So, I was having lunch with my good friend Mike. Great guy. If you get a chance, take Mike to lunch. Anyway, we were discussing how EnCase doesn’t really give the user easy access to the MFT and there is some information in there that doesn’t get parsed by EnCase that could be useful to an examiner. So, on a bet, I built an EnScript to parse out the MFT record for all selected (blue checked) files. Mike had to pay for lunch and you get an EnScript.
Currently it just dumps info to the console. Next version will output to a series of sweeping bookmarks.