MAC(b) times in Windows forensic analysis

Essential information during timeline analysis

During a forensic analysis, especially during timeline analysis, you deal with MAC timestamps, so it's important to know and understand the concept of time resolution. The MAC(b) times are derived from file system metadata and they stand for: Modified, Accessed, Changed ($MFT modified), Birth (file creation time). The (b) is…

Volume Shadow Copies in forensic analysis

Integral part of the Windows operating system and essential for DFIR analysts

Shadow Copy (also known as Volume Snapshot Service, Volume Shadow Copy Service or VSS) is a technology included in Microsoft Windows that allows taking manual or automatic backup copies or snapshots of computer files or volumes, even when they are in use. It is…

PowerForensics: a PowerShell framework for hard drive forensic analysis

Simple to install and with a lot of features

The purpose of PowerForensics is to provide an all-inclusive framework for hard drive forensic analysis. PowerForensics currently supports NTFS and FAT file systems, and work has begun on Extended File System and HFS+ support. PowerForensics is built on a C# class library (assembly) that provides an…

Linux Distributions for forensics investigation: my own list

A shortlist of six distributions… guess my favorite!

During a digital forensics analysis, a lot of different tools can be used, and it could be useful to use a dedicated Linux distribution with all tools already installed and configured. Here is a brief list of my choices. Computer Aided Investigative Environment (CAINE) CAINE offers a complete forensic environment…