NSRLJP_202104 has been released. Added Windows 10 (1909, 2004, 20H2), 2019 (update 2019-03), and Google Chrome.
MSSQL Forensics Series (4)
I have posted MSSQL forensics (4) - LOB data structure, and this is the last article of the series.
MSSQL Forensics Series (3)
I have posted MSSQL forensics (3) - Slot Array & Deleted Record, which covers how to identify deleted records.
MSSQL Forensics Series (2)
I have posted MSSQL forensics (2) - Record Structure, which covers the structure of records in a data page.
MSSQL Forensics Series (1)
I have posted MSSQL forensics (1) - MDF fundamentals, which covers MDF file structures and the page header.
NSRLJP_201905 has been released. Added Windows 10 (1803, 1809, 1903) and 2019.
Parsing carved evtx records using EvtxECmd
Thanks to EvtxECmd, we now get better handling of deleted event log records. The details are here.
I have posted NTFS Timestamps, which presents the results about timestamps on Windows NTFS.