Windows Time Rule for Digital Forensic

4 years ago by 0

There are some common rules for windows time rule for $Standard_Information and $Filename. Here is the table for those common rules.

This below table (created by SANS) is the rule for MACB/E (Modified , Access, Create/Change, and Birth/Entry) timestamps.

Usually, $FILENAME information is hardly modified/timestomped. So this information can be useful for doing a forensic for Windows file.

0 0 votes
Article Rating
Tags: , ,


We are teams that have the same hobbies in Information Technologies and have experienced in many fields regarding Information Technologies .

Recent Articles

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
© 2024 JaringanKita – Technology For All. All rights reserved. Entries RSS · Comments RSS
3
0
Would love your thoughts, please comment.x
()
x