Forensics: Viewing the MFT in EnCase

To view the MFT in EnCase in the most efficient manner, you should view it in a 1024 text style.  The steps below show how to do this. The attached PDF includes screen shots.

  1. Create a new text style in the “Text Style” panel. 
  2. Once in the Text Style “Attributes” section, do the following
    1.  Enter the Name of the style. The name is only for reference, and does not affect the view itself.
    2. Set the Line Wrap to Max Size
    3. Set the Wrap length to 1024
    4. Then select the “Code Page”
  3. In the code page select Western European ISO. Then press OK. 
  4. Then view the $MFT in text, and all the MFT headers should line up correctly
     
Advertisements

2 Responses to “Forensics: Viewing the MFT in EnCase”

  1. Forensics: MFT FILE* and FILE0 « Data - Where is it? Says:

    […] the article on “How to view the MFT in EnCase” the MFT shown is FILE0, meaning the drive was formatted with Windows XP or a newer […]

  2. Forensics: What is the MFT Mirror? « Data – Where is it? Says:

    […] MFT Mirror can be viewed, like the MFT in EnCase, using the correct text […]


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: