MFT Record Bookmark Plugin
This plugin has been designed primarily as a classroom aid to assist in the examination of MFT records.
The script allows the user to bookmark the MFT record for the highlighted file, the MFT records for a maximum of 20 blue-checked files or folders, or the MFT record highlighted in the GUI (it's only necessary to highlight the first byte of any such record).
The script will bookmark each MFT record's 'FILE' header, the first 4 bytes of each of its MFT record attributes, and its 0xffffffff end-marker. Each attribute's length and instance ID will also be bookmarked. The latter can prove useful in identifying how the associated file has been manipulated; for example, it may corroborate the fact that the file has been renamed.
These bookmarks will be grouped into a sub-folder, one for each file or folder that has been processed.
In addition to the MFT-record bookmarking functionality, the script provides the option to decode both single and multiple NTFS dataruns.
Prior to decoding, multiple dataruns must be highlighted from beginning to end. Only the first byte of a single datarun needs to be highlighted.
When decoding multiple dataruns, the script will assume that the first run marks the start of a file and calculate the starting cluster of each run accordingly.
Note that the datarun decoding functionality is designed to operate in isolation; it does not take fix-up sequences into account.
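As an added illustration of the datarun decoding described above (example Python written for this page, not the plugin's own EnScript code), the following decodes a constructed run list: each run header byte's low nibble gives the size of the cluster-count field and its high nibble the size of the signed, relative offset field, the first run's offset is taken as absolute (as the script assumes), later runs chain from the previous run's starting cluster, and, as in the script, fix-up sequences are not taken into account.

```python
# Added example: decode an NTFS data-run list. Header byte: low nibble = size
# of the cluster-count field, high nibble = size of the signed offset field
# (0 = sparse run). Offsets are relative to the previous run; 0x00 ends the list.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class DataRun:
    length: int               # run length in clusters
    start_lcn: Optional[int]  # absolute starting cluster; None for a sparse run

def decode_one_run(buf: bytes, pos: int) -> Tuple[int, Optional[int], int]:
    """Decode the single run whose header byte sits at buf[pos].
    Returns (length, relative offset or None if sparse, position after the run)."""
    header = buf[pos]
    len_size, off_size = header & 0x0F, header >> 4
    if len_size == 0:
        raise ValueError(f"invalid run header 0x{header:02x} at offset {pos}")
    end = pos + 1 + len_size + off_size
    if end > len(buf):
        raise ValueError(f"run at offset {pos} is truncated")
    length = int.from_bytes(buf[pos + 1:pos + 1 + len_size], "little")
    rel = None
    if off_size:
        rel = int.from_bytes(buf[pos + 1 + len_size:end], "little", signed=True)
    return length, rel, end

def decode_dataruns(buf: bytes, start: int = 0) -> List[DataRun]:
    """Decode a complete run list starting at buf[start]. The first run is
    treated as the start of the file, so its offset is taken as absolute."""
    runs: List[DataRun] = []
    pos, prev_lcn = start, 0
    while pos < len(buf) and buf[pos] != 0x00:
        length, rel, pos = decode_one_run(buf, pos)
        if rel is None:                      # sparse run: no clusters on disk
            runs.append(DataRun(length, None))
        else:
            prev_lcn += rel                  # chain from the previous run's LCN
            runs.append(DataRun(length, prev_lcn))
    return runs

# Constructed sample run list (three runs followed by the 0x00 terminator):
#   21 18 34 56 -> 24 clusters starting at LCN 0x5634 (22068)
#   11 0A FE    -> 10 clusters at 22068 + (-2) = 22066
#   01 03       ->  3 sparse clusters (offset field size 0)
SAMPLE_RUNLIST = bytes.fromhex("21183456110AFE010300")
```

Call `decode_dataruns(SAMPLE_RUNLIST)` for the whole list, or `decode_one_run(SAMPLE_RUNLIST, 4)` to decode just the run whose header byte is at offset 4.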
The script also has a highlighted-data bookmark function. This is similar to that provided by EnCase, but with the added benefit of being invokable using a keyboard shortcut.
The script will produce coloured bookmarks when run under EnCase 8.09 or later.
This script was developed for use in EnCase training.