/usr/share/artifacts/ntfs.yaml is in forensic-artifacts 20161022-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
```yaml
# NTFS specific artifacts.
name: NTFSMFTFiles
doc: |
  The NTFS $MFT and $MFTMirr file system metadata files.
  GRR collection note: you currently need to specify 'use tsk' and
  'ignore download size limits' for this artifact to work. This will go away in
  the future.
sources:
- type: FILE
  attributes:
    paths:
      - '%%environ_systemdrive%%\$MFT'
      - '%%environ_systemdrive%%\$MFTMirr'
    separator: '\'
labels: [System]
supported_os: [Windows]
```