dissect.target icon indicating copy to clipboard operation
dissect.target copied to clipboard
verified publisher icon fox-it

Feature/zone identifier

Open loaflover opened this issue 3 months ago • 0 comments

so, i cooked for a long time with this. i have a few things id like to say:

  1. extracting the mft file is hard. oof

  2. im not sure if i added enough test files. while i accommodated for all Zone identifier possible values, in my tests i only populated 3 of those, the (by far) most common ones.

  3. i used this: https://www.digital-detective.net/forensic-analysis-of-zone-identifier-stream/ for the possible values, but i also made it somewhat easy to add more

  4. i contemplated adding this to the MFT plugin, since they are similar in behavior, but i saw that all the mft plugin records are timestamp based, while this isnt

anyway, its been a blast writing, except for the hour in which i tried mounting an MFT file like a dumbass, hope this looks good (:

loaflover avatar Sep 28 '25 21:09 loaflover