file system

This tag is associated with 4 posts

Linux Timestamps, Oh boy!

Timestamps are critical for analysts; they usually deal with different filesystems and understanding how the file timestamps work on each is crucial to what they do. If you do an online search for linux timestamps, you’ll get ton of information but the idea here is to put together different common file operations such as move, … Continue reading

ForGe – Computer Forensic Test Image Generator

Introduction Creating test material for computer forensic teaching or tool testing purposes has been a known problem. I encountered the issue in my studies of Computer Forensics at the University of Westminster. We were assigned a task to compare computer forensic tools and report results. Having already analysed test images by Brian Carrier ( over … Continue reading

Windows Vista – notes for forensic examiners (part two)

This article was first published in 2007 at and is reprinted with permission by Jamie Morris Forensic Focus ( Intro In part one of this series [ref 1] we looked at the different editions of Vista available and discussed the various encryption and backup features which might be of interest to forensic examiners. In … Continue reading

Analysis of hidden data in the NTFS file system

First published January 2006 Cheong Kai Wee Edith Cowan University Abstract Criminals with sensitive information such as crime records tend to hide/encrypt this information so that even if their computers are collected by police department, there is no evidence that can be used against them. There are many ways data can be hid. The … Continue reading

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,261 other followers