Fun and games with Windows FILETIME and how to efficiently detect timestamp alterations
Interesting article by Lance Mueller on Filestamps (NTFS and FAT).
“.. an examiner should be familiar how the time values are stored on NTFS volumes AND the need to examine these dates manually, since many of the common forensic tools do not display the dates with any precision beyond one second, when there is any suspicion of tampering ..”
Lance Mueller, ForensicKB, 21 January 2011
http://www.forensickb.com/2011/01/fun-and-games-with-windows-filetime-and.html – last access 23 January 2011 – ( Full Article )
This entry was posted on January 23, 2011 by cobramark3. It was filed under Analysis, Filetime, Timestamps, Timestomp and was tagged with Computer Forensics, Digital Forensics, Filetime, MFT, NTFS, Timestomp.