SANS Digital Forensics and Incident Response Blog: Tag - unallocated

Timestamped Registry & NTFS Artifacts from Unallocated Space

Frequently, while following up a Windows investigation, I will add certain filenames or other string values to my case wordlist and subsequently find these strings embedded in binary data of one type or another in unallocated space. Close examination of the surrounding data structures has shown that these are often old MFT entries, INDX structures, or registry keys or values. What makes these structures very interesting from a forensic perspective is that all of them but registry values incorporate Windows timestamps. (All timestamps referenced in this article are 64-bit Windows FILETIME values.) Even registry values often follow closely after their parent keys in the registry, which do have associated timestamps. Once I'd noticed these key facts, it occurred to me that it would be useful to use the timestamp values to work backward to other associated data, and hence the genesis of this


FAT Directory Entry repair

This is the third installment in a series of posts about FAT file systems. We're using the usbkey.img file that's given to students of SANS Sec. 508. The image has been altered by the suspect. Our goal is to return it to its unaltered state.

In the second post, we gathered some information about the files on the image and using a hex editor took a look at the two metadata structures for FAT file systems, the FAT Directory Entry and the