Hi,
I am doing academic research and trying to complete an article about
digital forensics on NTFS!
I want to make some points clear in my mind.
*1)* Is it possible to determine the file creation order from the NTFS "Change
Journal" or something else?
(Not depending on the files' ordinary NTFS creation dates)
Example / Explanation: What if we need to prove that a file was created AFTER
what the NTFS creation time data says? For example, the target disk is mounted in
another computer in which the system time has been set back, and a file is created.
We need to prove (or even find some clue) that this file was created
subsequently, by examining the NTFS structure and the other files' dates.
*2)* When low-level scanning disks, recovery programs find some FAT16 or
FAT32 file structures. Does NTFS keep directories like the FAT file systems do? I
mean: can we still find partial file tables on the disk even if the MBR is
formatted (or damaged, etc.)?
** (Note: What is the structure of a, for example, 2-partition disk's
MBR, MFT, boot sector, etc.?) Do these points help with the 1st question?
Are there any experts or resources on these questions, or can you redirect me,
please?
Thanks already!
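The first question (ordering file creations without trusting the file timestamps) as an added example, not part of the original post: the $UsnJrnl:$J stream is append-only and each record's USN is its byte offset in the stream, so journal order survives a system clock that was set back even though the timestamps do not. The record layout assumed is the documented USN_RECORD_V2 structure; the three records and their names, timestamps and file reference numbers are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2: 60-byte fixed header followed by a UTF-16LE file name, 8-byte aligned.
_HDR = struct.Struct("<IHHQQqqIIIIHH")
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch, 100 ns units
USN_REASON_FILE_CREATE = 0x00000100

def build_record(frn, usn, when, reason, name):
    """Build one constructed journal record (demonstration data, not a real dump)."""
    fname = name.encode("utf-16-le")
    td = when - _EPOCH
    filetime = (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10
    length = (_HDR.size + len(fname) + 7) & ~7
    hdr = _HDR.pack(length, 2, 0, frn, 5, usn, filetime, reason, 0, 0, 0x20, len(fname), _HDR.size)
    return hdr + fname + bytes(length - _HDR.size - len(fname))

def parse_journal(blob):
    """Walk concatenated USN_RECORD_V2 entries and return them as dicts."""
    off, out = 0, []
    while off + _HDR.size <= len(blob):
        (length, major, _, frn, _, usn, ft, reason, _, _, _, nlen, noff) = _HDR.unpack_from(blob, off)
        if length == 0 or major != 2:
            break
        out.append({"usn": usn, "frn": frn, "reason": reason,
                    "name": blob[off + noff: off + noff + nlen].decode("utf-16-le"),
                    "time": _EPOCH + timedelta(microseconds=ft // 10)})
        off += length
    return out

def creation_order(records):
    """Creation order by USN (the record's byte offset in $J), independent of any clock."""
    return [r["name"] for r in sorted(records, key=lambda r: r["usn"])
            if r["reason"] & USN_REASON_FILE_CREATE]

def clock_rollback_suspects(records):
    """Names whose timestamp is earlier than that of a record preceding them in the journal."""
    latest, suspects = _EPOCH, []
    for r in sorted(records, key=lambda r: r["usn"]):
        if r["time"] < latest:
            suspects.append(r["name"])
        latest = max(latest, r["time"])
    return suspects

def sample_journal():
    # Three constructed create records; the last one was appended with the clock set back.
    t0 = datetime(2023, 5, 1, 10, 0, tzinfo=timezone.utc)
    entries = [(0x31, t0, "report.docx"), (0x32, t0 + timedelta(minutes=5), "notes.txt"),
               (0x33, t0 - timedelta(days=30), "planted.pdf")]
    blob = b""
    for frn, when, name in entries:
        blob += build_record(frn, len(blob), when, USN_REASON_FILE_CREATE, name)   # USN = offset
    return blob
```

On a real volume $J is a circular buffer whose oldest records are discarded, so this only orders the creations still present in the journal. Corroborate with the $STANDARD_INFORMATION versus $FILE_NAME timestamps in the MFT record and with $LogFile sequence numbers where they survive.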