I have posted MSSQL forensics (4) - LOB data structure and this is last article of the serires.
I have posted MSSQL forensics (3) - Slot Array & Deleted Record, which covers how to identify deleted records.
I have posted MSSQL forensics (2) - Record Structure, which covers structure of records in data page.
I have posted MSSQL forensics (1) - MDF fundamentals, which covers mdf file structures & page header.
Thanks to EvtxECmd, now we get better handling of deleted event log records. The detail is here.
I have posted NTFS Timestamps, which is the results about timestamps on Windows NTFS.