Tuesday, October 9, 2012
OMFW 2012: Reconstructing the MBR and MFT from Memory
This presentation introduced two new Volatility plugins, mbrparser and mftparser, which will be released in Volatility 2.3. These plugins empower the investigator to explore possible MBR infections or, in the case of mftparser, files that are in use on the system. The slides include real examples, which you can view for yourself. You can find the mbrparser plugin in the Volatility 2.3 branch, and mftparser will appear there sometime soon. Feel free to send feedback.
Author/presenter: Jamie "Gleeda" Levy (@gleeda)
Direct link: Reconstructing the MBR and MFT from Memory