MBR

Invoke-IR / ForensicPosters

0

Cheats

Topic Focus
Digital Forensics
Source
Invoke-IR

https://github.com/Invoke-IR/ForensicPosters

 

  • Invoke-IR/ForensicPosters GPT;
  • Invoke-IR/ForensicPosters $UsnJrnl_$J;
  • Invoke-IR/ForensicPosters Registry_NamedKey;
  • Invoke-IR/ForensicPosters $UsnJrnl_$Max;
  • Invoke-IR/ForensicPosters Registry_Header;
  • Invoke-IR/ForensicPosters 0_MFT;
  • Invoke-IR/ForensicPosters Prefetch101;
  • Invoke-IR/ForensicPosters 0x10_$STANDARD_INFORMATION;
  • Invoke-IR/ForensicPosters 7_$Boot(VBR);
  • Invoke-IR/ForensicPosters 4_$AttrDef;
  • Invoke-IR/ForensicPosters 0x20_$ATTRIBUTE_LIST;
  • Invoke-IR/ForensicPosters 0xXX_NonResident;
  • Invoke-IR/ForensicPosters 0x30_$FILE_NAME;
  • Invoke-IR/ForensicPosters _MBR;
  • Invoke-IR/ForensicPosters 0x60_$VOLUME_NAME;
  • Invoke-IR/ForensicPosters 0xA0_$INDEX_ALLOCATION;
  • Invoke-IR/ForensicPosters 0x70_$VOLUME_INFORMATION;
  • The Windows PowerShell Logging Cheat Sheet;
  • Invoke-IR/ForensicPosters 0x80_$DATA;
  • Invoke-IR/ForensicPosters 0x90_$INDEX_ROOT;

 

Photos

DA
FNA
VIA
0x70-$VOLUME_INFORMATION
0x90-$INDEX_ROOT
Prefetch101
wrs
IRA
0x10-$STANDARD_INFORMATION
0x30-$FILE_NAME
0xA0-$INDEX_ALLOCATION (1)
wrnk
wrs
$UsnJrnl$J
MasterBootRecord
$Boot-NTFSVolumeBootRecord
iai
AD
NonResident
vbr
$MFT
VNA
usnds
0x80-$DATA
0xA0-$INDEX_ALLOCATION (2)
SIA
sj
WRV
$UsnJrnl$Max
0x20_$ATTRIBUTE_LIST
wrh
WRV
ALI
GuidPartitionTable
0x60-$VOLUME_NAME
NRA
usn
sj
GUID
MFT