tootypeg wrote:
Yer, I see your points. It's answered a lot of my questions and thoughts about this topic to be honest. I was just after a little research project and wondered if there was anything I could dig around in with relation to deleted files. Shame!
BUT once said all the above, on modern NTFS most probably a "what was deleted when" tool, possibly combining a $MFT analysis with $UsnJrnl and $LogFile, would provide a (maybe time-limited) window on the past.
It won't be a quick triage method, but it will have some practical use; we are shifting from "what the OS/filesystem usually does (and analyze this statistically or evaluate the probabilities of events)" to "what actually happened and can be documented on this specific OS and filesystem".
This would be a good start point:
http://www.forensicfocus.com/Forums/viewtopic/t=10560/
https://github.com/jschicht
jaclaz
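To make the "what was deleted when" idea above concrete, here is an added example (not code from the thread, from jaclaz, or from the jschicht tools linked) that parses USN_RECORD_V2 entries from a $UsnJrnl:$J buffer, keeps the FILE_DELETE|CLOSE records, and resolves each deleted file's parent path through an index that an $MFT pass would produce. The record layout and USN_REASON_* bits are the documented Windows ones; the journal bytes, the MFT index and the USN values are constructed for the example, and $LogFile correlation is not covered. The sequence-number check shows the main caveat: when a parent MFT entry has been reused, the name now in $MFT does not belong to the deleted file's directory, so the path is reported as unresolvable rather than guessed.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* bits as documented for USN_RECORD_V2 in the Windows SDK (winioctl.h)
USN_REASON_DATA_EXTEND = 0x00000002
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_CLOSE = 0x80000000

ROOT_ENTRY = 5  # MFT entry number of the volume root directory on NTFS
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# USN_RECORD_V2 fixed header (60 bytes): RecordLength, MajorVersion, MinorVersion, FileRef,
# ParentRef, Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes, NameLength, NameOffset
USN_HDR = struct.Struct("<IHHQQqqIIIIHH")


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer maths so large tick counts do not lose precision."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def split_file_reference(ref):
    """64-bit MFT file reference -> (entry number, sequence number)."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def build_usn_record(usn, when, entry, seq, parent_entry, parent_seq, reason, name):
    """Serialise one USN_RECORD_V2; used here only to construct the sample journal."""
    name_bytes = name.encode("utf-16-le")
    rec_len = (USN_HDR.size + len(name_bytes) + 7) & ~7  # records are 8-byte aligned
    hdr = USN_HDR.pack(rec_len, 2, 0, (seq << 48) | entry, (parent_seq << 48) | parent_entry,
                       usn, datetime_to_filetime(when), reason, 0, 0, 0x20, len(name_bytes), USN_HDR.size)
    return hdr + name_bytes + b"\0" * (rec_len - USN_HDR.size - len(name_bytes))


def parse_usn_journal(buf):
    """Parse a $J byte buffer into record dicts; zero-filled gaps (sparse padding) are skipped."""
    records, off = [], 0
    while off + USN_HDR.size <= len(buf):
        (rec_len, major, _minor, file_ref, parent_ref, usn, ts, reason,
         _src, _sid, _attrs, name_len, name_off) = USN_HDR.unpack_from(buf, off)
        if rec_len == 0:          # inside padding: step to the next 8-byte boundary
            off += 8
            continue
        if major != 2 or rec_len < USN_HDR.size or off + rec_len > len(buf):
            raise ValueError("unsupported or truncated USN record at offset %d" % off)
        name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
        entry, seq = split_file_reference(file_ref)
        parent_entry, parent_seq = split_file_reference(parent_ref)
        records.append({"usn": usn, "time": filetime_to_datetime(ts), "reason": reason,
                        "entry": entry, "seq": seq, "parent_entry": parent_entry,
                        "parent_seq": parent_seq, "name": name})
        off += rec_len
    return records


def resolve_parent_path(parent_entry, parent_seq, mft_index):
    """Walk parent references through an $MFT-derived index {entry: {seq, name, parent_entry, parent_seq}}.

    Returns None if a parent entry is missing or its sequence number differs from the one recorded
    in the journal: the entry was reused by a later file, so its current name cannot be trusted.
    """
    parts, entry, seq = [], parent_entry, parent_seq
    while entry != ROOT_ENTRY:
        rec = mft_index.get(entry)
        if rec is None or rec["seq"] != seq:
            return None
        parts.append(rec["name"])
        entry, seq = rec["parent_entry"], rec["parent_seq"]
    return "\\" + "\\".join(reversed(parts))


def deleted_files_timeline(records, mft_index):
    """'What was deleted when': FILE_DELETE|CLOSE records in USN order, with paths where resolvable."""
    out = []
    for r in sorted(records, key=lambda r: r["usn"]):
        if r["reason"] & USN_REASON_FILE_DELETE and r["reason"] & USN_REASON_CLOSE:
            parent = resolve_parent_path(r["parent_entry"], r["parent_seq"], mft_index)
            path = parent.rstrip("\\") + "\\" + r["name"] if parent is not None else None
            out.append({"time": r["time"].isoformat(), "entry": r["entry"], "seq": r["seq"],
                        "name": r["name"], "path": path})
    return out


def utc_time(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed $MFT index: entry 200 has sequence 6 now, i.e. it was reused after the deletion below.
SAMPLE_MFT_INDEX = {
    64: {"seq": 1, "name": "Users", "parent_entry": ROOT_ENTRY, "parent_seq": ROOT_ENTRY},
    200: {"seq": 6, "name": "Temp", "parent_entry": ROOT_ENTRY, "parent_seq": ROOT_ENTRY},
}

# Constructed $J contents: create, extend, a zero-padded gap, then two deletions.
SAMPLE_JOURNAL = (
    build_usn_record(0x100, utc_time(2016, 1, 2, 3, 4, 5), 70, 3, 64, 1,
                     USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "notes.txt")
    + build_usn_record(0x160, utc_time(2016, 1, 2, 3, 4, 30), 70, 3, 64, 1,
                       USN_REASON_DATA_EXTEND | USN_REASON_CLOSE, "notes.txt")
    + b"\0" * 64
    + build_usn_record(0x200, utc_time(2016, 1, 2, 3, 5, 0), 70, 3, 64, 1,
                       USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "notes.txt")
    + build_usn_record(0x260, utc_time(2016, 1, 2, 4, 0, 0), 71, 2, 200, 5,
                       USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "old.log")
)

if __name__ == "__main__":
    for row in deleted_files_timeline(parse_usn_journal(SAMPLE_JOURNAL), SAMPLE_MFT_INDEX):
        print(row["time"], row["entry"], row["path"] or "<parent entry reused: %s>" % row["name"])
```

The window this gives is bounded by how much of $J is still allocated (it wraps) and by how many MFT entries have been reused since; both limits show up naturally in the output as missing records or unresolvable paths, which is why the result documents what can be proven rather than what probably happened.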