log2timeline Since 2009 - SANS
SANS 2011 Digital Forensics and Incident Response Summit

Other methods

Sequential MFT entry number allocation
NTFS hands out MFT entry numbers roughly in order, so creation times should rise with the entry number
Malware often hides inside Windows\System32
Patches update several files at once
Malware introduces only a few changes

What l2t_process does to detect manipulations
The $MFT module adds a note to entries it considers suspicious
The -i (include) option keeps suspicious entries even when they fall outside the requested date range
It maps the relationship between MFT entry number and creation time
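The check the slide describes, sorting $MFT records by entry number and looking for creation times that fall out of sequence, as an added example in Python. This is not log2timeline or l2t_process code: it assumes records already carry the MFT entry number and the $STANDARD_INFORMATION creation time (the timestamp that SetFileTime can rewrite), uses a constructed sample of 20 consecutive entries with one hypothetical timestomped file and one hypothetical three-file patch, and treats a run of several out-of-sequence entries as a patch batch while a lone one is reported as suspicious. The `filter_timeline` function mimics a date-range filter with an "include suspicious entries" switch.

```python
"""Out-of-sequence MFT creation times (added example, not log2timeline code).

Assumption: NTFS hands out MFT entry numbers roughly in order, so when the
records are sorted by entry number their $STANDARD_INFORMATION creation
times should also rise roughly monotonically. An entry whose creation time
is far *earlier* than its neighbours' was most likely timestomped (the $SI
timestamps are the ones SetFileTime can rewrite). Entries that are *newer*
than their neighbours are normal: a deleted entry gets reused.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median_low

SUSPICIOUS = "suspicious: isolated out-of-sequence creation time"
BATCH = "probable batch (patch or install wrote several files at once)"


@dataclass(frozen=True)
class MftRecord:
    entry: int          # MFT entry number
    created: datetime   # $STANDARD_INFORMATION creation time
    path: str


def build_sample():
    """Constructed sample data: 20 consecutive entries written on 2011-05-10,
    one file timestomped to 2008 and three files carrying an older build time."""
    base = datetime(2011, 5, 10, 9, 0)
    recs = []
    for i in range(20):
        n = 30000 + i
        created = base + timedelta(minutes=i)
        path = f"C:\\Users\\bob\\Documents\\report{i}.docx"
        if n == 30005:  # hypothetical malware dropped into System32 and timestomped
            created, path = datetime(2008, 4, 14, 12, 0), "C:\\Windows\\System32\\svchosts.dll"
        elif n in (30008, 30009, 30010):  # hypothetical patch: several files at once
            created, path = datetime(2010, 11, 2, 3, 15), f"C:\\Windows\\System32\\kb_update_{n}.dll"
        recs.append(MftRecord(n, created, path))
    return recs


def find_out_of_sequence(records, window=5, tolerance=timedelta(days=30)):
    """Return records whose creation time is more than `tolerance` earlier
    than the median creation time of the `window` entries on either side."""
    ordered = sorted(records, key=lambda r: r.entry)
    flagged = []
    for i, rec in enumerate(ordered):
        neighbours = ordered[max(0, i - window):i] + ordered[i + 1:i + 1 + window]
        if not neighbours:
            continue
        # median_low returns an actual element, so it works on datetimes and
        # is not dragged down by a couple of timestomped neighbours.
        reference = median_low(r.created for r in neighbours)
        if rec.created < reference - tolerance:
            flagged.append(rec)
    return flagged


def classify(flagged, batch_size=3):
    """Group flagged records by adjacent entry number. A run of `batch_size`
    or more is what a patch looks like; a lone entry is what malware looks like."""
    groups = []
    for rec in sorted(flagged, key=lambda r: r.entry):
        if groups and rec.entry == groups[-1][-1].entry + 1:
            groups[-1].append(rec)
        else:
            groups.append([rec])
    labels = {}
    for group in groups:
        label = BATCH if len(group) >= batch_size else SUSPICIOUS
        for rec in group:
            labels[rec.path] = label
    return labels


def filter_timeline(records, start, end, include_flagged=True):
    """Mimic a date-range filter with an 'include suspicious entries' switch:
    keep records created within [start, end], plus flagged ones outside it."""
    flagged = {r.entry for r in find_out_of_sequence(records)} if include_flagged else set()
    return [r for r in records if start <= r.created <= end or r.entry in flagged]


if __name__ == "__main__":
    sample = build_sample()
    for path, label in classify(find_out_of_sequence(sample)).items():
        print(f"{label}: {path}")
```

Two caveats a practitioner should keep in mind: the window and tolerance are tuning knobs, and a patch that touches files scattered across the MFT will not form an adjacent run, so the batch heuristic only reduces noise rather than proving anything. Entry reuse after deletion produces the opposite pattern (a newer time among older neighbours) and is deliberately not flagged.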