MBR

Invoke-IR / ForensicPosters

Cheats

Topic Focus: Digital Forensics
Source: Invoke-IR

https://github.com/Invoke-IR/ForensicPosters

 

  • Invoke-IR/ForensicPosters GPT;
  • Invoke-IR/ForensicPosters $UsnJrnl_$J;
  • Invoke-IR/ForensicPosters Registry_NamedKey;
  • Invoke-IR/ForensicPosters $UsnJrnl_$Max;
  • Invoke-IR/ForensicPosters Registry_Header;
  • Invoke-IR/ForensicPosters 0_MFT;
  • Invoke-IR/ForensicPosters Prefetch101;
  • Invoke-IR/ForensicPosters 0x10_$STANDARD_INFORMATION;
  • Invoke-IR/ForensicPosters 7_$Boot(VBR);
  • Invoke-IR/ForensicPosters 4_$AttrDef;
  • Invoke-IR/ForensicPosters 0x20_$ATTRIBUTE_LIST;
  • Invoke-IR/ForensicPosters 0xXX_NonResident;
  • Invoke-IR/ForensicPosters 0x30_$FILE_NAME;
  • Invoke-IR/ForensicPosters _MBR;
  • Invoke-IR/ForensicPosters 0x60_$VOLUME_NAME;
  • Invoke-IR/ForensicPosters 0xA0_$INDEX_ALLOCATION;
  • Invoke-IR/ForensicPosters 0x70_$VOLUME_INFORMATION;
  • The Windows PowerShell Logging Cheat Sheet;
  • Invoke-IR/ForensicPosters 0x80_$DATA;
  • Invoke-IR/ForensicPosters 0x90_$INDEX_ROOT;

 
