Windows MACB Timestamps (NTFS Forensics)


As a continuation of the “Introduction to Windows Forensics” series by Richard Davis, this video introduces the MACB (modification, access, MFT record change, birth/creation) timestamps associated with files on NTFS volumes. You will first learn the basics of MACB timestamps and the differences between the $STANDARD_INFORMATION and $FILE_NAME attributes; second, you will look at normal timestamp behavior on a Windows 10 system when creating, modifying, copying, and accessing files; next, you will use an anti-forensics tool known as “Timestomp” to modify a file’s MACB (MACE) timestamps; then you’ll use a tool called analyzeMFT to find evidence of timestomping; lastly, you’ll take a look at something interesting Richard recently discovered with regard to how these timestamps behave when using the new Bash on Windows (Windows Subsystem for Linux) feature.
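The detection step described above rests on comparing the two attribute sets: $STANDARD_INFORMATION timestamps can be rewritten from user mode, while $FILE_NAME timestamps are maintained by the kernel. The following Python is an added example, not code from the video or from analyzeMFT; it takes constructed records shaped like the MACB output an MFT parser would give you and applies two common timestomping heuristics: a $SI creation time earlier than the $FN creation time, and $SI timestamps truncated to whole seconds while $FN keeps sub-second precision. Timestamps here use Python microsecond resolution rather than the 100-nanosecond FILETIME units of the real attributes.

```python
"""Heuristic timestomping check: compare $STANDARD_INFORMATION ($SI) and
$FILE_NAME ($FN) MACB timestamps from parsed MFT records.

All records below are constructed for illustration; in practice they would
come from an MFT parser such as analyzeMFT.
"""
from datetime import datetime, timezone


def ts(value):
    """Parse a constructed ISO-8601 UTC string into an aware datetime."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def macb(m, a, c, b):
    """Build one MACB set (Modified, Accessed, MFT Changed, Born)."""
    return {"M": ts(m), "A": ts(a), "C": ts(c), "B": ts(b)}


# Constructed sample records (not real MFT data).
SAMPLE_RECORDS = [
    {   # Normal file: $SI and $FN agree and carry sub-second fractions.
        "name": "notes.txt",
        "si": macb("2023-05-10T14:02:11.183729", "2023-05-10T14:02:11.183729",
                   "2023-05-10T14:02:11.183729", "2023-05-10T14:02:11.183729"),
        "fn": macb("2023-05-10T14:02:11.183729", "2023-05-10T14:02:11.183729",
                   "2023-05-10T14:02:11.183729", "2023-05-10T14:02:11.183729"),
    },
    {   # Timestomped: $SI pushed back to 2015 on whole seconds, but $FN still
        # records the real 2023 creation with a sub-second fraction.
        "name": "evil.exe",
        "si": macb("2015-01-01T00:00:00", "2015-01-01T00:00:00",
                   "2015-01-01T00:00:00", "2015-01-01T00:00:00"),
        "fn": macb("2023-05-10T14:05:42.500111", "2023-05-10T14:05:42.500111",
                   "2023-05-10T14:05:42.500111", "2023-05-10T14:05:42.500111"),
    },
    {   # Copied file: $SI M older than $SI B is normal after a copy, so this
        # record must not be flagged.
        "name": "copied.docx",
        "si": macb("2022-03-01T09:00:00.250000", "2023-05-10T15:00:00.100000",
                   "2023-05-10T15:00:00.100000", "2023-05-10T15:00:00.100000"),
        "fn": macb("2023-05-10T15:00:00.100000", "2023-05-10T15:00:00.100000",
                   "2023-05-10T15:00:00.100000", "2023-05-10T15:00:00.100000"),
    },
]


def timestomp_indicators(record):
    """Return a list of indicator names for one record (empty if none)."""
    si, fn = record["si"], record["fn"]
    indicators = []
    # $FN creation is set by the kernel; a $SI creation that predates it
    # suggests $SI was rewritten from user mode.
    if si["B"] < fn["B"]:
        indicators.append("SI_BORN_BEFORE_FN_BORN")
    # Tools that set times through the user-mode API at second granularity
    # leave every $SI fraction at zero while $FN keeps real fractions.
    if all(t.microsecond == 0 for t in si.values()) and \
            any(t.microsecond != 0 for t in fn.values()):
        indicators.append("SI_SUBSECOND_ZERO")
    return indicators


def scan(records):
    """Map each record name to its indicator list."""
    return {r["name"]: timestomp_indicators(r) for r in records}


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_RECORDS).items():
        print(f"{name:12s} {'clean' if not hits else ', '.join(hits)}")
```

Treat a hit as a lead rather than proof: whole-second timestamps also arise legitimately (files that originated on FAT volumes, some archivers and installers), and a $SI/$FN mismatch can follow a rename or move, which is exactly why the video walks through normal Windows 10 behavior before looking at Timestomp.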
