How to extract data and timeline from Master File Table on NTFS filesystem

The most important file in a NTFS filesystem

During a forensics analysis, after evidence acquisition, the investigation starts by doing a timeline analysis, that extract from the images all information on when files were modified, accessed, changed and created.

Continue reading “How to extract data and timeline from Master File Table on NTFS filesystem”