Pursue the Tracks
Personal Rating: Medium
We have a file z.mft
This is likely an NTFS Master File Table (MFT). We can use this tool to make the data readable:
Files are related to two years, which are those? (for example: 1993,1995)
> 2023,2024
This can be seen in the dates.
There are some documents, which is the name of the first file written? (for example: randomname.pdf)
> Final_Annual_Report.xlsx
First file created without a dollar sign
Which file was deleted? (for example: randomname.pdf)
> Marketing_Plan.xlsx
It is the only file listed with Active: Inactive.
How many of them have been set in Hidden mode? (for example: 43)
> 1
The only file with a dollar sign in the name that has a file extension
Which is the filename of the important TXT file that was created? (for example: randomname.txt)
> credentials.txt
This one is obvious
A file was also copied, which is the new filename? (for example: randomname.pdf)
> Financial_Statement_draft.xlsx
?
Which file was modified after creation? (for example: randomname.pdf)
> Project_Proposal.pdf
The only file where the modification date is significantly later than the creation date
What is the name of the file located at record number 45? (for example: randomname.pdf)
> Annual_Report.xlsx
obvious
What is the size of the file located at record number 40? (for example: 1337)
WRONG: 376, 1024, 178, 121, 2013331456, 368, 170, 4103, 8, 262144, 1879113728, 1073741824, 78010000, 7801, 159, 0400, 400, 0178, 37
> 0xe000
This is how you would usually view the file size, but that does not apply here. Some 1-byte error and the compression flag change the offset for the value, and the Microsoft documentation is wrong.
I did not understand how to get the solution. The value 0xe000 resides in the DATA Attribute section.
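For reference, the size fields in a record's $DATA attribute header can be read directly from the raw MFT, as in this added example (not part of the original writeup or the tool it used). It follows the commonly documented NTFS attribute header layout, assumes 1024-byte records, and runs on a constructed sample MFT whose sizes are made up, so it does not reproduce the challenge answer.

```python
import struct

RECORD_SIZE = 1024   # usual MFT record size; assumed here, not read from a boot sector
DATA_TYPE = 0x80     # $DATA attribute type code
END_MARK = 0xFFFFFFFF

def data_sizes(mft: bytes, record_no: int) -> list:
    """Return one dict per $DATA attribute found in MFT record `record_no`."""
    rec = bytearray(mft[record_no * RECORD_SIZE:(record_no + 1) * RECORD_SIZE])
    if rec[:4] != b"FILE":
        raise ValueError("no FILE signature at record %d" % record_no)
    # Undo the update sequence fixup on the last 2 bytes of each 512-byte sector
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 0x04)
    for i in range(1, usa_cnt):
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    off = struct.unpack_from("<H", rec, 0x14)[0]      # offset of first attribute
    found = []
    while off + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARK or alen == 0:
            break
        non_res = rec[off + 0x08]
        flags = struct.unpack_from("<H", rec, off + 0x0C)[0]
        if atype == DATA_TYPE:
            info = {"resident": not non_res, "compressed": bool(flags & 0x0001)}
            if non_res:   # sizes are 64-bit fields in the non-resident header
                alloc, real, init = struct.unpack_from("<QQQ", rec, off + 0x28)
                info.update(allocated=alloc, real=real, initialized=init)
            else:         # resident: the content length is the file size
                info["real"] = struct.unpack_from("<I", rec, off + 0x10)[0]
            found.append(info)
        off += alen
    return found

def build_sample() -> bytes:
    """Constructed 41-record MFT: record 40 has one non-resident $DATA attribute."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)        # USA offset, entry count
    struct.pack_into("<HH", rec, 0x14, 0x38, 0x01)     # first attribute, in-use flag
    attr = bytearray(0x48)
    struct.pack_into("<IIB", attr, 0, DATA_TYPE, 0x48, 1)    # type, length, non-resident
    struct.pack_into("<QQQ", attr, 0x28, 8192, 5000, 5000)   # constructed sizes
    rec[0x38:0x38 + 0x48] = attr
    struct.pack_into("<I", rec, 0x38 + 0x48, END_MARK)
    return bytes(RECORD_SIZE * 40) + bytes(rec)

if __name__ == "__main__":
    print(data_sizes(build_sample(), 40))
```

Comparing the allocated, real and initialized values for a record against what a parsing tool prints shows which of the three fields the tool is reporting as "size".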