Windows Timeline Question (Plaso)

(@dfirjoseph)

Hi Everyone,

Looking for some advice. I have a Windows machine and I can see the drive being formatted with NTFS on a specific date (creation of file system artefacts), verified by the creation date of the $MFT itself.

The issue is, when I perform timeline analysis, I can see thousands of entries with dates preceding this, all with their own entries in the MFT. I know these could have been copied from another volume, but they look like installation actions.

My working theory is that the system was built on the date of the MFT creation, but some of these files were copied from somewhere during the installation process, maybe from a USB when it was being installed.

Wondering if this sounds likely to anyone, thanks.

 
Posted : 17/08/2023 5:49 pm
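One way to triage the anomaly described in the post is to compare each MFT record's two creation timestamps ($STANDARD_INFORMATION and $FILE_NAME) against the $MFT creation time, since $FILE_NAME timestamps are written by the NTFS driver rather than by user-mode timestamp APIs. This is an added example, not code from the post or from Plaso; the MftRecord fields, the classify/triage helpers and the sample records (with their paths and dates) are constructed for illustration and would normally be filled from a parsed $MFT.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class MftRecord:
    entry: int            # MFT record number
    path: str
    si_created: datetime  # $STANDARD_INFORMATION creation time
    fn_created: datetime  # $FILE_NAME creation time

def ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC (assumption: input already in UTC)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def classify(rec: MftRecord, volume_created: datetime) -> str:
    """Compare a record's two creation timestamps with the volume's $MFT creation."""
    si_before = rec.si_created < volume_created
    fn_before = rec.fn_created < volume_created
    if not si_before and not fn_before:
        return "consistent"          # both stamps fall within the volume's lifetime
    if si_before and not fn_before:
        # $SI carried in (copy/extract with preserved times, or edited) while
        # $FN usually still reflects when the record was made on this volume
        return "si_predates_volume"
    # both attributes earlier than the $MFT: timestamp preservation alone does
    # not explain it; check the system clock history and the $MFT stamps themselves
    return "both_predate_volume"

def triage(records, volume_created):
    """Bucket record paths by how their creation stamps relate to volume creation."""
    buckets = {"consistent": [], "si_predates_volume": [], "both_predate_volume": []}
    for rec in records:
        buckets[classify(rec, volume_created)].append(rec.path)
    return buckets

# Constructed sample data (not from the post): $MFT created on 2023-06-01
VOLUME_CREATED = ts("2023-06-01T10:00:00")
SAMPLE = [
    MftRecord(0, "$MFT", VOLUME_CREATED, VOLUME_CREATED),
    MftRecord(2048, r"Windows\System32\example.dll",
              ts("2022-05-07T03:12:00"), ts("2023-06-01T10:20:00")),
    MftRecord(9000, r"Users\joe\report.docx",
              ts("2023-06-20T09:00:00"), ts("2023-06-20T09:00:00")),
    MftRecord(9500, r"Users\joe\old.txt",
              ts("2021-01-01T00:00:00"), ts("2021-01-01T00:00:00")),
]

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE, VOLUME_CREATED).items():
        print(f"{bucket}: {paths}")
```

Records in the "si_predates_volume" bucket are the ones whose pre-installation dates can be explained by a copy or extraction that preserved source timestamps; the remaining bucket deserves a closer look.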