I am looking for a way to save a copy of the NTFS file system MFT to analyze the last access dates of the files and also the complete list of files. I have thought about using dd to avoid having to mount the volume and thereby modifying the last access date of the MFT (I need this to know when the disk was last used).
If possible I would also like to see the list of deleted files, or be able to filter for them by means of a command.
Is it possible to do this? Is this method more practical for investigating the last access dates, or is it better for me to make a complete copy of the disk and analyze it with some software?
A quick google search leads to this:
You will need the Sleuth Kit tools and the analyzeMFT pip module.
This will give us the mmls (not really needed) and icat tools.
Let's assume that /dev/sdx is your disk, but you can adapt the command to run this on an image.
which will give you the offset of the NTFS partition, say 1107968
Then,
Then,
In case you have a disk image of your NTFS partition, this would be enough
I guess
Source
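As an added example (not part of either answer, and not code from analyzeMFT or RecuperaBit), here is a minimal parser for one 1024-byte $MFT record such as those in the file icat extracts: it applies the update-sequence fixups, reports the in-use flag (clear for a deleted file) and the name, and pulls the four timestamps from both $STANDARD_INFORMATION and $FILE_NAME, since the last-access time the question asks about lives in both and a disagreement between them is worth noticing. The record it parses is constructed inside the script, not taken from a real disk.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # NTFS FILETIME origin
TIME_KEYS = ("created", "modified", "mft_modified", "accessed")

def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)  # FILETIME = 100 ns ticks

def apply_fixups(raw, sector=512):
    # Restore the real last two bytes of each sector from the update-sequence array;
    # a mismatch with the update-sequence number means a torn or corrupt record.
    rec = bytearray(raw)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    for i in range(1, usa_cnt):
        if rec[i * sector - 2:i * sector] != rec[usa_off:usa_off + 2]:
            raise ValueError("fixup mismatch: torn or corrupt MFT record")
        rec[i * sector - 2:i * sector] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_mft_record(raw):
    # One FILE record -> in-use flag, name, and the timestamps of $STANDARD_INFORMATION (0x10)
    # and $FILE_NAME (0x30). Non-resident attributes (e.g. large $DATA) are skipped.
    if raw[:4] != b"FILE": raise ValueError("not an MFT FILE record")
    rec = apply_fixups(raw)
    off, flags = struct.unpack_from("<HH", rec, 20)   # first attribute offset, record flags
    out = {"in_use": bool(flags & 0x01), "is_dir": bool(flags & 0x02), "name": None}
    while True:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0: break     # end-of-attributes marker
        if rec[off + 8] == 0:                          # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + coff:off + coff + clen]
            if atype == 0x10:    # SI times: what the OS shows, and what utilities can rewrite
                out["si"] = dict(zip(TIME_KEYS, map(filetime_to_dt, struct.unpack_from("<4Q", body))))
            elif atype == 0x30:  # FN times: maintained by the kernel only; compare with SI
                out["fn"] = dict(zip(TIME_KEYS, map(filetime_to_dt, struct.unpack_from("<4Q", body, 8))))
                out["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
        off += alen
    return out

def build_sample_record(in_use=False):
    # CONSTRUCTED record (not from any real disk): 'secret.docx', last accessed months after
    # creation, flagged deleted unless in_use=True. Sector ends carry the USN as on disk.
    def attr(atype, body):                               # 24-byte resident attribute header + body
        alen = (24 + len(body) + 7) & ~7
        return struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 24, 0, 0, len(body), 24, 0, 0) + body.ljust(alen - 24, b"\0")
    ft = lambda *a: ((datetime(*a, tzinfo=timezone.utc) - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    times = struct.pack("<4Q", *([ft(2017, 3, 1, 9, 0)] * 3), ft(2017, 6, 15, 18, 30))
    name = "secret.docx".encode("utf-16-le")
    body = attr(0x10, times + b"\0" * 16) + attr(0x30, struct.pack("<Q", 5) + times + b"\0" * 24 + bytes([len(name) // 2, 1]) + name) + b"\xff\xff\xff\xff\0\0\0\0"
    hdr = struct.pack("<4sHHQHHHHII", b"FILE", 48, 3, 0, 2, 1, 56, int(in_use), 56 + len(body), 1024)
    rec = bytearray((hdr.ljust(48, b"\0") + struct.pack("<HHH", 0x4242, 0, 0).ljust(8, b"\0") + body).ljust(1024, b"\0"))
    rec[510:512] = rec[1022:1024] = b"\x42\x42"
    return bytes(rec)
```

Run it over a real $MFT by slicing the extracted file into 1024-byte chunks and calling parse_mft_record on each chunk that starts with FILE.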
Sure, you can do this with RecuperaBit. As a disclaimer, I shall clarify that I am the developer.
After you've let it scan the drive or a disk image, type recoverable to get a list of partitions, including deleted ones that can be reconstructed. Let's say your partition has id 0;
you can then issue:
for a CSV file, or:
for a body file which is compatible with mactime.