NTFS Index Buffer Reader
This script is designed to parse the contents of NTFS index buffers.
The script can parse the index buffer highlighted by the user (identified by the header 'INDX'); alternatively it can search all or selected entries in the current view.
In addition to processing current index records the script will also search for deleted records (those located in the slack space of index buffers).
Be warned that searching for index buffers in file-system-objects other than current NTFS folders can cause problems; this is especially the case with $LOGFILE, which will often contain truncated index buffers.
Based on a script originally written by Howard 'Howie' Williamson.
For additional information, please see the following Twitter post:
This script was developed for use in EnCase training. For more details, please click the following link: