TZWorks Windows INDX Slack Parser (wisp)


Forensic Utilities - Windows

wisp is a prototype version of a Windows parser that targets NTFS index type attributes. The NTFS index attribute points to one or more INDX records. These records contain index entries that are used to account for each item in a directory. An index item represents either a file or a subdirectory and includes enough metadata to contain the name, modified/access/MFT changed/birth (MACB) timestamps, size (if it is a file vice subdirectory), as well as MFT entry numbers of the item and its parent. The wisp tool, in its simplest form, is able to walk these structures, read the metadata, and report which index entries are present.

