Windows MACB Timestamps (NTFS Forensics)

Video description: Windows MACB Timestamps (NTFS Forensics)

As a continuation of the "Introduction to Windows Forensics" series, this video introduces the MACB timestamps (Modified, Accessed, MFT entry Changed, Birth/created) that NTFS keeps for every file. We first cover the basics of MACB timestamps and the differences between the $STANDARD_INFORMATION and $FILE_NAME attributes, each of which carries its own set of four; second, we look at normal timestamp behavior on a Windows 10 system when creating, modifying, copying, and accessing files; next, we use the anti-forensics tool Timestomp to alter a file's MACB timestamps (Timestomp calls them MACE: Modified, Accessed, Created, Entry modified); then we use analyzeMFT to find evidence of that timestomping in the $MFT; lastly, we take a look at something interesting I recently discovered about how these timestamps behave when files are created through the new Bash on Windows (Windows Subsystem for Linux) feature.
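The reason the $STANDARD_INFORMATION / $FILE_NAME comparison works is that user-mode tools such as Timestomp reach the timestamps through the Win32 file-time APIs, which only update $STANDARD_INFORMATION, while $FILE_NAME is written by the NTFS driver alone. The script below is an added example for this page, not code from the video or from analyzeMFT: it builds a constructed, minimal resident $MFT record (sample data, not from a real disk; the file name "evil.exe" and the dates are made up), parses the four FILETIMEs out of both attributes, and applies the two checks the video's analyzeMFT walkthrough relies on: whole-second $SI values (SetFileTime-based tools write at one-second granularity, whereas NTFS writes 100 ns ticks) and an $SI creation time that predates the $FN creation time.

```python
"""Compare $STANDARD_INFORMATION and $FILE_NAME MACB timestamps in an NTFS $MFT record.

Added example for this page (not analyzeMFT's code). Everything below is
constructed sample data: the record is assembled in memory, not read from disk.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000                       # FILETIME = 100 ns ticks since 1601
MACB_FIELDS = ("created", "modified", "mft_changed", "accessed")
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF


def filetime_to_datetime(ft):
    """FILETIME ticks -> aware UTC datetime (microsecond resolution)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt, extra_ticks=0):
    """UTC datetime -> FILETIME ticks; extra_ticks adds sub-microsecond 100 ns ticks."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10 + extra_ticks


def build_resident_attr(atype, content):
    """Resident attribute: 24-byte header, content at offset 24, total length 8-byte aligned."""
    total = 24 + len(content)
    total += (-total) % 8
    buf = bytearray(total)
    # type, length, non-resident flag, name len, name offset, flags, id, content size, content offset, indexed, pad
    struct.pack_into("<IIBBHHHIHBB", buf, 0, atype, total, 0, 0, 24, 0, 0, len(content), 24, 0, 0)
    buf[24:24 + len(content)] = content
    return bytes(buf)


def build_standard_information(created, modified, mft_changed, accessed):
    """$SI (0x10): four FILETIMEs, then flags/version/class/owner/quota/USN fields (zeroed here)."""
    return struct.pack("<4Q", created, modified, mft_changed, accessed) + bytes(40)


def build_file_name(name, created, modified, mft_changed, accessed, parent_ref=5):
    """$FN (0x30): parent ref, four FILETIMEs, alloc/real size, flags, reparse, name len, namespace, UTF-16LE name."""
    return struct.pack("<Q4QQQIIBB", parent_ref, created, modified, mft_changed,
                       accessed, 0, 0, 0x20, 0, len(name), 3) + name.encode("utf-16-le")


def build_mft_record(attrs, size=1024):
    """Minimal FILE record: signature, first-attribute offset, in-use flag, attributes, end marker, padding."""
    body = b"".join(attrs) + struct.pack("<II", ATTR_END, 0)
    header = bytearray(0x38)
    header[:4] = b"FILE"
    struct.pack_into("<HHII", header, 0x14, 0x38, 0x01, len(header) + len(body), size)
    record = bytes(header) + body
    return record + bytes(size - len(record))


def parse_mft_record(record):
    """Return {'SI': {field: FILETIME}, 'FN': [{field: FILETIME, 'name': str}, ...]}."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]
    attrs = {"FN": []}
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen == 0:
            break
        if not record[off + 8]:                      # resident: content is inside the record
            csize, coff = struct.unpack_from("<IH", record, off + 16)
            content = record[off + coff: off + coff + csize]
            if atype == ATTR_STANDARD_INFORMATION:
                attrs["SI"] = dict(zip(MACB_FIELDS, struct.unpack_from("<4Q", content, 0)))
            elif atype == ATTR_FILE_NAME:
                times = dict(zip(MACB_FIELDS, struct.unpack_from("<4Q", content, 8)))
                name_len = content[0x40]
                times["name"] = content[0x42:0x42 + 2 * name_len].decode("utf-16-le")
                attrs["FN"].append(times)
        off += alen
    return attrs


def detect_timestomping(attrs):
    """Heuristics, not proof: whole-second $SI values and $SI birth earlier than $FN birth."""
    findings = []
    si = attrs["SI"]
    for field in MACB_FIELDS:
        if si[field] % TICKS_PER_SECOND == 0:
            findings.append(f"$SI {field} has zero sub-second precision: {filetime_to_datetime(si[field])}")
    for fn in attrs["FN"]:
        if si["created"] < fn["created"]:
            findings.append(f"$SI created {filetime_to_datetime(si['created'])} precedes "
                            f"$FN created {filetime_to_datetime(fn['created'])} for {fn['name']!r}")
    return findings


# Constructed sample: the kernel wrote 2017-03-14 09:26:53.5897934Z into $FN when the file was
# created; a Timestomp-style tool then set all four $SI values to 2010-01-01 00:00:00 (whole seconds).
REAL_CREATED = datetime_to_filetime(datetime(2017, 3, 14, 9, 26, 53, 589793, tzinfo=timezone.utc), extra_ticks=4)
STOMPED = datetime_to_filetime(datetime(2010, 1, 1, tzinfo=timezone.utc))
SAMPLE_RECORD = build_mft_record([
    build_resident_attr(ATTR_STANDARD_INFORMATION,
                        build_standard_information(STOMPED, STOMPED, STOMPED, STOMPED)),
    build_resident_attr(ATTR_FILE_NAME,
                        build_file_name("evil.exe", REAL_CREATED, REAL_CREATED, REAL_CREATED, REAL_CREATED)),
])


def analyze(record=SAMPLE_RECORD):
    return detect_timestomping(parse_mft_record(record))


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

Treat both checks as leads, not verdicts. Whole-second $SI times also appear legitimately on files copied from FAT/exFAT media or extracted from ZIP archives (DOS timestamps have two-second resolution). The comparison deliberately uses only the creation time: a copied file normally has an $SI modified time earlier than its $FN created time, because Windows preserves the source's modified time but stamps the copy's birth time, so comparing modified times would flag every copy. Confirm any hit against $LogFile or $UsnJrnl, as the video does with analyzeMFT output.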

Introduction to Windows Forensics:
   • Introduction to Windows Forensics  

MAC Times:
http://forensicswiki.org/wiki/MAC_times

I’m Your MAC(b) Daddy:
https://www.defcon.org/images/defcon-...

Timestomp:
http://forensicswiki.org/wiki/Timestomp

analyzeMFT:
https://github.com/dkovar/analyzeMFT

Digital Forensics: Detecting Time Stamp Manipulation:
https://digital-forensics.sans.org/bl...

#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
