A comprehensive deep dive into the most critical forensic artifacts in modern Windows environments, designed for intermediate-to-expert DFIR professionals.

Correlating NTFS $LogFile and $UsnJrnl: A DFIR Practitioner’s Guide to Transactional Analysis
Advanced correlation methodology for fusing NTFS $LogFile and $UsnJrnl artifacts to create transaction-level proof of filesystem activity and defeat anti-forensics techniques.

KAPE, Explained: History, Installation, Real-World Usage, and DFIR Impact
A definitive, field-ready guide to KAPE (Kroll Artifact Parser and Extractor)—covering origins, setup, Targets/Modules, automations, and case-driven workflows.

Mastering the MFT: A Deep Dive into Forensic Analysis with MFTECmd
A comprehensive guide to using Eric Zimmerman’s MFTECmd for advanced NTFS Master File Table analysis in digital forensics and incident response investigations.

A Deep Dive into Windows File System Forensics
A comprehensive guide to Windows NTFS disk-level artifacts: locations, structure, forensic meaning, tools, anti-forensics, and correlation workflows.