometime after blackhat is over, however.

All the best,

-gleeda


On Thu, Jul 25, 2013 at 9:03 AM, David Kovar <dkovar@gmail.com> wrote:
> Good morning,
>
> The latest version of Volatility can extract MFT records:
>
> " • new plugins to parse IE history/index.dat URLs, recover shellbags data,
> dump cached files (exe/pdf/doc/etc), extract the MBR and MFT records,
> explore recently unloaded kernel modules, dump SSL private and public
> keys/certs, and display details on process privileges"
>
> The latest version of analyzeMFT can find ADS files in MFT records:
>
> "Added ADS support.
> This is probably a work in progress but it seems to be working so I’ll push
> this out. Whenever analyzeMFT encounters a resident $DATA record, it stores
> a copy of the contents away for later use. If it encounters a named $DATA
> record, it does two things:
>
> • A duplicate of the parent record is created and the filename is changed to
> be <parent filename>:<ADS filename>.
> • All ADS records, parent and children, get a flag set in the new ADS
> column"
>
> As my CS prof used to say, it is an exercise left to the reader to figure
> out how to combine those.....
>
> -David
>
> On Jul 24, 2013, at 8:10 PM, "FRANCIS PROVENCHER"
> <FRANCIS.PROVENCHER@msp.gouv.qc.ca> wrote:
>
> Hi all,
>
> I have a memory dump as evidence for a case.
>
> Can Volatility help me discover "Alternate data stream" files on the
> system?
>
> Thanks for your help!
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users@volatilityfoundation.org
> http://lists.volatilesystems.com/mailman/listinfo/vol-users
>
>



--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
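An added example (not code from this thread, from Volatility or from analyzeMFT) of the ADS convention David describes: walk the attributes of one MFT record and emit a row per $DATA attribute, with named streams reported as <parent filename>:<ADS filename> and an ADS flag. The record is constructed inline; the file name report.doc and the Zone.Identifier stream are assumed sample values.

```python
import struct

ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF   # NTFS type codes

def parse_record(rec):
    """Return (filename, [stream names]) for a resident-only MFT record. Constructed
    input only: real records need their update-sequence fixups applied first."""
    off = struct.unpack_from("<H", rec, 20)[0]       # offset of the first attribute
    filename, streams = None, []
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        nonres, nlen, noff = struct.unpack_from("<BBH", rec, off + 8)
        aname = rec[off + noff:off + noff + 2 * nlen].decode("utf-16-le")
        if atype == ATTR_FILE_NAME and not nonres:
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + coff:off + coff + clen]
            filename = body[66:66 + 2 * body[64]].decode("utf-16-le")
        elif atype == ATTR_DATA:
            streams.append(aname)                    # "" is the unnamed main stream
        off += alen
    return filename, streams

def list_streams(rec):
    """analyzeMFT's convention: one row per $DATA attribute, named ones reported
    as <parent filename>:<ADS filename> with the ADS flag set."""
    name, streams = parse_record(rec)
    return [(f"{name}:{s}" if s else name, bool(s)) for s in streams]

def _resident_attr(atype, name, content):
    """Build one resident attribute (constructed test data, not from a real volume)."""
    nb = name.encode("utf-16-le")
    coff = (24 + len(nb) + 7) & ~7                   # content starts 8-byte aligned
    total = (coff + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHH", atype, total, 0, len(name), 24, 0, 0)
    hdr += struct.pack("<IHBB", len(content), coff, 0, 0) + nb
    return (hdr.ljust(coff, b"\0") + content).ljust(total, b"\0")

def sample_record():
    """Constructed record: report.doc carrying a Zone.Identifier ADS (assumed names)."""
    fn = "report.doc".encode("utf-16-le")
    fn_body = bytes(64) + bytes([len(fn) // 2, 1]) + fn   # $FILE_NAME: name at +66
    hdr = b"FILE" + bytes(16) + struct.pack("<H", 56) + bytes(34)
    return (hdr + _resident_attr(ATTR_FILE_NAME, "", fn_body)
            + _resident_attr(ATTR_DATA, "", b"main stream")
            + _resident_attr(ATTR_DATA, "Zone.Identifier", b"[ZoneTransfer]\r\nZoneId=3")
            + struct.pack("<II", ATTR_END, 0))
```

Records carved from memory with filescan and a file-dumping plugin will also contain non-resident $DATA attributes and update-sequence fixups, which this parser deliberately leaves out.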