Category Timeline

Timestamp Anomalies – $MFT

Going through my SANS 508 material, I decided to have a closer look at some of the material on the Master File Table ($MFT) in the NTFS file system and how the analysis of it can be used to detect timestamp anomalies (timestomping).

The first thing I wanted to do was extract my MFT so I can then run a tool against it for...


Timeline Creation – Part 2 (Super Timeline)

As promised in my previous blog post, I am moving on to create a Super Timeline; my reason for carrying this out after the filesystem timeline is purely down to the time it takes to process.

The super timeline is a suitable name as it is a very powerful analysis tool...


Timeline Creation – Part 1 (Filesystem Timeline)

As I mentioned previously, I am currently studying for my GCFA (GIAC Certified Forensic Analyst) exam, and as part of my revision I am completing the exercises in the workbook.

One area I am enjoying very much is the timeline process...
