$INDX ($i30 Index Attributes) Analysis

Within the NTFS filesystem, a directory's contents are stored in index attributes: $INDEX_ROOT, which lives inside the directory's $MFT record and is enough for a small directory, and $INDEX_ALLOCATION (with a companion $BITMAP), which is added once the entries no longer fit in the record and holds the index nodes as INDX records, usually 4 KiB each, protected by an update sequence array (fixups) in the same way as $MFT records. Both attributes carry the index name $I30, derived from 0x30, the type code of the $FILE_NAME attribute being indexed, which is why forensic tools refer to the directory index as "$I30". The index is a B-tree whose entries act as the directory listing: each entry holds the item's $MFT reference (record number plus sequence number) and a copy of its $FILE_NAME ($FN) attribute, including the name and namespace, the parent directory reference, allocated and real sizes, file attribute flags, and the four $FN timestamps (created, modified, MFT modified, accessed). This copy is maintained separately from the $FN attribute in the item's own $MFT record and the two can differ, so treat the $I30 values as their own source rather than as a mirror.

Forensically, analyzing $i30 index attributes, particularly focusing on slack space and inactive entries, can yield evidence unavailable elsewhere:

  • Deleted File Metadata Recovery: When a file is deleted (or renamed or moved, which also removes the old entry), NTFS drops its entry from the index node by shifting the following entries down and shrinking the node's used size; the bytes are not wiped, so the tail of the old layout lingers in the slack between the end of the used area and the end of the index record. Forensic tools walk the B-tree and scan that slack for $FILE_NAME-shaped structures, recovering the name, parent reference, sizes, attributes and $FN timestamps of files whose $MFT records have since been reused or overwritten, which proves that a file with that name existed in that directory at some point. Two caveats: the 16-byte entry header, and with it the MFT reference, is often destroyed by the shift, so a carved entry cannot always be linked to an $MFT record; and the stale bytes survive only until the node is rewritten, for example when the B-tree splits or rebalances, so the absence of a carved entry proves nothing.

  • Timeline Reconstruction: The timestamps in $i30 entries are the $FN timestamps as recorded in the index entry's copy of $FILE_NAME, a source independent of $STANDARD_INFORMATION and of the $FN attribute in the $MFT record, and one that common timestamp-manipulation tools do not touch, since they only rewrite $STANDARD_INFORMATION. They place file activity in the context of a specific parent directory and, for carved entries, survive after the $MFT record is gone.

  • Corroboration: Findings from $i30 analysis can corroborate evidence from $MFT and $UsnJrnl regarding file existence, naming, and timing within specific locations.
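
As an added, self-contained example (not code from this page, and not INDXRipper's implementation), the parser below builds a 4 KiB INDX record in memory with the layout described above, applies the update sequence fixups, walks the live entries, simulates NTFS deleting one entry by shifting the later entries down, and then carves the stale $FILE_NAME body out of the node's slack. The directory, file names, MFT numbers, sizes and timestamps are constructed sample data, and the timestamp window used to filter carved candidates is an assumed heuristic, not an NTFS rule.

```python
import struct
from datetime import datetime, timedelta, timezone

INDX_MAGIC = b"INDX"   # layout constants below are the real NTFS on-disk offsets, not taken from the page
NODE_HDR = 0x18        # index node header follows the 24-byte INDX record header
ENTRY_HDR = 16         # MFT ref (8) + entry length (2) + $FILE_NAME length (2) + flags (4)
FN_FIXED = 0x42        # fixed part of $FILE_NAME; the UTF-16LE name follows it
FN_FMT = "<Q4Q2QIIBB"  # parent ref, 4 FILETIMEs, alloc size, real size, attr flags, reparse, name len, namespace
FLAG_LAST = 0x02       # entry flag: end-of-node marker, which carries no $FILE_NAME
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(dt):      # datetime -> FILETIME (100 ns ticks since 1601-01-01)
    return (dt - EPOCH) // timedelta(microseconds=1) * 10
def from_filetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)
# Carving window (an assumed heuristic, tune per case): all four timestamps must fall inside it.
LO, HI = filetime(datetime(1995, 1, 1, tzinfo=timezone.utc)), filetime(datetime(2100, 1, 1, tzinfo=timezone.utc))

def file_name_attr(parent_ref, name, size, ts):
    """$FILE_NAME body: all four $FN timestamps set to ts (a FILETIME), ARCHIVE attribute, Win32 namespace."""
    fixed = struct.pack(FN_FMT, parent_ref, ts, ts, ts, ts, (size + 4095) & ~4095, size, 0x20, 0, len(name), 1)
    return fixed + name.encode("utf-16-le")

def index_entry(mft_ref, fn=b"", last=False):   # $I30 entry header + body, padded to 8 bytes; end marker has no body
    length = (ENTRY_HDR + len(fn) + 7) & ~7
    return struct.pack("<QHHI", mft_ref, length, len(fn), FLAG_LAST if last else 0) + fn.ljust(length - ENTRY_HDR, b"\0")

def write_fixups(buf, usn):
    """Stash the last two bytes of every 512-byte sector in the update sequence array and overwrite them with usn."""
    usa_off, usa_cnt = struct.unpack_from("<HH", buf, 4)
    struct.pack_into("<H", buf, usa_off, usn)
    for i in range(1, usa_cnt):
        buf[usa_off + 2 * i:usa_off + 2 * i + 2] = buf[i * 512 - 2:i * 512]
        struct.pack_into("<H", buf, i * 512 - 2, usn)
    return bytes(buf)

def apply_fixups(rec):
    """Undo the fixups; a parser that skips this step reads two bogus bytes at every sector boundary."""
    if rec[:4] != INDX_MAGIC: raise ValueError("not an INDX record")
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn, out = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_cnt):
        if out[i * 512 - 2:i * 512] != usn: raise ValueError("fixup mismatch in sector %d (torn write?)" % i)
        out[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)

def build_indx_record(entries, size=4096):   # 4 KiB is the usual index record size
    usa_off, usa_cnt = 0x28, size // 512 + 1
    first = (usa_off + 2 * usa_cnt + 7) & ~7   # entries start 8-byte aligned after the USA
    body, rec = b"".join(entries), bytearray(size)
    rec[0:8] = struct.pack("<4sHH", INDX_MAGIC, usa_off, usa_cnt)
    # node header: first-entry offset, used size, allocated size (all relative to NODE_HDR), flags
    struct.pack_into("<IIII", rec, NODE_HDR, first - NODE_HDR, first - NODE_HDR + len(body), size - NODE_HDR, 0)
    rec[first:first + len(body)] = body
    return write_fixups(rec, usn=1)

def parse_file_name(buf, off):
    parent, cr, mo, mf, ac, _, real, flags, _, nlen, ns = struct.unpack_from(FN_FMT, buf, off)
    name = buf[off + FN_FIXED:off + FN_FIXED + 2 * nlen].decode("utf-16-le", "replace")
    return {"name": name, "parent": parent & 0xFFFFFFFFFFFF, "size": real, "attrs": flags, "namespace": ns,
            "created": from_filetime(cr), "modified": from_filetime(mo), "mft_modified": from_filetime(mf), "accessed": from_filetime(ac)}

def parse_record(rec):
    """Apply fixups and walk the used area: (live entries with offsets, fixed-up bytes, end of used area, slack)."""
    buf = apply_fixups(rec)
    first, used, alloc, _ = struct.unpack_from("<IIII", buf, NODE_HDR)
    off, end, out = NODE_HDR + first, NODE_HDR + used, []
    while off + ENTRY_HDR <= end:
        ref, elen, _, flags = struct.unpack_from("<QHHI", buf, off)
        if flags & FLAG_LAST or elen < ENTRY_HDR:
            break
        out.append(dict(parse_file_name(buf, off + ENTRY_HDR), mft=ref & 0xFFFFFFFFFFFF, off=off, len=elen))
        off += elen
    return out, buf, end, buf[end:NODE_HDR + alloc]   # slack = past the used area, up to the allocated size

def delete_entry(rec, name):
    """Simulate NTFS removing an entry: later entries shift down and the used size shrinks; nothing is wiped."""
    entries, buf, end, _ = parse_record(rec)
    buf = bytearray(buf)
    e = next(x for x in entries if x["name"] == name)
    buf[e["off"]:end - e["len"]] = buf[e["off"] + e["len"]:end]
    struct.pack_into("<I", buf, NODE_HDR + 4, end - NODE_HDR - e["len"])
    return write_fixups(buf, struct.unpack_from("<H", buf, struct.unpack_from("<H", buf, 4)[0])[0] + 1)  # bump USN

def carve_slack(slack):
    """Scan slack for $FILE_NAME-shaped bodies: the entry header in front of a stale entry is usually destroyed
    by the shifted entries, so match on name length, namespace and plausible timestamps instead."""
    found = []
    for off in range(0, len(slack) - FN_FIXED, 8):   # entries, and so their $FILE_NAME, are 8-byte aligned
        nlen, ns = slack[off + 0x40], slack[off + 0x41]
        if (nlen and ns <= 3 and off + FN_FIXED + 2 * nlen <= len(slack)
                and all(LO <= t < HI for t in struct.unpack_from("<4Q", slack, off + 8))):
            found.append(parse_file_name(slack, off))
    return found

def demo():
    """Constructed sample (not real evidence): a directory holding three files, then 'secret.xlsx' is deleted."""
    ts = filetime(datetime(2023, 5, 17, 9, 30, tzinfo=timezone.utc))
    parent = (5 << 48) | 2001   # hypothetical directory: MFT record 2001, sequence number 5
    files = [("notes.txt", 512, 2002), ("report.docx", 18432, 2003), ("secret.xlsx", 70144, 2004)]
    entries = [index_entry((1 << 48) | mft, file_name_attr(parent, n, size, ts)) for n, size, mft in files]
    entries.append(index_entry(0, last=True))
    live, _, _, slack = parse_record(delete_entry(build_indx_record(entries), "secret.xlsx"))
    return [e["name"] for e in live], carve_slack(slack)
```

demo() returns the two live names and the one carved entry. The carved entry has no MFT reference because the 16-byte entry header was overwritten when the end marker shifted down over it, which is exactly the situation a real carver has to live with; its parent reference, size and $FN timestamps are intact. Against real evidence you would read each directory's $INDEX_ALLOCATION data runs (or an extracted $I30 dump) in index-record-sized chunks, hand each chunk to parse_record, and run carve_slack over the slack it returns.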

Specialized tools are required for effective $i30 analysis. INDXRipper (by Harel Segev) parses the NTFS index attributes of a live volume or a raw image, slack included, and reports both active and recovered entries. Running INDXRipper.exe //./C: --deleted-dirs output.csv from an elevated prompt (//./C: is the forward-slash form of the \\.\C: device path and needs administrator rights) parses the C: volume and writes the entries, including those carved from slack, to a CSV that loads directly into Timeline Explorer; --deleted-dirs extends the scan to the index records of directories whose own $MFT records are deleted (check the tool's --help for the current option set). INDXParse (by Willi Ballenthin) does the same job on an extracted $I30 attribute, and commercial forensic suites typically include modules for the same index parsing. Whatever the tool, confirm that it applies the update sequence fixups and that its output marks which entries came from slack rather than from the live index, since only the former carry the deleted-file evidence described above.
