NTFS Triforce or anti anti forensics, David Cowen & Matt Seyer

20 Mar 2013

It still amazes me that after all this time there is still more to learn about NTFS. Over the past year or so David has been working on a tool that exploits the $LOGFILE and $USNJRNL on NTFS. These can provide us with a significant amount of historical information on file system activity, including identifying file movements and changes. In this presentation David also demonstrated the triforce tool; the amount of information it recovers is quite astounding. This is something that will change the way you do forensics forever, whether you are doing malware, intrusion or LE investigations.

For more info check out his blog: https://www.hecfblog.com