PaulDotCom mailing list archives

Forensic File Analysis

From: iamnowonmai at gmail.com (iamnowonmai at gmail.com)
Date: Thu, 11 Dec 2008 00:26:34 +0000

TSK will help you compile a timeline, (autopsy is primarily built on the  
sleuthkit tools) mactime, macrobber are the commands you might use here, on  
a dd image of the original drive - as someone mentioned above. Not sure  
with the information given what the state of the evidence is - and how  
reliable it is, though.

Might I also recommend the excellent SANS SEC504 File System Forensics  
course? Don't forget to register via the
pauldotcom link. :)

I actually *do* hold a GCIH and GCFA, although I am primarily known for  
just being lame. :)

iamnowonmai

On Dec 10, 2008 4:30pm, Kevin Shortt <kevin.shortt at gmail.com> wrote:

Any free tools out there that will preserve a windows file properties

(access time, creator, etc..) for evidentiary purposes?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20081211/90c30bad/attachment.htm

Current thread:

Gonzor / Themiddler / PEScrambler, (continued)
- - - Gonzor / Themiddler / PEScrambler Tim Mugherini (Dec 16)
    - Gonzor / Themiddler / PEScrambler Nils (Dec 16)
    - Gonzor / Themiddler / PEScrambler Paul Asadoorian (Dec 16)
    - Gonzor / Themiddler / PEScrambler Joel Esler (Dec 16)
    - Gonzor / Themiddler / PEScrambler Adrian Crenshaw (Dec 16)
- Forensic File Analysis Brian Seel (Dec 10)
- Forensic File Analysis Mad Marv (Dec 10)
- Forensic File Analysis Kevin Shortt (Dec 12)
  - Forensic File Analysis Strzelec, Wally (Dec 12)
- Forensic File Analysis Dave Hull (Dec 17)
- Forensic File Analysis iamnowonmai at gmail.com (Dec 10)