Home Videos Windows MACB Timestamps (NTFS Forensics)

Windows MACB Timestamps (NTFS Forensics)


As a continuation of the “Introduction to Windows Forensics” series by Richard Davis, this video introduces the concept of MACB (modification, access, MFT record change, birth/creation) timestamps associated with files on NTFS volumes. You will first learn the basics of MACB timestamps and the differences between the $STANDARD_INFORMATION and $FILE_NAME attributes; secondly, you will look at normal timestamp behavior on a Windows 10 system when creating, modifying, copying, and accessing files; next, you will use an anti-forensics tool known as “Timestomp” to modify a file’s MACB (MACE) timestamps; then you’ll use a tool called analyzeMFT to find evidence of timestomping; lastly, you’ll take a look at something interesting Richard recently discovered with regards to how these timestamps work when using the new Bash on Windows (Windows Subsystem for Linux) feature.

Load More Related Articles
Load More In Videos


  1. 3connected

    December 30, 2021 at 10:34 pm


  2. 1washstand

    January 12, 2022 at 11:35 pm


  3. gay black and white men dating https://gaypridee.com/

  4. live video streaming gay chat

    January 14, 2022 at 5:43 pm

    gay sex chat rooms https://gaytgpost.com/

  5. gay/bi dating apps

    January 15, 2022 at 12:45 pm

    minneapolis gay dating https://speedgaydate.com/