Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Get-ForensicFileRecord] -Deleted switch parameter #138

Open
jaredcatkinson opened this issue Feb 8, 2016 · 1 comment
Open

[Get-ForensicFileRecord] -Deleted switch parameter #138

jaredcatkinson opened this issue Feb 8, 2016 · 1 comment
Assignees
@jaredcatkinson
Labels
enhancement ready

Comments

@jaredcatkinson
Copy link
Member

Add -Deleted parameter to Get-ForensicFileRecord which will only return the records of deleted files.
@jaredcatkinson jaredcatkinson self-assigned this Feb 8, 2016
@jaredcatkinson
Copy link
Member Author

This should look into parsing the $MFT file's Bitmap values. I believe they are used by the File System to determine what MFT File Records are "unallocated" and thus representing deleted files.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jaredcatkinson jaredcatkinson

Labels
enhancement ready
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jaredcatkinson