def get_content() -> list[dict[str, str]]:
    """Return the reference sections on NTFS metadata, journaling, and anti-forensics artifacts.

    Each section is a ``{"title": str, "content": str}`` dict whose ``content``
    is a Markdown-style bullet list wrapped in a leading and trailing newline.
    The material is static; every call builds a fresh, equal list.
    """

    def _bullets(lines: list[str]) -> str:
        # Reproduce the original block layout: newline, one "- " item per line, newline.
        return "\n" + "\n".join(f"- {line}" for line in lines) + "\n"

    sections: list[tuple[str, list[str]]] = [
        (
            "NTFS Metadata and Attributes",
            [
                "MFT Attributes: Tracks MAC timestamps, $File_Name, $Data (resident or non-resident).",
                "$LogFile and $UsnJrnl: Log file changes and deletions.",
            ],
        ),
        (
            "Timeline Analysis",
            [
                "$SI and $FN timestamps: Can indicate timestomping or anti-forensic techniques.",
                "Exiftool: Verifies discrepancies in timestamps and metadata.",
            ],
        ),
        (
            "Advanced Analysis Tools",
            [
                "LogfileParser: Extracts NTFS transactional logs.",
                "Mftecmd: Parses MFT entries and supports Volume Shadow Copies.",
                "Icat: Extracts data streams like Zone.Identifier for ADS.",
            ],
        ),
        (
            "Deleted File Evidence",
            [
                "MFT metadata persists even after deletion.",
                "$INDEX_ROOT and $INDEX_ALLOCATION track directory changes.",
            ],
        ),
    ]

    return [{"title": title, "content": _bullets(items)} for title, items in sections]