Accession Number:

AD1003976

Title:

Generating Computer Forensic Super Timelines under Linux: A Comprehensive Guide for Windows-based Disk Images

Descriptive Note:

Technical Report

Corporate Author:

Defence Research and Defence Canada - Valcartier Quebec, Quebec

Personal Author(s):

Report Date:

2011-10-01

Pagination or Media Count:

132.0

Abstract:

This technical memorandum examines the basics surrounding computer forensic filesystem timelines and provides an enhanced approach to generating superior timelines for improved filesystem analysis and contextual awareness. Timelines are improved by polling multiple sources of information across the filesystem, resulting in an approach that is surprisingly flexible and customizable. The timeline is further enhanced by incorporating key time-based metadata found across a disk image which, when taken as a whole, increases the forensic investigator's understanding.

Subject Categories:

Distribution Statement:

APPROVED FOR PUBLIC RELEASE