This is a simple VHDX file with some files that have been named according to what was done with them. For text and Word files, make sure you read the contents of the file so you see what I did to them and can attribute that activity to MFTECmd output that's included.
Also, as a hint, some files have been deleted through various means. The filenames will give away what was done to those files.
For more on KAPE, check out my guide on AboutDFIR here.
For more on Timeline Explorer, check out my guide on AboutDFIR here.
For more on MFT Explorer/MFTECmd check out my guide on AboutDFIR here.
If there are any issues or suggestions for improvement, please create an Issue or do a Pull Request with updates of your own.
| Date | Version | Description | Link |
|---|---|---|---|
| 2020-12-23 | 1.0 | Initial release | Link |
| 2021-01-01 | 1.1 | Added reformatted/wiped versions of v1.0 VHDX with KAPE Output, Recovered Files, etc | Link |
| Filename | SHA1 | MD5 |
|---|---|---|
| Anti-Forensics Disk Image.vhdx | 25ZNIOHNVH357KN3ZTJ4KPGPSUU3PL3L | 400B7FBB6B7B0707F84BC600A6AE0A23 |
Hashes by Hasher