| 1 | +# 02 — Filesystem Analysis |
| 2 | + |
| 3 | +## Partition & Volume Identification |
| 4 | +- Identify partition table type. |
| 5 | +- Locate active, hidden, or suspicious partitions. |
| 6 | + |
| 7 | +## Filesystem Triage Logic |
| 8 | +- NTFS: MFT, $LogFile, $UsnJrnl |
| 9 | +- FAT: directory entries & allocation tables |
| 10 | +- EXT: inodes, journals, block groups |
| 11 | +- APFS: snapshots, containers, volumes |
| 12 | + |
| 13 | +## Metadata Interpretation |
| 14 | +- Extract filename, inode, timestamps. |
| 15 | +- Understand MACB timestamp semantics. |
| 16 | +- Detect timestamp anomalies or manipulation. |
| 17 | + |
| 18 | +## Deleted-File Reasoning Model |
| 19 | +- Check allocation status. |
| 20 | +- Examine metadata remnants. |
| 21 | +- Cross-check with logs and timeline. |
| 22 | + |
| 23 | +## File-Carving Decision Tree |
| 24 | +- Identify magic headers/footers. |
| 25 | +- Rebuild fragmented objects when possible. |
| 26 | +- Assess carving reliability per file type. |
| 27 | + |
| 28 | +## Anti-Forensics Indicators |
| 29 | +- Timestamp clusters that defy system patterns. |
| 30 | +- Excessive zeroed regions. |
| 31 | +- Unexpected format or partition changes. |
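Review bot: the NTFS line (`+- NTFS: MFT, $LogFile, $UsnJrnl`) names two artifacts by their on-disk `$` names but the third as plain `MFT`; for consistency write `$MFT`. The MACB bullet (`+- Understand MACB timestamp semantics.`) is the only place the acronym appears and should expand it (Modified, Accessed, Changed, Born) and note that the "C" is inode change time on EXT but MFT-entry modification time on NTFS, since that per-filesystem difference is what the following "Detect timestamp anomalies or manipulation" bullet depends on. Likewise, the `EXT` entry would read more precisely as ext2/3/4, as journals exist only from ext3 onward.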