EricZimmerman wrote:
In short, I am asking for the community's feedback to ensure that osT2
covers the widest possible number of use cases for as many people as
possible, so if you have any suggestions on what you would like to see
in such a tool, please let me know.
Perhaps the best way to provide feedback is via my forums...
Ok, Eric, here's a suggestion. I'd like to see a feature or plugin that identifies candidates to have been copied from a FAT system, by flagging modified times that are even whole seconds. (Does osTriage support NSRL hash tables?) The distinction between whether a file was downloaded, edited on the host computer, or copied from a flash drive has been relevant in several of my cases.
What's the URL for your forums?
↧