
Windows MACB Timestamps (NTFS Forensics)


As a continuation of the “Introduction to Windows Forensics” series by Richard Davis, this video introduces MACB timestamps (modification, access, MFT record change, birth/creation) for files on NTFS volumes. It first covers the basics of MACB timestamps and the difference between the $STANDARD_INFORMATION and $FILE_NAME attributes, each of which carries its own set of four timestamps; then it looks at normal timestamp behaviour on a Windows 10 system when files are created, modified, copied, and accessed; then it uses the anti-forensics tool “Timestomp” to alter a file’s MACB (MACE, in Timestomp’s terminology) timestamps; then it uses analyzeMFT to find evidence of that timestomping; and finally it looks at something Richard recently discovered about how these timestamps behave when files are touched through the new Bash on Windows (Windows Subsystem for Linux) feature.
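The following is an added example, written for this page and not taken from the video, from Richard Davis, or from analyzeMFT. It parses a minimal NTFS MFT FILE record (update sequence fixups included, since a real record cannot be read without applying them), pulls the four timestamps out of both $STANDARD_INFORMATION and $FILE_NAME, and applies two heuristics that examiners commonly use to spot timestomping: a $STANDARD_INFORMATION timestamp whose 100-nanosecond fraction is exactly zero (tools that go through SetFileTime with whole-second values leave it that way), and a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time. The two records it parses are constructed in the script, not real disk data, and the file name, dates and the `Timestomp -z` style all-whole-seconds pattern are assumptions for the sake of illustration. Both heuristics produce false positives on files moved between volumes, unpacked from archives, or copied from FAT media, so treat a hit as a lead to confirm against $FILE_NAME, the $LogFile or $UsnJrnl, not as proof.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch, 100 ns ticks
ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF

def to_filetime(dt, ticks=0):
    """UTC datetime -> FILETIME; `ticks` adds a 100 ns remainder (0..9_999_999)."""
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10 + ticks

def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

# ---- constructed sample records (assumed layout values, not real disk data) ----

def resident_attr(atype, content, attr_id):
    """Resident attribute: 24-byte header, content, padded to an 8-byte boundary."""
    length = 24 + len(content)
    length += (-length) % 8
    hdr = struct.pack('<IIBBHHHIHBB', atype, length, 0, 0, 24, 0, attr_id,
                      len(content), 24, 0, 0)
    return hdr + content + bytes(length - 24 - len(content))

def build_record(name, si_times, fn_times):
    """Minimal 1024-byte FILE record with one $STANDARD_INFORMATION and one $FILE_NAME."""
    si = resident_attr(ATTR_SI, struct.pack('<4Q', *si_times) + bytes(16), 0)
    fn_body = struct.pack('<Q4QQQIIBB', 5 | (5 << 48), *fn_times, 4096, 1234,
                          0x20, 0, len(name), 3) + name.encode('utf-16-le')
    fn = resident_attr(ATTR_FN, fn_body, 1)
    body = si + fn + struct.pack('<II', ATTR_END, 0)
    hdr = struct.pack('<4sHHQHHHHIIQH', b'FILE', 48, 3, 0, 1, 1, 56, 1,
                      56 + len(body), 1024, 0, 2).ljust(56, b'\0')
    rec = bytearray((hdr + body).ljust(1024, b'\0'))
    # Update sequence array, as NTFS writes it: the last 2 bytes of each 512-byte
    # sector are swapped for the USN and the originals are parked in the USA.
    usn = b'\x37\x00'
    rec[48:50] = usn
    for i in (1, 2):
        rec[48 + 2 * i:50 + 2 * i] = rec[512 * i - 2:512 * i]
        rec[512 * i - 2:512 * i] = usn
    return bytes(rec)

# ---- parser --------------------------------------------------------------------

def apply_fixups(rec):
    """Undo the update sequence array; a USN mismatch means a torn write or garbage."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from('<HH', rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = 512 * i
        if bytes(rec[end - 2:end]) != usn:
            raise ValueError('USN mismatch: torn write or not an MFT record')
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_record(rec):
    """Return (name, $SI times, $FN times); each times tuple is (C, M, MFT-changed, A)."""
    if rec[:4] != b'FILE':
        raise ValueError('not a FILE record')
    rec = apply_fixups(rec)
    off = struct.unpack_from('<H', rec, 20)[0]          # offset of first attribute
    name = si = fn = None
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from('<II', rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:                           # resident attribute
            clen, coff = struct.unpack_from('<IH', rec, off + 16)
            c = rec[off + coff:off + coff + clen]
            if atype == ATTR_SI:
                si = struct.unpack_from('<4Q', c, 0)
            elif atype == ATTR_FN and fn is None:       # an 8.3 twin carries the same times
                fn = struct.unpack_from('<4Q', c, 8)    # after the 8-byte parent reference
                name = c[66:66 + 2 * c[64]].decode('utf-16-le')
        off += alen
    return name, si, fn

def timestomp_indicators(si, fn):
    """Heuristics only. $FN is kernel-maintained and not reachable via SetFileTime,
    so it is the reference point; both checks have known benign causes."""
    hits = []
    for label, ts in zip(('created', 'modified', 'mft-changed', 'accessed'), si):
        if ts % 10_000_000 == 0:
            hits.append(f'$SI {label} has a zero 100 ns fraction (whole-second value)')
    if si[0] < fn[0]:
        hits.append('$SI created precedes $FN created')
    return hits

# Assumed scenario: file created 2017-03-01, edited the next day; the stomped copy
# has all four $SI times set to 2009-01-01 00:00:00 while $FN keeps the originals.
T0 = datetime(2017, 3, 1, 9, 15, 22, tzinfo=timezone.utc)
T1 = datetime(2017, 3, 2, 14, 2, 7, tzinfo=timezone.utc)
born, edited = to_filetime(T0, 4_812_345), to_filetime(T1, 1_234_567)
LEGIT = build_record('report.docx', (born, edited, edited, born), (born,) * 4)
stomp = to_filetime(datetime(2009, 1, 1, tzinfo=timezone.utc))
STOMPED = build_record('report.docx', (stomp,) * 4, (born,) * 4)

if __name__ == '__main__':
    for tag, rec in (('legit', LEGIT), ('stomped', STOMPED)):
        n, si, fn = parse_record(rec)
        print(tag, n, [filetime_to_dt(t).isoformat() for t in si], timestomp_indicators(si, fn))
```

Running it on a real $MFT means reading the file in 1024-byte chunks and feeding each `FILE` record to `parse_record`; non-resident attributes are skipped here because both attributes of interest are always resident. The fixup step is the part most hand-written parsers forget, and without it any attribute straddling a sector boundary parses as garbage.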

