The Case of the Missing MFT Entry
A bit ago, I received an email from someone mentioning the following facts with respect to an examination they were doing:
- Malware was suspected as having been running at one point on a Windows XP SP2 system
- A Prefetch file was found that related directly to the malware
- AV logs indicated that the malware had been deleted
- An XP Restore Point included an INI specific to the malware
- Between the time that the malware had been deleted and the system imaged, 8 Restore Points were created
Given these facts, the question was...why does there appear to be no MFT entry for the malware file?
I responded with my answer...I want to know what YOU think.
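Whatever answer you arrive at, the check an examiner would want to run is the same: walk the $MFT record by record and look at each entry's allocation state and sequence number in the FILE record header, because "no MFT entry" can mean the entry was never there, is there but unallocated, or has since been handed to a different file. The following is an added example written for this post, not code from the original article; it parses the 48-byte FILE record header (signature, update-sequence fixups, sequence number at offset 0x10, flags at 0x16, record number at 0x2C as on NTFS 3.1 / XP volumes) and runs over a small constructed $MFT image. It assumes a 1024-byte record size and that $MFT has already been extracted from the image as a raw file; the sample records and their numbers are constructed test data.

```python
import struct

MFT_RECORD_SIZE = 1024      # record size on XP-era NTFS volumes (assumed here)
SECTOR_SIZE = 512
FLAG_IN_USE = 0x0001        # header flag: entry is allocated to a file
FLAG_DIRECTORY = 0x0002     # header flag: entry describes a directory


def build_record(record_number, sequence_number, flags, usn=0x0001):
    """Build a minimal synthetic FILE record (constructed test data, not from a real volume).

    Only the record header, the update-sequence (fixup) array and an end-of-attributes
    marker are populated, which is all that allocation-state analysis needs.
    """
    rec = bytearray(MFT_RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x04, 0x30)             # offset of update sequence array
    struct.pack_into("<H", rec, 0x06, 3)                # USN + one entry per 512-byte sector
    struct.pack_into("<H", rec, 0x10, sequence_number)  # incremented each time the entry is freed
    struct.pack_into("<H", rec, 0x12, 1)                # hard link count
    struct.pack_into("<H", rec, 0x14, 0x38)             # offset of first attribute
    struct.pack_into("<H", rec, 0x16, flags)
    struct.pack_into("<I", rec, 0x18, 0x40)             # bytes used by this record
    struct.pack_into("<I", rec, 0x1C, MFT_RECORD_SIZE)  # bytes allocated for this record
    struct.pack_into("<I", rec, 0x2C, record_number)    # record number (NTFS 3.1 and later)
    struct.pack_into("<I", rec, 0x38, 0xFFFFFFFF)       # end-of-attributes marker
    # Fixups: on disk the last two bytes of every sector are replaced by the USN and
    # the original bytes are stored in the array that follows the USN.
    struct.pack_into("<H", rec, 0x30, usn)
    for i in range(MFT_RECORD_SIZE // SECTOR_SIZE):
        end = (i + 1) * SECTOR_SIZE - 2
        rec[0x32 + 2 * i: 0x34 + 2 * i] = rec[end:end + 2]
        struct.pack_into("<H", rec, end, usn)
    return bytes(rec)


def apply_fixups(rec):
    """Verify and undo the update-sequence fixups; return the repaired record or None on mismatch."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    usn = rec[usa_off:usa_off + 2]
    for i in range(usa_count - 1):
        end = (i + 1) * SECTOR_SIZE - 2
        if rec[end:end + 2] != usn:
            return None            # torn write, or not really a FILE record
        rec[end:end + 2] = rec[usa_off + 2 + 2 * i: usa_off + 4 + 2 * i]
    return bytes(rec)


def parse_record(rec):
    """Return the header fields relevant to allocation state, or None if this is not a FILE record."""
    if rec[0:4] != b"FILE":
        return None                # zeroed, never used, or a BAAD record
    rec = apply_fixups(rec)
    if rec is None:
        return None
    seq, links, _, flags = struct.unpack_from("<HHHH", rec, 0x10)
    record_number = struct.unpack_from("<I", rec, 0x2C)[0]
    return {
        "record_number": record_number,
        "sequence_number": seq,
        "link_count": links,
        "in_use": bool(flags & FLAG_IN_USE),
        "is_directory": bool(flags & FLAG_DIRECTORY),
    }


def scan_mft(image):
    """Walk a raw $MFT image record by record, yielding parsed headers."""
    for off in range(0, len(image) - MFT_RECORD_SIZE + 1, MFT_RECORD_SIZE):
        parsed = parse_record(image[off:off + MFT_RECORD_SIZE])
        if parsed is not None:
            yield parsed


def summarize(image):
    """Split entries into allocated / unallocated and flag allocated entries that were freed and reused."""
    allocated, unallocated, reused = [], [], []
    for r in scan_mft(image):
        (allocated if r["in_use"] else unallocated).append(r["record_number"])
        # Outside the reserved system records (0-15), a sequence number above 1 means the
        # entry was freed at least once and later handed to a new file; whatever file
        # previously occupied it is no longer described by this record.
        if r["in_use"] and r["sequence_number"] > 1:
            reused.append(r["record_number"])
    return {"allocated": allocated, "unallocated": unallocated, "reused": reused}


def build_sample_mft():
    """Constructed four-record $MFT: two live entries, one freed entry, one entry reused by a newer file."""
    return b"".join([
        build_record(40, 1, FLAG_IN_USE),
        build_record(41, 1, FLAG_IN_USE | FLAG_DIRECTORY),
        build_record(42, 3, 0),              # deleted: in-use flag cleared, header still readable
        build_record(43, 5, FLAG_IN_USE),    # freed and reallocated, sequence number bumped
    ])


if __name__ == "__main__":
    print(summarize(build_sample_mft()))
```

On a real case you would feed `summarize()` the extracted $MFT and then compare the unallocated and reused lists against the record numbers referenced by the Prefetch file's path and the Restore Point's change log, which tells you whether the entry for the malware is simply unallocated (and its attributes still recoverable) or has been overwritten by a later file.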