Get-ForensicMftSlack
SYNOPSIS
Gets the Master File Table (MFT) slack space for the specified volume.
SYNTAX
ByIndex
Get-ForensicMftSlack [-VolumeName <String>] [[-Index] <Int32>]
ByPath
Get-ForensicMftSlack [-Path] <String>
ByMftPath
Get-ForensicMftSlack -MftPath <String>
DESCRIPTION
The Get-ForensicMftSlack cmdlet returns a byte array representing the slack space found in Master File Table (MFT) records.
Each MFT file record is allocated a fixed size, 1024 bytes on most volumes. A record's attributes rarely fill that allocation, and the unused bytes between the end of the record's real data and the end of the allocation are its "slack". Because NTFS reuses records and only overwrites the portion it needs, this slack can hold remnants of earlier record contents, such as the names of files that have since been deleted. This is record slack inside the $MFT itself, not the cluster slack at the tail of a file's data run. To compute the slack size for a record, subtract the RealSize property from the AllocatedSize property of its FileRecord object.
Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.
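The following is an added example, not code from the PowerForensics help page or module. It shows the AllocatedSize minus RealSize calculation described above, compares it with the byte count Get-ForensicMftSlack returns for the same record, and carves UTF-16LE strings (the encoding NTFS uses for file names) out of the slack bytes so remnants of earlier record contents become readable. It assumes the PowerForensics module is installed, that the session is elevated, and that Get-ForensicFileRecord accepts -VolumeName and -Index and returns objects with RecordNumber, Name, AllocatedSize and RealSize properties; the record indexes used are arbitrary.

```powershell
# Added example (not part of the PowerForensics help page or module).
# Assumptions: PowerForensics is installed and imported in an elevated session;
# Get-ForensicFileRecord takes -VolumeName/-Index and its FileRecord objects expose
# RecordNumber, Name, AllocatedSize and RealSize. Record indexes below are arbitrary.
Import-Module PowerForensics

function Get-MftSlackSummary {
    # Compute slack as AllocatedSize - RealSize and compare it with what
    # Get-ForensicMftSlack actually returns for the same record.
    param(
        [string]$VolumeName = 'C:',
        [Parameter(Mandatory)][int[]]$Index
    )
    foreach ($i in $Index) {
        $record     = Get-ForensicFileRecord -VolumeName $VolumeName -Index $i
        $slackBytes = @(Get-ForensicMftSlack -VolumeName $VolumeName -Index $i)
        [pscustomobject]@{
            RecordNumber  = $record.RecordNumber
            Name          = $record.Name
            AllocatedSize = $record.AllocatedSize
            RealSize      = $record.RealSize
            ComputedSlack = $record.AllocatedSize - $record.RealSize
            ReturnedSlack = $slackBytes.Count
        }
    }
}

function Find-SlackUnicodeStrings {
    # Carve printable UTF-16LE strings of at least $MinLength characters from slack.
    # Both byte alignments are scanned because a leftover string need not start
    # on an even offset relative to the slack buffer.
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [int]$MinLength = 4
    )
    $results = New-Object System.Collections.Generic.List[string]
    foreach ($start in 0, 1) {
        $current = [System.Text.StringBuilder]::new()
        for ($i = $start; $i + 1 -lt $Bytes.Length; $i += 2) {
            $lo = $Bytes[$i]; $hi = $Bytes[$i + 1]
            if ($hi -eq 0 -and $lo -ge 0x20 -and $lo -le 0x7E) {
                [void]$current.Append([char]$lo)
            } else {
                if ($current.Length -ge $MinLength) { $results.Add($current.ToString()) }
                [void]$current.Clear()
            }
        }
        if ($current.Length -ge $MinLength) { $results.Add($current.ToString()) }
    }
    $results | Sort-Object -Unique
}

# Usage: summarise two records, then carve strings from one record's slack.
Get-MftSlackSummary -VolumeName 'C:' -Index 24212, 24213 | Format-Table -AutoSize
$slack = Get-ForensicMftSlack -VolumeName 'C:' -Index 24212
Find-SlackUnicodeStrings -Bytes ([byte[]]$slack)
```

ComputedSlack and ReturnedSlack should agree for a live record; a mismatch is worth investigating before relying on the carved strings. Strings recovered this way are unattributed fragments: they tell you a name once occupied that record's bytes, not when or which file it belonged to.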
EXAMPLES
Example 1
[ADMIN]: PS C:\> Get-ForensicMftSlack -VolumeName C:
This command uses Get-ForensicMftSlack to get the slack space from every record in the $MFT file on the C:\ logical volume.
Example 2
[ADMIN]: PS C:\> Get-ForensicMftSlack -VolumeName C: -Index 24212
This command uses Get-ForensicMftSlack to get the slack space from the MFT record at index 24212 on the C:\ logical volume.
Example 3
[ADMIN]: PS C:\> Get-ForensicMftSlack -Path C:\Windows\system32\cmd.exe
This command uses Get-ForensicMftSlack to get the slack space from the MFT record for cmd.exe, resolved from its path.
Example 4
[ADMIN]: PS C:\> Get-ForensicMftSlack -MftPath C:\evidence\MFT
This command uses Get-ForensicMftSlack to get the MFT slack space from an exported Master File Table.
PARAMETERS
-Index
The index of the MFT entry to return MFT slack space for.
Type: Int32
Parameter Sets: ByIndex
Aliases:
Required: False
Position: 0
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-MftPath
Path to an exported Master File Table.
Type: String
Parameter Sets: ByMftPath
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Path
The path to the file to return MFT slack space for.
Type: String
Parameter Sets: ByPath
Aliases: FullName
Required: True
Position: 0
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-VolumeName
Specifies the name of the volume or logical partition.
Enter the volume name in one of the following formats: \\.\C:, C:, or C.
Type: String
Parameter Sets: ByIndex
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False