File System & Disk Forensics

CRITICAL NTFS FORENSIC ARTIFACTS ══════════════════════════════════════════════════════ $MFT (Master File Table) → Every file and directory record → Timestamps: Created, Modified, Accessed, MFT Changed → Attribute list, file size, data runs $LogFile → Transaction log; file system changes $UsnJrnl → Change journal; every file operation (CRUD) $RECYCLE.BIN → Deleted files info (original path, deletion time) Prefetch (C:\Windows\Prefetch) → .pf files; records application execution history → File access timestamps, executable path Windows Registry → NTUSER.DAT → User-specific settings, recently opened files → SYSTEM hive → System configuration, timezone, USB history → SOFTWARE hive → Installed programs, autorun entries → SAM hive → Local user accounts and password hashes → SECURITY hive → Audit policies, cached credentials Event Logs (C:\Windows\System32\winevt\Logs) → Security.evtx → Logons (4624), logon failures (4625) → System.evtx → System events, service changes → Application → Application errors and events ══════════════════════════════════════════════════════

FILE SIGNATURE EXAMPLES (Magic Bytes) ────────────────────────────────────────── JPEG: FF D8 FF E0 (starts) | FF D9 (ends) PDF: 25 50 44 46 (%PDF) PNG: 89 50 4E 47 ZIP: 50 4B 03 04 EXE: 4D 5A (MZ) Tool: Foremost, Scalpel, PhotoRec (file carving) Autopsy, FTK, X-Ways (commercial suites)