NTFS Journal Forensics

Published: 05 August 2019
on the channel: 13Cubed

🛑 IMPORTANT! 🛑
Triforce ANJP is no longer available. After you've watched this episode, please check out "Introduction to MFTECmd", which covers the same information in greater detail and highlights an alternative tool to parse these artifacts. The episode is available here: • Introduction to MFTECmd - NTFS MFT an...

As a continuation of the "Introduction to Windows Forensics" series, this episode covers file system journaling in NTFS. From a forensics perspective, a large amount of information can be gleaned from this data, including one of the only ways we can prove if and when something was deleted from an NTFS volume. We'll take a look at the $MFT and the two different journals maintained by this file system, $UsnJrnl (the change journal, whose records live in its $J data stream) and $LogFile (the transaction log), and highlight the differences between them. Then, we'll learn how to use Triforce ANJP to parse these important artifacts.
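To make the "prove if and when something was deleted" point concrete, here is a minimal parser for the USN_RECORD_V2 structures found in the $J stream of $Extend\$UsnJrnl. It is an added example and not code from 13Cubed, Triforce ANJP or MFTECmd. The journal bytes it walks are constructed inline by build_record() (file names, MFT entry numbers and timestamps are made up); on a real case you would feed it the $J stream carved from an image, which begins with a large sparse run of zeros that the parser skips. The record layout and reason-flag values are those of winioctl.h; only a subset of reasons is decoded.

```python
"""USN_RECORD_V2 walker for the $J stream of $Extend\\$UsnJrnl (added example).

Not code from 13Cubed, Triforce ANJP or MFTECmd. SAMPLE_J below is a
constructed fragment, not data captured from a real volume.
"""
import struct
from datetime import datetime, timedelta, timezone

# 60-byte little-endian header; the UTF-16LE name follows at FileNameOffset
# and each record is padded out to an 8-byte boundary (RecordLength).
USN_RECORD_V2 = struct.Struct("<IHHQQqqIIIIHH")
HEADER_SIZE = USN_RECORD_V2.size  # 60

# Reason flags from winioctl.h (subset most useful for a file timeline).
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}
USN_REASON_FILE_DELETE = 0x00000200
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, computed in integers (no float drift)."""
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 10**6 + d.microseconds) * 10


def decode_reasons(reason):
    return [name for bit, name in USN_REASONS.items() if reason & bit]


def split_file_reference(ref):
    """64-bit NTFS file reference -> (MFT entry number, sequence number)."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def parse_usn_journal(data):
    """Return one dict per V2 record in a $J blob.

    Zero runs (the sparse lead-in of $J and inter-record padding) are skipped
    8 bytes at a time; a truncated trailing record ends the walk cleanly.
    """
    records, offset = [], 0
    while offset + 4 <= len(data):
        (length,) = struct.unpack_from("<I", data, offset)
        if length == 0:
            offset += 8
            continue
        if length < HEADER_SIZE or offset + length > len(data):
            break
        (_, major, _minor, file_ref, parent_ref, usn, ts, reason, _src, _sid,
         attrs, name_len, name_off) = USN_RECORD_V2.unpack_from(data, offset)
        if major != 2:
            break  # V3/V4 records use 128-bit file IDs; not handled here
        name = data[offset + name_off:offset + name_off + name_len].decode("utf-16-le")
        entry, seq = split_file_reference(file_ref)
        parent_entry, parent_seq = split_file_reference(parent_ref)
        records.append({
            "usn": usn, "timestamp": filetime_to_datetime(ts), "name": name,
            "mft_entry": entry, "mft_seq": seq,
            "parent_entry": parent_entry, "parent_seq": parent_seq,
            "attributes": attrs, "reason": reason, "reasons": decode_reasons(reason),
        })
        offset += length
    return records


def deleted_files(records):
    """Records carrying FILE_DELETE: the evidence of what was removed and when."""
    return [r for r in records if r["reason"] & USN_REASON_FILE_DELETE]


def build_record(usn, entry, seq, parent_entry, parent_seq, when, reason, name):
    """Serialise one USN_RECORD_V2; used only to construct the sample input."""
    name_bytes = name.encode("utf-16-le")
    length = (HEADER_SIZE + len(name_bytes) + 7) & ~7
    header = USN_RECORD_V2.pack(
        length, 2, 0, (seq << 48) | entry, (parent_seq << 48) | parent_entry,
        usn, datetime_to_filetime(when), reason, 0, 0, 0x20,
        len(name_bytes), HEADER_SIZE)
    return (header + name_bytes).ljust(length, b"\x00")


# Constructed sample: 4096 zero bytes standing in for the sparse lead-in, then
# four records for two hypothetical files in the root directory (MFT entry 5).
# Each USN is the record's byte offset in the stream, as on a real volume.
T0 = datetime(2019, 8, 5, 14, 30, 0, tzinfo=timezone.utc)
SAMPLE_J = b"\x00" * 4096 + b"".join([
    build_record(4096, 5001, 3, 5, 5, T0, 0x00000100, "payload.exe"),
    build_record(4184, 5001, 3, 5, 5, T0 + timedelta(seconds=1), 0x80000102, "payload.exe"),
    build_record(4272, 5002, 1, 5, 5, T0 + timedelta(minutes=2), 0x80000100, "notes.txt"),
    build_record(4352, 5001, 3, 5, 5, T0 + timedelta(minutes=5), 0x80000200, "payload.exe"),
])

if __name__ == "__main__":
    rows = parse_usn_journal(SAMPLE_J)
    for r in rows:
        print(r["timestamp"].isoformat(), r["usn"], r["name"], "|".join(r["reasons"]))
    for r in deleted_files(rows):
        print("DELETED:", r["name"], "MFT", r["mft_entry"], "seq", r["mft_seq"], "at", r["timestamp"])
```

The delete record is what an $MFT alone cannot give you once the entry has been reused: pairing the FILE_DELETE reason with the timestamp and the entry/sequence pair is the "if and when" in the paragraph above. Keep in mind that $J is a circular log of limited size, so older activity rolls off; the sequence number lets you tell a later file that reused the same MFT entry apart from the one that was deleted.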

** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **

Triforce ANJP Free Edition:
No Longer Available.

Background Music Courtesy of Anders Enger Jensen:
/hariboosx

#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics

