In this article, I am going to talk about the basic forensic time analysis procedure:
- Identify the partition in an image using the mmls <filename> command. Don’t forget to make a note of the start sector of the partition.
- Identify the type of filesystem it has using the fsstat -o <start sector> <filename> command.
- List all the files, including deleted files, by name using this command: fls -o <offset> -f <filesystem> -m "/" -r <filename> > flsbody
- What if the deleted file does not have a name? Use this command: ils -o <offset> -f <filesystem> -m <filename> > ilsbody
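
The steps above can be run for every partition in one pass. The script below is an added example, not part of the original article: the function names and the per-partition output names (flsbody.<start>, ilsbody.<start>) are assumptions, as is the idea that the lower-cased type label printed by fsstat is a name that -f accepts. Pass the image path as the first argument.

```shell
#!/bin/sh
# Added example: the four steps above, run for every partition in an image.
# Requires The Sleuth Kit (mmls, fsstat, fls, ils) to process a real image.

# Constructed sample of mmls output, used only to exercise the parser offline.
sample_mmls() {
cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0001048575   0000841728   Linux (0x83)
EOF
}

# Step 1: read mmls output on stdin, print the start sector of each partition.
# Meta and unallocated rows have a non-numeric slot column and are skipped.
partition_starts() {
    awk '$1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]/ {
        s = $3; sub(/^0+/, "", s); print (s == "" ? "0" : s) }'
}

# Step 2: read fsstat output on stdin, print the type in lower case.
# Assumption: the lower-cased label is a name that -f accepts (ntfs, ext4, fat16).
fs_type() {
    awk -F': *' '/^File System Type:/ { print tolower($2); exit }'
}

# Steps 3 and 4: write one fls and one ils body file per partition.
build_bodies() {
    image=$1
    mmls "$image" | partition_starts | while read -r start; do
        fstype=$(fsstat -o "$start" "$image" 2>/dev/null | fs_type)
        if [ -z "$fstype" ]; then
            echo "sector $start: no filesystem recognised, skipped" >&2
            continue
        fi
        fls -o "$start" -f "$fstype" -m "/" -r "$image" > "flsbody.$start"
        ils -o "$start" -f "$fstype" -m "$image" > "ilsbody.$start"
    done
}

if [ "$#" -gt 0 ]; then build_bodies "$1"; fi
```

Partitions on which fsstat finds no filesystem are reported on stderr and skipped, so the set of body files also records which start sectors were actually examined.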