Best way to collect $MFT, $UsnJrnl and $LogFile #488
-
|
Hi. What would be a easy way to search for all volumes present when running KAPE and collect the mentioned files above? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 3 replies
-
|
why do you say that? just because the target references C:$MFT does not mean you cannot collect ANY volume. This is what --tsource is for. if you do then KAPE will collect D:$MFT KAPE does all the work of updating things from the target definition based on what you pass in via --tsource. we always reference C:\ as the start for all files to keep it simple and consistent. if you wanted ALL file systems you would need to write a simple powershell script or similar to:
thats it. |
Beta Was this translation helpful? Give feedback.
-
|
ah got it. sorry it's monday. I usually only collect data on workstations and it's my first need to collect data on a file server. ill give it a go! |
Beta Was this translation helpful? Give feedback.
-
|
to make things easier can I just create a new tkape file and specify all drive letters that are possible and if found kape will copy them? |
Beta Was this translation helpful? Give feedback.
-
|
nope. that wont work. regardless of what you put there, kape updates each path with what you send in via --tsource |
Beta Was this translation helpful? Give feedback.
-
|
got it, ty! |
Beta Was this translation helpful? Give feedback.
why do you say that? just because the target references C:$MFT does not mean you cannot collect ANY volume. This is what --tsource is for.
if you do
then KAPE will collect D:$MFT
KAPE does all the work of updating things from the target definition based on what you pass in via --tsource.
we always reference C:\ as the start for all files to keep it simple and consistent.
if you wanted ALL file systems you would need to write a simple powershell script or similar to:
thats it.