This video is a continuation of the “Introduction to Windows Forensics” series and picks up where we left off in the previous video (Windows MACB Timestamps). This time, we’ll take a look at NTFS directory index attributes, the $INDEX_ROOT and $INDEX_ALLOCATION attributes named $I30, commonly referred to as $I30 files once they have been extracted. First, we’ll cover the basic information you need to know about this important artifact. Then, we’ll walk through extraction of a $I30 file from a Windows 10 virtual machine and analyze the index records, including their slack space, for entries belonging to deleted or overwritten files.
Introduction to Windows Forensics:
ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-VYROU-ZwZX8.html
Windows MACB Timestamps (NTFS Forensics):
ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-OTea54BelTg.html
NTFS INDX Parsing:
www.williballenthin.com/forensics/indx/
INDXParse:
github.com/williballenthin/INDXParse
NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files:
forensicmethods.com/ntfs-index-attribute
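The slack-space analysis the video walks through, as an added example (Python, not code from the video or from INDXParse): it parses one INDX record of a $I30 index, undoes the update sequence array (fixups), lists the live entries, then carves the slack between the node's used size and its allocated size for $FILE_NAME structures left behind by deleted entries. The record it reads is constructed inside the script (a hypothetical directory with MFT number 41; all names, sizes and timestamps are made up), and the 1990..2100 timestamp window used to validate carved entries is an assumption, not an NTFS rule.

```python
import struct
from datetime import datetime, timedelta, timezone

# Node header at 0x18; entry = 0x10-byte header + $FILE_NAME (0x42 fixed bytes); flag 0x02 = end marker.
SECTOR, NODE_HDR, ENTRY_HDR, FN_FIXED, FLAG_LAST = 512, 0x18, 0x10, 0x42, 0x02
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

# Sanity window for carving (an assumption): random slack bytes rarely decode to 1990..2100.
FT_MIN, FT_MAX = (dt_to_filetime(datetime(y, 1, 1, tzinfo=timezone.utc)) for y in (1990, 2100))

def apply_fixups(rec):
    # Undo the update sequence array: the last 2 bytes of each sector hold the USN on disk,
    # the original bytes live in the array after it; a mismatch means a torn write.
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn, buf = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_cnt):
        if buf[i * SECTOR - 2:i * SECTOR] != usn:
            raise ValueError("USN mismatch in sector %d" % i)
        buf[i * SECTOR - 2:i * SECTOR] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_filename(buf, off):
    # Parse $FILE_NAME at buf[off:]; None unless every field is plausible, so it can carve.
    if off + FN_FIXED > len(buf):
        return None
    (parent, cr, mo, mm, ac, _alloc, real, _flags, _reparse,
     nlen, ns) = struct.unpack_from("<7Q2I2B", buf, off)
    if not (1 <= nlen <= 255 and ns <= 3 and off + FN_FIXED + 2 * nlen <= len(buf)):
        return None
    if not all(FT_MIN <= t <= FT_MAX for t in (cr, mo, mm, ac)):
        return None
    name = buf[off + FN_FIXED:off + FN_FIXED + 2 * nlen].decode("utf-16-le", "replace")
    if any(ord(c) < 0x20 or c == "\ufffd" for c in name):
        return None
    return {"name": name, "parent_mft": parent & 0xFFFFFFFFFFFF, "size": real,
            "created": filetime_to_dt(cr), "modified": filetime_to_dt(mo), "mft_modified":
            filetime_to_dt(mm), "accessed": filetime_to_dt(ac), "fn_len": FN_FIXED + 2 * nlen}

def parse_index_record(rec):
    # Returns (active, carved): live entries, then $FILE_NAMEs carved from the node's slack.
    if rec[:4] != b"INDX":
        raise ValueError("not an INDX record")
    buf = apply_fixups(rec)
    first, used, alloc = struct.unpack_from("<III", buf, NODE_HDR)
    pos, end, active, carved = NODE_HDR + first, NODE_HDR + used, [], []
    while pos + ENTRY_HDR <= end:
        ref, esz, _fnsz, eflags = struct.unpack_from("<QHHH", buf, pos)
        if eflags & FLAG_LAST or esz < ENTRY_HDR:
            break
        fn = parse_filename(buf, pos + ENTRY_HDR)
        if fn:
            active.append(dict(fn, mft=ref & 0xFFFFFFFFFFFF, offset=pos))
        pos += esz
    p = end
    while p < NODE_HDR + alloc:  # slack: between used and allocated size, 8-byte aligned
        fn = parse_filename(buf, p)
        if fn:
            carved.append(dict(fn, offset=p))
        p += (fn["fn_len"] + 7) & ~7 if fn else 8
    return active, carved

def build_entry(mft, parent, name, size, when):
    # Constructed index entry (header + $FILE_NAME) for the sample record below.
    ft, nm = dt_to_filetime(when), name.encode("utf-16-le")
    fn = struct.pack("<7Q2I2B", parent, ft, ft, ft, ft, -(-size // 4096) * 4096, size,
                     0x20, 0, len(name), 1) + nm
    esz = (ENTRY_HDR + len(fn) + 7) & ~7
    return (struct.pack("<QHHHH", (1 << 48) | mft, esz, len(fn), 0, 0) + fn).ljust(esz, b"\0")

def build_sample_record():
    # Constructed 4 KiB record for a hypothetical directory (MFT #41) that indexed three files until
    # secret_plan.docx, last in sort order, was deleted: the end marker is rewritten over its header
    # and the used size shrinks, leaving its $FILE_NAME intact in the slack.
    t = datetime(2017, 9, 1, 8, 30, tzinfo=timezone.utc)
    ents = [build_entry(102, 41, "notes.txt", 512, t),
            build_entry(103, 41, "payroll.xlsx", 20480, t + timedelta(hours=1)),
            build_entry(104, 41, "secret_plan.docx", 1337, t + timedelta(days=3))]
    end_marker = struct.pack("<QHHHH", 0, ENTRY_HDR, 0, FLAG_LAST, 0)
    usa_off, usa_cnt, first = 0x28, 1 + 4096 // SECTOR, 0x40 - NODE_HDR  # USA ends at 0x3A
    body = b"".join(ents) + end_marker
    rec = bytearray(4096)
    rec[0:NODE_HDR] = b"INDX" + struct.pack("<HHQQ", usa_off, usa_cnt, 0x1234, 0)
    rec[NODE_HDR + first:NODE_HDR + first + len(body)] = body
    used = first + len(ents[0]) + len(ents[1]) + ENTRY_HDR  # after the deletion
    rec[NODE_HDR + used - ENTRY_HDR:NODE_HDR + used] = end_marker
    rec[NODE_HDR:NODE_HDR + 0x10] = struct.pack("<IIII", first, used, 4096 - NODE_HDR, 0)
    for i in range(1, usa_cnt):  # write the USA as NTFS does: save sector tails, stamp the USN
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = b"\x07\x00"
    rec[usa_off:usa_off + 2] = b"\x07\x00"
    return bytes(rec)

if __name__ == "__main__":
    for tag, rows in zip(("active", "slack"), parse_index_record(build_sample_record())):
        print(tag, [(e["name"], e["size"], e["modified"].isoformat()) for e in rows])
```

To run this against a real extracted $I30 file, split it into index records (4096 bytes on typical volumes; the record size is in $Boot) and call parse_index_record on each; only the non-resident $INDEX_ALLOCATION records are covered, not the resident $INDEX_ROOT in the MFT entry. Two caveats before calling a carved entry "deleted": carved entries carry no MFT reference of their own (the entry header is what gets overwritten), and because NTFS shifts entries within a node when the index is rebalanced, the slack often holds stale copies of files that are still live, so compare each carved name and its $FILE_NAME timestamps against the active entries first. INDXParse applies the same approach to whole $I30 files and MFT records.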
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
12 Sep 2017