Published on 22nd June 2010 15:49. Number of Views: 41537
    A brief history of time stamps


There are various methods of recording dates and times on computers and computing devices, and as a forensic investigator it is useful to understand the main formats and to have some understanding of why dates are stored the way they are. For those of us who like to delve a little deeper into file formats, some familiarity with how these dates ‘look’ in a hex dump can help when reverse engineering a new file format.

    During this short discourse I will be presenting screenshots taken using software developed by Sanderson Forensics – RevEnge. ...
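As an added example (not code from the article or from Sanderson Forensics' RevEnge), the following Python decodes the three encodings a forensic examiner most often meets in a hex dump: Windows FILETIME (64-bit, 100 ns ticks since 1601-01-01 UTC), 32-bit Unix time (seconds since 1970-01-01 UTC) and the FAT/DOS packed time and date words. The `interpret` function tries every encoding on a run of bytes and keeps only those that land in a plausible year range, which is how one usually spots a timestamp in an unknown format; the sample instant (2010-06-22 15:49:00 UTC) and the year window are my own choices and the function names are assumptions, not the article's.

```python
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)   # Windows FILETIME epoch
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=UTC)   # Unix epoch


def filetime_to_datetime(ticks):
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC, stored as a little-endian 64-bit integer."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (dt must be timezone-aware)."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def unix32_to_datetime(seconds):
    """Unix time: seconds since 1970-01-01 UTC; the 32-bit form is common in older file formats."""
    return EPOCH_1970 + timedelta(seconds=seconds)


def dos_to_datetime(time_word, date_word):
    """FAT/DOS packed time and date: two 16-bit words, local time, 2-second resolution.
    time: hhhhh mmmmmm sssss (seconds / 2); date: yyyyyyy mmmm ddddd (years since 1980).
    Raises ValueError when a bit field is out of range (e.g. hour 27), which the scanner uses as a reject."""
    hour, minute, second = time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F
    return datetime(year, month, day, hour, minute, second)


def interpret(raw, lo_year=1985, hi_year=2040):
    """Try the common encodings on the first 8 bytes and keep those that land in a plausible year
    range. Several may survive: the encodings overlap, so surrounding context still has to decide."""
    raw = bytes(raw[:8]).ljust(8, b"\x00")
    decoders = {
        "filetime_le": lambda: filetime_to_datetime(struct.unpack("<Q", raw)[0]),
        "unix32_le": lambda: unix32_to_datetime(struct.unpack("<I", raw[:4])[0]),
        "unix32_be": lambda: unix32_to_datetime(struct.unpack(">I", raw[:4])[0]),
        "dos_le": lambda: dos_to_datetime(*struct.unpack("<HH", raw[:4])),
    }
    found = {}
    for name, decode in decoders.items():
        try:
            dt = decode()
        except (ValueError, OverflowError):   # impossible field, or a date past year 9999
            continue
        if lo_year <= dt.year <= hi_year:
            found[name] = dt
    return found


def hexdump(raw):
    """Bytes as they appear in a hex editor, e.g. '6c db 20 4c'."""
    return " ".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    # Constructed sample: one instant, 2010-06-22 15:49:00 UTC, as it is laid out in each format
    moment = unix32_to_datetime(1277221740)
    samples = {
        "unix32_le": struct.pack("<I", 1277221740),
        "filetime_le": struct.pack("<Q", datetime_to_filetime(moment)),
        "dos_le": struct.pack("<HH", 0x7E20, 0x3CD6),   # FAT directory order: time word, then date word
    }
    for label, raw in samples.items():
        print(f"{label:12} {hexdump(raw):24} -> {interpret(raw)}")
```

Note that the 4-byte Unix value `6c db 20 4c` also decodes as a big-endian Unix time in the 2020s, while the same bytes read as a FILETIME fall in 1601 and as DOS words contain an impossible hour; the plausibility filter removes the last two but not the first, so a single field rarely identifies itself without neighbouring fields or a known structure.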
Published on 29th April 2010 08:38. Number of Views: 19416
    2. LinkAlyzer
    How do I determine whether a file has been moved from one volume to another

One of the structures found in some link files is the ObjectID. These structures relate to Distributed Link Tracking (see further reading below). Microsoft has, in certain circumstances, chosen to embed data within link files for use by its Distributed Link Tracking Service. This information includes data relating to the original machine on which the target was created (the birth machine) and the current machine. There are four relevant structures:

    • NewVolID
    • NewFileOID
    • BirthVolID
    • BirthFileOID
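To make the comparison concrete, here is an added example (not code from the LinkAlyzer article or from Sanderson Forensics) that parses the TrackerDataBlock in which these four identifiers are stored. Its layout follows the MS-SHLLINK specification: a 0x60-byte block with signature 0xA0000003, a 16-byte NetBIOS machine name, then the current volume/file GUID pair and the birth volume/file GUID pair. The code answers the question in the heading by comparing NewVolID with BirthVolID, and it also decodes the FileOIDs, which are version-1 UUIDs carrying the MAC address and generation time of the machine that issued them. The sample block, its GUIDs and the machine name are constructed for the demonstration, and the function names are mine.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

TRACKER_SIGNATURE = 0xA0000003   # MS-SHLLINK TrackerDataBlock signature
TRACKER_BLOCK_SIZE = 0x60        # fixed size of the block, including its 16-byte header


def _guid(raw16):
    """LNK GUIDs use the Windows layout: first three fields little-endian, the rest as-is."""
    return str(uuid.UUID(bytes_le=raw16))


def parse_tracker_block(block):
    """Split a TrackerDataBlock into the machine name and the four identifiers named in the article."""
    size, sig, length, version = struct.unpack_from("<IIII", block, 0)
    if (size, sig, length, version) != (TRACKER_BLOCK_SIZE, TRACKER_SIGNATURE, 0x58, 0):
        raise ValueError("not a TrackerDataBlock")
    machine = block[16:32].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {
        "MachineID": machine,
        "NewVolID": _guid(block[32:48]),      # Droid: current volume
        "NewFileOID": _guid(block[48:64]),    # Droid: current file ObjectID
        "BirthVolID": _guid(block[64:80]),    # DroidBirth: volume the target was created on
        "BirthFileOID": _guid(block[80:96]),  # DroidBirth: ObjectID assigned at creation
    }


def find_tracker_block(lnk_bytes):
    """Locate the block inside a whole .lnk by its size+signature pair; returns the slice or None."""
    marker = struct.pack("<II", TRACKER_BLOCK_SIZE, TRACKER_SIGNATURE)
    pos = lnk_bytes.find(marker)
    if pos < 0 or pos + TRACKER_BLOCK_SIZE > len(lnk_bytes):
        return None
    return lnk_bytes[pos:pos + TRACKER_BLOCK_SIZE]


def moved_between_volumes(info):
    """A differing volume pair means the target no longer lives on the volume it was born on."""
    return info["NewVolID"] != info["BirthVolID"]


def decode_object_id(guid_text):
    """ObjectIDs issued by the link tracking service are version-1 UUIDs: the node field is the
    MAC address of the issuing machine and the time field counts 100 ns ticks since 1582-10-15."""
    u = uuid.UUID(guid_text)
    if u.version != 1:
        return None
    mac = ":".join(f"{(u.node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    generated = datetime(1582, 10, 15, tzinfo=timezone.utc) + timedelta(microseconds=u.time // 10)
    return {"mac": mac, "generated": generated}


def build_tracker_block(machine_id, new_vol, new_file, birth_vol, birth_file):
    """Assemble a block from text GUIDs; used here only to construct sample input."""
    header = struct.pack("<IIII", TRACKER_BLOCK_SIZE, TRACKER_SIGNATURE, 0x58, 0)
    name = machine_id.encode("ascii").ljust(16, b"\x00")
    droids = b"".join(uuid.UUID(g).bytes_le for g in (new_vol, new_file, birth_vol, birth_file))
    return header + name + droids


# Constructed sample values (not taken from any real system)
SAMPLE_NEW_VOL = "0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9"
SAMPLE_NEW_FILE = "7ba7b810-9dad-11d1-80b4-001122334455"    # version-1 UUID, node 00:11:22:33:44:55
SAMPLE_BIRTH_VOL = "f9e8d7c6-b5a4-9382-7160-5f4e3d2c1b0a"
SAMPLE_BIRTH_FILE = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"  # version-1 UUID, node 00:c0:4f:d4:30:c8
SAMPLE_BLOCK = build_tracker_block("WORKSTATION1", SAMPLE_NEW_VOL, SAMPLE_NEW_FILE,
                                   SAMPLE_BIRTH_VOL, SAMPLE_BIRTH_FILE)
# Zero padding stands in for the rest of a .lnk file around the block
SAMPLE_LNK = b"\x00" * 24 + SAMPLE_BLOCK + b"\x00" * 4

if __name__ == "__main__":
    info = parse_tracker_block(find_tracker_block(SAMPLE_LNK))
    for key, value in info.items():
        print(f"{key:13} {value}")
    print("moved between volumes:", moved_between_volumes(info))
    print("birth machine NIC:", decode_object_id(info["BirthFileOID"]))
```

The volume comparison is the only test the block itself supports; a changed FileOID with an unchanged volume is what you see after a copy on the same volume, and a birth MAC that differs from the current machine's NIC is the usual hint that the target originated elsewhere, so read the four fields together rather than one at a time.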