Using MFT anomalies to spot suspicious files in forensic analysis

A typical NTFS filesystem contains hundreds of thousands of files.

Each file has its own $MFT entry, and all $MFT entries are given a sequential address starting from zero, with entry zero being the entry for the $MFT itself.
