Making Filename Attribute Timeline

Honestly, Timeline function of EnCase is impractical. So when I wanna make a timeline, I always use Timeline Report EnScript written by Geoff Black. This EnScript is very nice! I modified it to add NTFS Filename (FN) Attribute timestamps to timeline. Checking FN Attribute timestamps prevents malwares from concealing from timeline analysis by changing Standard Information (SI) Attribute timestamps like Metasploit Timestomp.

If you wanna enable the extended function, check "Check FNA Timestamps?" box.

The EnScript outputs FNA timestamps only when output format is HTML because I don't use other ouput options ;-)


You can differentiate Filename Attribute timestamps in the timeline from "Full Path" and cell color.  "Full Path" includes "[FN]" string and cell color is green if the entry is FNA timestamps.
I recommend narrowing down target files since it takes a certain amount of time.

轉自 CCI

0 意見: