Everyday Cyber

Digital Forensics & Anti-Forensics Explained: NTFS Artifacts, ADS, File Carving & Timestomping | Ep. 7

🧠 Episode 7 – Everyday Cyber Podcast
In this episode, host Alex Reid explores the battlefield between digital forensics and anti-forensics — revealing how investigators extract hidden truths from NTFS volumes, and how attackers attempt to cover their tracks.

From Alternate Data Streams (ADS) and Volume Shadow Copies, to timestomping and file wiping, this episode dives into the structures and techniques that define modern forensic investigations — and the countermeasures used to evade them.

🔍 What You'll Learn in This Episode:

  • Key forensic artifacts in NTFS: $MFT, $I30, $LogFile, $UsnJrnl

  • How Alternate Data Streams (ADS) are used to hide data

  • Timestomping, file wiping, and registry key deletion as anti-forensics

  • Tools like MFTECmd, Bulk Extractor, PhotoRec, and vss_carver.py

  • How forensic analysts perform file carving, super timelines, and triage collection

  • The role of Zone.Identifier ADS, VSS, and SDelete in investigations

  • Techniques attackers use to stay hidden in plain sight — and how to find them

Whether you're learning digital forensics or defending against sophisticated attackers, this episode gives you a detailed breakdown of how investigations work at the file system level.
