My name is John-Michael Harkness, and I currently work with the Centre for Cybercrime Investigation at University College Dublin. My past project involved mobile phone forensics, and it was in this area that I did an MSc in Computer Forensics by research. At this time I also completed many of the taught modules belonging to the MSc in Digital Investigation. In July of 2010 I started a new project funded by Enterprise Ireland and supervised by Dr. Pavel Gradyshev. The purpose of my current position is to develop a forensic tool, incorporating many techniques and algorithms developed by UCD Centre for Cybercrime Investigations research students. The end goal is to develop a forensic tool of marketable quality.
My current task involves parsing the NTFS filesystem, and my goal is to use this blog to record much of what I learn during this process. Although the parsing of NTFS is not a new feat, it is unfortunately a step that still has to be taken, as no open source solutions exist that currently meet our needs.
My first post is underway and will concentrate on NTFS’s $ATTRIBUTE_LIST. I understand this is jumping a bit ahead of the normal NTFS introductions, but I feel that since the $ATTRIBUTE_LIST is my current area of focus in my development, it is a logical starting point, at least for me. I do however hope to go back to the beginning, detailing the general layout of the NTFS filesystem, the MFT file record and the attributes contained within.
If you have any questions or advice, or notice any mistakes in my posts, please feel free to contact me. Hope you look back soon.