List of articles from 2018-09-01 (one month)
Note: I translated Japanese into English using Google Translate. Thank you, Google. My question is: can I find timestamp changes using the USN Journal? Let's try it. Enable the USN Journal on volume E:. Copy the sample JPEG file to the E: drive, us…
Note: I translated Japanese into English using Google Translate. Thank you, Google. Let's create a record labeled (realloc). Create an Example folder and create several files in the folder. In the following, a long file name is set to create In…
Note: I translated Japanese into English using Google Translate. Thank you, Google. FireEye has released a report on APT10's TTPs. I was interested in the method using the ESENTUTL tool. https://www.fireeye.com/blog/threat-research/2018/09/apt1…
Note: I translated Japanese into English using Google Translate. Thank you, Google. Let's check NTFS $ObjID:$O and the deleted ObjectID. There are image files on the sample E: drive, but these files do not have an ObjectID. Browse the image f…
Note: I translated Japanese into English using Google Translate. Thank you, Google. Check the record in $LogFile when setting an ObjectID. The E: drive used for verification is newly formatted with NTFS. Copy the sample JPEG file to the E: drive. Thi…