Bookmark and Decode exFAT Directory Entries
This script bookmarks the exFAT directory-entries for the highlighted file/folder or selected files/folders in the current view.
The script is primarily designed to allow the examiner to view exFAT timestamps taking into account the TZ offset for each one.
This method of analysis can help determine the location-history of the associated exFAT volume.
The output for a highlighted file/folder is in the form of a bookmark.
The script will also create a tab-delimted spreadsheet (with a CSV file-extension) if multiple files/folders are processed.
Note that the file-IDs shown in the spreadsheet will be those allocated by EnCase - exFAT does not allocated file-IDs.
For more information, please see the following Twitter post:
This script was developed for use in EnCase training. For more details, please click the following link:
Download Now