chip-dfir.techanarchy.net
Timestamp Anomalies – $MFT
Going through my SANS 508 material, I decided to have a closer look at some of the material on the Master File Table ($MFT) in the NTFS file system and how the analysis of it can be used to detect t…