
Process:

  • Open FTK Imager

  • Add evidence item

  • Pick physical drive

  • Expand the partition 4 tab

  • Expand the NONAME(NTFS)

  • Click root

  • Click on the $MFT file

  • Left-click and press Find to locate any file in the MFT

  • Small resident files and folders (typically 900 bytes or smaller) are entirely contained within the file's MFT record; Microsoft's own figure is small files and directories of typically 1,500 bytes or smaller. In the attribute header, the non-resident flag byte is 0x00 for a resident attribute (written 00-00 in these notes).

  • The flag byte is 0x01 for a non-resident attribute (written 00-01 in these notes).

  • Attribute 0x80: four bytes in is the file size, plus when the file was created, when it was modified, and when it was last accessed.

  • All attributes that can be made non-resident are moved out of the MFT record first. If there is still not enough room, an $ATTRIBUTE_LIST attribute (type 0x20) is needed: the remaining attributes are placed in a new MFT record and the $ATTRIBUTE_LIST describes where to find them. It is very unusual to see this attribute.

  • Non-resident attributes are stored in intervals of clusters called runs. Each run is represented by its starting cluster and its length. The starting cluster of a run is coded as an offset to the starting cluster of the previous run. Normal, compressed, and sparse files are all defined by runs.

  • Data runs (worked example):

  1. Raw bytes: 21 18 34 56 00

  2. Regrouped: 21 | 18 | 34 56 | 00

  • Run 1:

Header = 0x21: low nibble 1 = 1-byte length field, high nibble 2 = 2-byte offset field

Length = 0x18 (1 byte)

Offset = 0x5634 (2 bytes, little-endian, read from the bytes 34 56; relative to the previous run, so for the first run it is the absolute LCN)

  • Run 2:

Header = 0x00 - the end

  • Summary:

0x18 Clusters @ LCN 0x5634
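The resident/non-resident flag and the run-list decoding above can be checked in code. The script below is an added example, not part of the original notes or of FTK Imager: it parses the common NTFS attribute header (type, length, non-resident flag, and the resident content or the run-list offset, using the standard on-disk field offsets), then walks the run list the way the worked example does. The attribute bytes it parses are constructed by hand so it runs offline; it also decodes a constructed multi-run list with a negative (backwards) offset and a sparse run, which the notes' single-run example does not show.

```python
"""NTFS MFT attribute header and data-run decoder (added example).
The sample attribute records below are constructed for the demo."""
import struct


def decode_data_runs(buf, pos=0):
    """Decode an NTFS run list starting at buf[pos].

    Each run begins with a header byte: low nibble = size of the length
    field, high nibble = size of the LCN offset field (0 = sparse run,
    no clusters on disk). The offset is a signed little-endian number
    relative to the previous run's starting LCN (first run: relative to 0).
    Returns [(start_lcn, length_in_clusters), ...]; start_lcn is None for
    sparse runs. A 0x00 header byte terminates the list.
    """
    runs = []
    lcn = 0
    while True:
        header = buf[pos]
        if header == 0x00:
            break
        len_size = header & 0x0F
        off_size = header >> 4
        if len_size == 0:
            raise ValueError("run length field cannot be zero bytes")
        pos += 1
        length = int.from_bytes(buf[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, length))
        else:
            delta = int.from_bytes(buf[pos:pos + off_size], "little", signed=True)
            pos += off_size
            lcn += delta
            runs.append((lcn, length))
    return runs


def summarize_runs(runs):
    """Render runs in the same style as the notes' summary line."""
    return [f"{hex(n)} clusters sparse" if lcn is None
            else f"{hex(n)} clusters @ LCN {hex(lcn)}" for lcn, n in runs]


def parse_attribute(buf):
    """Parse one MFT attribute record header (standard NTFS field offsets)."""
    attr_type, attr_len, non_resident, _name_len = struct.unpack_from("<IIBB", buf, 0)
    info = {"type": attr_type, "length": attr_len,
            "resident": non_resident == 0x00}   # 0x00 resident, 0x01 non-resident
    if non_resident == 0x00:
        content_len, content_off = struct.unpack_from("<IH", buf, 16)
        info["content"] = bytes(buf[content_off:content_off + content_len])
    else:
        (run_off,) = struct.unpack_from("<H", buf, 32)       # offset of run list
        alloc_size, real_size = struct.unpack_from("<QQ", buf, 40)
        info["allocated_size"], info["real_size"] = alloc_size, real_size
        info["runs"] = decode_data_runs(buf, run_off)
    return info


# --- constructed sample records (not taken from a real image) ---
CLUSTER = 4096
RUN_LIST = bytes.fromhex("2118345600")          # the notes' example: 21 | 18 | 34 56 | 00
MULTI_RUN_LIST = bytes.fromhex("211000011108f0010400")  # +0x100/16, -16/8, sparse/4


def build_nonresident_data_attr(run_list, clusters):
    """Constructed non-resident $DATA (0x80) attribute carrying run_list."""
    run_off = 0x40
    total = run_off + len(run_list)
    total += (-total) % 8                          # records are 8-byte aligned
    rec = bytearray(total)
    struct.pack_into("<IIBB", rec, 0, 0x80, total, 0x01, 0)   # type, len, non-resident
    struct.pack_into("<QQ", rec, 16, 0, clusters - 1)          # start VCN, last VCN
    struct.pack_into("<HH", rec, 32, run_off, 0)               # run offset, comp unit
    struct.pack_into("<QQQ", rec, 40, *(clusters * CLUSTER,) * 3)  # alloc/real/init
    rec[run_off:run_off + len(run_list)] = run_list
    return bytes(rec)


def build_resident_data_attr(content):
    """Constructed resident $DATA (0x80) attribute with content inline."""
    content_off = 0x18
    total = content_off + len(content)
    total += (-total) % 8
    rec = bytearray(total)
    struct.pack_into("<IIBB", rec, 0, 0x80, total, 0x00, 0)   # flag 0x00 = resident
    struct.pack_into("<IH", rec, 16, len(content), content_off)
    rec[content_off:content_off + len(content)] = content
    return bytes(rec)


SAMPLE_NONRESIDENT = build_nonresident_data_attr(RUN_LIST, 0x18)
SAMPLE_RESIDENT = build_resident_data_attr(b"hello")

if __name__ == "__main__":
    for rec in (SAMPLE_RESIDENT, SAMPLE_NONRESIDENT):
        info = parse_attribute(rec)
        print(info if info["resident"] else summarize_runs(info["runs"]))
    print(summarize_runs(decode_data_runs(MULTI_RUN_LIST)))
```

Feeding the notes' bytes in gives exactly the summary line above, `0x18 clusters @ LCN 0x5634`; the second list shows why the offset must be read as signed: its second run sits 16 clusters before the first, and its third run has a zero-size offset field, which is how NTFS marks a sparse (unallocated) range.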

(Done by: Feras)

small non-resident files

(Done by: Shaquelle)


medium size non-resident files with resident attribute list (attribute 0x20)

attribute 0x20 resident

(Done by: Feras)

Larger files with non-resident attribute list (attribute 0x20).

(Done by: Khalid)
