PaulDotCom mailing list archives
Forensic File Analysis
From: dphull at trustedsignal.com (Dave Hull)
Date: Wed, 17 Dec 2008 14:18:15 -0600
2008/12/10 Kevin Shortt <kevin.shortt at gmail.com>:
> Any free tools out there that will preserve a Windows file's properties (access time, creator, etc.) for evidentiary purposes? Any and all leads/suggestions appreciated.
Sorry I'm late to the party. Windows files and their related metadata (permissions, timestamps, link counts, cluster chains, etc.) are stored in separate locations on the disk, except for NTFS with really small files. Given that, I'd use dd to make an image of the disk in question.

Good luck.

--
Dave Hull
Trusted Signal
Public key: http://trustedsignal.com/pubkey.txt
Fingerprint: 4B2B F3AD A9C2 B4E1 CBDF B86F D360 D00F C18D C71B
Mentoring SANS Security 508: Computer Forensics, Investigations and Response in Kansas City
Details at http://www.sans.org/mentor/details.php?nid=14464
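The dd imaging suggested in the reply above, sketched as an added example that is not part of the original message. It goes one step beyond the post by recording a SHA-256 of the source and checking the image against it, so the copy can later be shown to be unchanged. The function names, file layout, and the device and evidence paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). All paths are hypothetical.

# sha256_of FILE -> prints only the hex digest
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire_image SRC DEST
# Copies SRC (a disk device or file) to DEST with dd, records the source
# hash in DEST.sha256, and returns 0 only if the image hashes to the same value.
acquire_image() {
    src=$1; dest=$2
    if [ ! -r "$src" ]; then echo "cannot read $src" >&2; return 2; fi
    if [ -e "$dest" ]; then echo "refusing to overwrite $dest" >&2; return 3; fi

    # Hash the source first, then copy every block, allocated or not, so
    # metadata stored apart from the file contents is captured as well.
    src_hash=$(sha256_of "$src") || return 4
    dd if="$src" of="$dest" bs=65536 2>"$dest.ddlog" || return 4

    img_hash=$(sha256_of "$dest")
    printf '%s  %s\n' "$src_hash" "$(basename "$dest")" >"$dest.sha256"
    chmod a-w "$dest" "$dest.sha256"   # guard the working copy against edits
    [ "$src_hash" = "$img_hash" ]
}

# verify_image DEST -> 0 if DEST still matches the hash recorded at acquisition
verify_image() {
    recorded=$(cut -d' ' -f1 "$1.sha256") || return 2
    [ "$recorded" = "$(sha256_of "$1")" ]
}

# Typical use against a write-blocked disk (device name is an assumption):
#   acquire_image /dev/sdb /evidence/case001.dd && verify_image /evidence/case001.dd
```

Run it against the whole disk device rather than a partition or a mounted filesystem, and do later analysis on the image instead of the original.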