NSRLJP_201905 has been released. Added Windows 10(1803, 1809, 1903) and 2019.

Thanks to EvtxECmd, now we get better handling of deleted event log records. The detail is here.

I have posted NTFS Timestamps, which is the results about timestamps on Windows NTFS.

WinFE based on WinPE for Windows 10 (English) is available.

OSDFCon 2018 slides are now available. I talked about "A Combination of Advanced Carver and Intelligent Parser" and bulk_extractor-rec03 has been released.

I posted about Carving utmp records for intrusion analysis using utmp scanner of bulk_extractor-rec

Analysis Tool for USN Journal/Change Journal, USN Analytics has been released.

bulk_extractor-rec02 has been released.

To carve out in NTFS internal records and Unix utmp records, Bulk Extractor with Record Carving has been released.

A structure of PolAdtEv key has changed since Windows 10(1607)/2016.