Timeline Analysis OLD
Log 2 Timeline CheatSheet
Registry Hive Microsoft Registry Hive Explanation
RAM Slack - File Slack One More
NTFS File Structure
1) Forensics Basics - Breach Detection (Useful)
2) Linux Inode
3) FAT and FAT Directory Entries
4) FAT12
Offset and Advanced Stuff
RSA is an algorithm used for signing or encryption, whereas Diffie-Hellman is a
protocol used for key exchange. RSA also expects that you already have the key
material (the other party's public key) before you start, which is not the case
with Diffie-Hellman.
NTFS divides all usable space into clusters, the smallest blocks of data it allocates at a time.
NTFS supports almost any cluster size, from 512 bytes up to 64 KBytes.
The 4 KBytes cluster is the common default.
Modify is the timestamp of the last time the file's content was modified.
This is called "mtime".
"Change" is the timestamp of the last time the file's inode was changed, for example by changing
permissions, ownership, file name or the number of hard links. It is often called "ctime".
How would you be able to tell at the hex level that a file has been deleted in FAT12?
Run fsstat against the FAT partition to gather file system details. Run fls against the image to list its files; the output includes deleted files along with their metadata.
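As an added example (not part of the original notes), here is a small Python parser for raw FAT short-name directory entries that reports which entries carry the 0xE5 deletion marker in the first byte of the name, which is what fls is spotting at the hex level. The sample directory bytes are constructed for the example, not taken from a real image.

```python
import struct

ENTRY_SIZE = 32
ENTRY_FMT = "<8s3sBBBHHHHHHHI"   # 8.3 name, attr, reserved, timestamps, cluster hi/lo, size
DELETED = 0xE5                   # first name byte of an unlinked entry
UNUSED = 0x00                    # first name byte of a never-used entry (end of directory)
ATTR_LFN = 0x0F                  # VFAT long-name fragment, not a real file


def fat_datetime(date: int, time: int) -> str:
    """Decode the packed 16-bit FAT date and time fields."""
    return "%04d-%02d-%02d %02d:%02d:%02d" % (
        1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def parse_entry(raw: bytes) -> dict:
    """Parse one 32-byte short-name directory entry into a dict."""
    name, ext, attr, _, _, _, _, _, hi, wtime, wdate, lo, size = struct.unpack(ENTRY_FMT, raw)
    deleted = name[0] == DELETED
    # The deletion marker overwrites the first character, so that character is lost
    base = ("?" + name[1:].decode("ascii")) if deleted else name.decode("ascii")
    return {
        "name": (base.rstrip() + "." + ext.decode("ascii").rstrip()).rstrip("."),
        "deleted": deleted,
        "attr": attr,
        "first_cluster": (hi << 16) | lo,   # hi is always 0 on FAT12/FAT16
        "size": size,
        "modified": fat_datetime(wdate, wtime),
    }


def scan_directory(blob: bytes) -> list:
    """Walk a raw directory region and return every short-name entry, deleted ones included."""
    entries = []
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = blob[off:off + ENTRY_SIZE]
        if raw[0] == UNUSED:      # nothing was ever written past this point
            break
        if raw[11] == ATTR_LFN:   # skip long-name fragments
            continue
        entries.append(parse_entry(raw))
    return entries


# Constructed sample directory: one live file, one deleted file, then an unused slot.
SAMPLE_DIR = (
    struct.pack(ENTRY_FMT, b"README  ", b"TXT", 0x20, 0, 0, 0, 0, 0, 0, 0x4C00, 0x5721, 3, 1234)
    + struct.pack(ENTRY_FMT, b"\xE5ECRET  ", b"DOC", 0x20, 0, 0, 0, 0, 0, 0, 0x4C00, 0x5721, 7, 4096)
    + bytes(ENTRY_SIZE)
)
```

Note that the deleted entry keeps its first cluster and size, which is why a tool like fls can still report them, but the data is only recoverable until those clusters are reused.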