SANS Digital Forensics and Incident Response Blog: Tag - Filesystem Metadata

Digital Forensic SIFT'ing: Registry and Filesystem Timeline Creation

by Rob Lee

Over the years, being able to examine filesystem timeline data has truly been a breakthrough for many investigations. We started using this technique when we were working on cases in the AFOSI very early on, when I wrote a script that would create a basic timeline called based off of the original Coroner's Toolkit. To my surprise, this key forensic capability that is found in the TCT tools, sleuthkit, and others has not been picked up on by the major forensic vendors as a capability in their toolsets such as EnCase and FTK.

Today's post will discuss how to create a Windows operating system timeline of both filesystem and registry data using the SIFT Digital Forensics Workstation.

What is computer