Drop a disk image or MFT CSV with event logs. Cross-correlate timestamps with NTP sync events, TLS certificate timestamps and email Received headers to establish how accurate the system clock actually was and to detect deliberate clock manipulation. Runs locally.
clock reference artifacts
drop evtx csv · tls · email · mft · pcap
NTP event 35/37 · cert exports · Received headers