The following scenario demonstrates a potentially confusing situation you might face as an investigator. Knowing extensively the NFTS internals will help you to reach at valid conclusions.
Assume that you have located a deleted...
The following scenario demonstrates a potentially confusing situation you might face as an investigator. Knowing extensively the NFTS internals will help you to reach at valid conclusions.
Assume that you have located a deleted...
Assume you use a forensic software that has recovered file system metadata of a deleted jpeg file from a FAT32 formatted volume with a cluster size of 2.048 bytes. The forensic software displays that the recovered file has starting cluster...
To save readers' precious time I would like to emphasize the fact that that this guide applies in raids containing an NTFS formatted volume.
Firstly, keep in mind that this guide serves as a proof of concept, hopefully it will prove...
Below you will find questions that test your knowledge on this subject. I wrote them while I read material mainly from books in file systems and Windows Forensics.
The questions are not meant to be exhaustive and they might even...
Since March 2012, I have worked as a Digital Forensics Examiner, handling a wide range of investigations, including:
In May 2026, all backend libraries are updated, and the site moved to python3.14 rutime.
In March 2026, all backend and client libraries are updated, and the site moved to python3.14 rutime, minor changes to code occurred mainly for...
© 2012 - 2026 Armen Arsakian updated atThursday 28 May 2026Contact: contact at arsakian.com