Cases
Anti-forensic scenarios with ground-truth specifications, dependent artifact lists, and linked IoI rules. Contributions welcome — see the contribution guide.
Selective Browser History Removal
✓ Validated: Selective removal of visited sites from Chrome History (SQLite), detected via IndexedDB cache presence and USN journal modification indicators.
Volume Shadow Copy Complete Deletion
✓ Validated: All volume shadow copies deleted; VSS infrastructure files persist in the MFT but GUID snapshot directories are absent; UsnJrnl confirms deletion activity.
Security Event Log Clearance and Repopulation
✓ Validated: Security.evtx cleared and repopulated; Event 1102 and USN DataTruncation timestamps reveal the ordering contradiction between log clearance and subsequent repopulation.
Timestamp Forging via Timestomper (LNK Corroboration)
✓ Validated: Filesystem timestamps forged via timestomper.exe; LNK shortcut metadata retains the original creation time, diverging from the forged $SI timestamp.
Office Metadata Timestamp Contradiction
✓ Validated: Filesystem timestamps forged via timestomper.exe; embedded Office core.xml metadata disagrees with the forged MFT $SI timestamp in a cross-graph filePath join.