PaulDotCom mailing list archives

Forensic File Analysis


From: dphull at trustedsignal.com (Dave Hull)
Date: Wed, 17 Dec 2008 14:18:15 -0600

2008/12/10 Kevin Shortt <kevin.shortt at gmail.com>:
> Any free tools out there that will preserve a Windows file's properties
> (access time, creator, etc.) for evidentiary purposes?
>
> Any and all leads/suggestions appreciated.

Sorry I'm late to the party. Windows files and their related metadata
(permissions, timestamps, link counts, cluster chains, etc.) are
stored in separate locations on the disk, except for NTFS with really
small files. Given that, I'd use dd to make an image of the disk in
question.

Good luck.

-- 
Dave Hull
Trusted Signal
Public key: http://trustedsignal.com/pubkey.txt
Fingerprint: 4B2B F3AD A9C2 B4E1 CBDF  B86F D360 D00F C18D C71B

Mentoring SANS Security 508: Computer Forensics, Investigations and
Response in Kansas City
Details at http://www.sans.org/mentor/details.php?nid=14464
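
The imaging step suggested in the message above, as an added example that is not part of the original post: a raw dd copy followed by a hash comparison, so that the image (which carries the file system's metadata structures along with the file contents) can be shown to match the source. It assumes GNU coreutils (dd, sha256sum); the function name image_and_verify is hypothetical.

```shell
#!/bin/sh
# Added example: image a source with dd and verify the copy by hash.
# Assumes GNU coreutils. image_and_verify is a hypothetical helper name.
#
# Usage: image_and_verify SOURCE IMAGE
#   SOURCE  a block device (ideally behind a write blocker) or, for a
#           dry run, any readable file
#   IMAGE   path of the raw image to create
# Returns 0 if the image hash matches the source hash, 1 on a copy or
# hash mismatch, 2 on a usage problem.
image_and_verify() {
    src=$1
    img=$2

    # The source must be readable and the image must not already exist,
    # so an earlier acquisition is never silently overwritten.
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    [ -e "$img" ] && { echo "refusing to overwrite $img" >&2; return 2; }

    # Hash the source before imaging.
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)

    # Raw bit-for-bit copy; dd's transfer statistics go to stderr.
    dd if="$src" of="$img" bs=1M 2>/dev/null || return 1

    # Hash the finished image.
    img_hash=$(sha256sum < "$img" | cut -d' ' -f1)

    # Record the image hash in sha256sum's own format so it can be
    # rechecked later with: sha256sum -c IMAGE.sha256
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"

    # Drop write permission so analysis tools open the image read-only.
    chmod a-w "$img"

    # Success only when both hashes are non-empty and identical.
    [ -n "$src_hash" ] && [ "$src_hash" = "$img_hash" ]
}
```

Analysis then runs against the image (or a copy of it) rather than the original disk, and the recorded hash can be rechecked at any point.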

