< Back
Get-ForensicMftSlack
Post
NAME Get-ForensicMftSlack
SYNOPSIS
Gets the Master File Table (MFT) slack space for the specified volume.
SYNTAX
Get-ForensicMftSlack [[-Index] <Int32>] [-VolumeName <String>] [<CommonParameters>]
Get-ForensicMftSlack [-Path] <String> [<CommonParameters>]
Get-ForensicMftSlack -MftPath <String> [<CommonParameters>]
DESCRIPTION
The Get-ForensicMftSlack cmdlet returns a byte array representing the slack space found in Master File Table (MFT)
records.
Each MFT File Record is 1024 bytes long. When a file record does not allocate all 1024 bytes, the remaining bytes
are considered "slack." To compute slack space, compare the AllocatedSize and RealSize properties of a FileRecord
object.
Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the
Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.
PARAMETERS
-VolumeName [<String>]
Specifies the name of the volume or logical partition.
Enter the volume name in one of the following formats: \\\\.\\C:, C:, or C.
Required? false
Position? named
Default value \\\\.\\C:
Accept pipeline input? false
Accept wildcard characters? false
-Index [<Int32>]
The index of the MFT entry to return MFT slack space for.
Required? false
Position? 0
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Path <String>
The path to the file to return MFT slack space for.
Required? true
Position? 0
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-MftPath <String>
Path to an exported Master File Table.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
System.String
OUTPUTS
System.Byte[]
-------------------------- EXAMPLE 1 --------------------------
[ADMIN]: PS C:\\>Get-ForensicMftSlack -VolumeName C:
This command uses Get-ForensicMftSlack to get slack space from the $MFT file on the C:\\ logical volume.
-------------------------- EXAMPLE 2 --------------------------
[ADMIN]: PS C:\\>Get-ForensicMftSlack -VolumeName C: -Index 24212
This command uses Get-ForensicMftSlack to get the slack space from the MFT record at index 24212 on the C:\\
logical volume.
-------------------------- EXAMPLE 3 --------------------------
[ADMIN]: PS C:\\>Get-ForensicMftSlack -Path C:\\Windows\\system32\\cmd.exe
This command uses Get-ForensicMftSlack to get the slack space on the Cmd.exe MFT record.
-------------------------- EXAMPLE 4 --------------------------
[ADMIN]: PS C:\\>Get-ForensicMftSlack -MftPath C:\\evidence\\MFT
This command uses Get-ForensicMftSlack to get the MFT slack space from an exported Master File Table.
RELATED LINKS
SYNOPSIS
Gets the Master File Table (MFT) slack space for the specified volume.
SYNTAX
Get-ForensicMftSlack [[-Index] <Int32>] [-VolumeName <String>] [<CommonParameters>]
Get-ForensicMftSlack [-Path] <String> [<CommonParameters>]
Get-ForensicMftSlack -MftPath <String> [<CommonParameters>]
DESCRIPTION
The Get-ForensicMftSlack cmdlet returns a byte array representing the slack space found in Master File Table (MFT)
records.
Each MFT File Record is 1024 bytes long. When a file record does not allocate all 1024 bytes, the remaining bytes
are considered "slack." To compute slack space, compare the AllocatedSize and RealSize properties of a FileRecord
object.
Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the
Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.
PARAMETERS
-VolumeName [<String>]
Specifies the name of the volume or logical partition.
Enter the volume name in one of the following formats: \\\\.\\C:, C:, or C.
Required? false
Position? named
Default value \\\\.\\C:
Accept pipeline input? false
Accept wildcard characters? false
-Index [<Int32>]
The index of the MFT entry to return MFT slack space for.
Required? false
Position? 0
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Path <String>
The path to the file to return MFT slack space for.
Required? true
Position? 0
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-MftPath <String>
Path to an exported Master File Table.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
System.String
OUTPUTS
System.Byte[]
-------------------------- EXAMPLE 1 --------------------------
[ADMIN]: PS C:\\>Get-ForensicMftSlack -VolumeName C:
This command uses Get-ForensicMftSlack to get slack space from the $MFT file on the C:\\ logical volume.
-------------------------- EXAMPLE 2 --------------------------
[ADMIN]: PS C:\\>Get-ForensicMftSlack -VolumeName C: -Index 24212
This command uses Get-ForensicMftSlack to get the slack space from the MFT record at index 24212 on the C:\\
logical volume.
-------------------------- EXAMPLE 3 --------------------------
[ADMIN]: PS C:\\>Get-ForensicMftSlack -Path C:\\Windows\\system32\\cmd.exe
This command uses Get-ForensicMftSlack to get the slack space on the Cmd.exe MFT record.
-------------------------- EXAMPLE 4 --------------------------
[ADMIN]: PS C:\\>Get-ForensicMftSlack -MftPath C:\\evidence\\MFT
This command uses Get-ForensicMftSlack to get the MFT slack space from an exported Master File Table.
RELATED LINKS