MyKey Technology Inc
4640 Wedgewood Blvd
Suite 107
Frederick, MD  21703
      301-613-6563

 

Valid XHTML 1.0!

 

home | email  

Professional Edition Version 2    $99.95 (USD)

Software to Analyze data from NTFS MFT Records

bullet Designed for Electronic Discovery and Forensics.
bullet Fully Automated.
bullet

Selectable Report Formats.

MFT Ripper
MFT Ripper PE is a program that will decode a Master File Table (MFT) file and output the results to a Comma Separated Value (CSV) file. This program was designed to augment traditional forensic programs like ProDiscover, FTK, Encase and SMART.

When analyzing a MFT file there are a number of elements and attributes that the traditional programs do not provide or can not provide in an easy to use manner. MFT Ripper PE solves this problem by outputting the decoded MFT data into a CSV file. This allows the analysis to be done using a spread sheet program like Microsoft Excel or a data base program like Microsoft Access. An examiner can then provide the CSV file to anyone who can use a spread sheet to review it.

The CSV file will contain a column for each of the attributes it provides along with any dates and times decoded to the millisecond in human readable form. There is no limitation on the number of file records and the user can select to have one big file or multiple smaller files to maintain compatibility with older versions of Microsoft Excel.

Fully Automated
MFT Ripper automates this process. Simply select the file to be analyzed, select a directory to store the results, and let it rip.

A few advantages of using MFT Ripper PE over other methods are:

Anyone can review the data
The MFT data can be reviewed without using a forensic tool and having to have multiple dongles or licenses. Anyone that has Microsoft Excel or any spreadsheet program can do it. That means Lawyers, DA’s, case Investigators or even average users (C lients) can review the filenames with their dates and times.

Information traditional tools leave out
Traditional forensic tools do not normally provide ALL the filenames along with their dates and times to the millisecond. Each file or folder in a MFT can have up to four filenames. Each one can be different and each has its’ own set of times and dates. This can prove to be invaluable when trying to determine if a clock was set back or a time and date changing tool was used.

MFT Ripper PE also provides additional data such as the sequence number of a MFT record. This value tells you how many times the record has been created and then deleted. There is also the Object ID number. This number is assigned when ever a file is imbedded into another file and follows the file across MFT volumes. For example when you imbed a graphics in a word file or Power Point presentation, an ObjectID will be created and tied to the filename.

ObjectID Decoder
Included with the MFT Ripper PE is our ObjectID decoder that will take an ObjectID value and decode from it the Date and Time it was issued, the sequential Boot Sequence number and the MAC address of the machine that created the ObjectID.

Electronic Discovery
The MFT Ripper PE creates its file listing WITHOUT the $Data attribute included. This means Lawyers can provide filename list with the metadata BUT not provide any contents of files.

 

Want to try it out but not ready to commit? Contact us for a demo version.