Windows Timelines in Minutes

Explore Windows timelines and NTFS forensics in this comprehensive 57-minute conference talk from SecureWV/Hack3rcon 2016. Delve into the intricacies of NTFS file systems, learn to extract and analyze timestamp information, and master the creation of forensic timelines. Discover techniques for building databases, running queries, and visualizing data using LibreOffice Calc. Gain insights into how various file operations affect timestamps, including copying, accessing, modifying, deleting, renaming, and moving files across volumes. Equip yourself with practical skills to enhance your digital forensics capabilities and uncover crucial evidence in Windows-based investigations.

Syllabus

Intro
Windows Timelines in Minutes
What is this talk about?
Why should you care?
5 minute NTFS tutorial (cont.)
Part of the MFT entry for a root directory
More about NTFS Timestamps
Extract timestamp info
MACR retrieveal script overview
Create a database
Build that database
Create the table
Load the table from CSV file
Create & Populate timeline table
Run all the querries you want
Script to print a timeline
Example run of print-timeline.sh
Optional: Import into LibreOffice Calc
Viewing in Calc
Script to print timeline for each file
Example run of print-file-timeline.sh
Understanding Timestamps
Copying a File
Access a File
Modify a File (save contents)
Delete a File
Rename a File
Move a File (same volume)
Move a File (new volume)
Summary