File and directory timestamps are one of the resources forensic analysts use for determining when something happened, or in what particular order a sequence of events took place. As these timestamps usually are stored in some internal format, additional software is needed to interpret them and translate them into a format an analyst can easily understand. If there are any errors in this step, the result will clearly be less reliable than expected.

My primary purpose in this article is to present a simple design of test data suitable for determining if there are errors or problems in how a particular tool performs these operations. I will also present some test results from applying the tests to different tools.

For the moment, I am concerned only with NTFS file timestamps. NTFS is probably the most common source of timestamps that an analyst will have to deal with, so it is important to ensure that timestamp translation is correct.
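As an added illustration (not the author's test data or code): a reference translation of raw NTFS timestamp values, which are unsigned 64-bit counts of 100-nanosecond intervals since 1601-01-01 UTC, compared against a tool's output for a few constructed boundary values. The sample values, `compare_tool` and `microsecond_tool` are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# NTFS timestamp: unsigned 64-bit count of 100 ns ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

def filetime_to_text(ticks):
    """Reference translation; integer arithmetic keeps all 7 fractional digits."""
    if not 0 <= ticks < 2**64:
        raise ValueError("not an unsigned 64-bit value")
    seconds, frac = divmod(ticks, TICKS_PER_SECOND)
    try:
        moment = EPOCH_1601 + timedelta(seconds=seconds)
    except OverflowError:
        # Python's datetime ends at year 9999: report the raw value, do not guess.
        return f"unrepresentable (raw 0x{ticks:016X})"
    return f"{moment:%Y-%m-%d %H:%M:%S}.{frac:07d} UTC"

# Constructed boundary values (assumed for this example, not the article's test data).
SAMPLES = {
    "epoch start": 0,
    "one tick": 1,
    "Unix epoch": 116_444_736_000_000_000,
    "Unix epoch + 1 tick": 116_444_736_000_000_001,
    "leap day 2000": 125_962_560_000_000_000,
    "largest signed 64-bit": 0x7FFF_FFFF_FFFF_FFFF,
}

def compare_tool(tool_translate):
    """Return the names of samples where a tool differs from the reference."""
    failures = []
    for name, ticks in SAMPLES.items():
        try:
            got = tool_translate(ticks)
        except Exception as exc:
            got = f"crashed: {type(exc).__name__}"
        if got != filetime_to_text(ticks):
            failures.append(name)
    return failures

def microsecond_tool(ticks):
    """Hypothetical tool under test: converts via microseconds, losing a digit."""
    moment = EPOCH_1601 + timedelta(microseconds=ticks // 10)
    return f"{moment:%Y-%m-%d %H:%M:%S}.{moment.microsecond:06d}0 UTC"

if __name__ == "__main__":
    for name, ticks in SAMPLES.items():
        print(f"{name:24} {ticks:>20}  {filetime_to_text(ticks)}")
    print("microsecond_tool differs on:", compare_tool(microsecond_tool))
```

The hypothetical tool agrees with the reference on whole-second values and is flagged only on the samples that exercise the seventh fractional digit or exceed its representable range.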