CEIC 2013 and the public beta of the NTFS TriForce

Greetings Reader!

Thanks to all of you who came in person to my presentation at CEIC this morning. We had a mountain of information to show you and you kept up! We had a standing-room-only session and lots of great questions were asked. I'm going to try Google Drive for all my hosting of session materials this time; I hope it works well!

We had a lot of fun today. We walked attendees through data structures, four labs showing how to use the TriForce to solve four different forensic scenarios, and how to use libvshadow in Windows to expose shadow copies that you can extract the $MFT, $Logfile and $USNJRNL::$J from!

I'll be posting blog entries in the next two weeks giving walkthroughs of each of the labs and more fun data for everyone to try out our new tool on.

Lastly, it's time for the public beta of the TriForce. Please click on the link below to download it and get updated on new versions that we will be releasing as we get closer to a defined product.

Here is the link to the public beta signup:


Here is a link to download the Windows-compiled version of libvshadow:


  1. David,

    Thanks for sharing all this invaluable information, much appreciated!

    I was also wondering if you could advise me on the exception I'm getting while running TriForce against a $LogFile. The message says:
    The 'second' parameter ("-1") to DateTime::new did not pass the 'an integer between 0 and 61' callback.

    The debug log contained the following line "Unknown IEA Structure 60832". Any ideas?

  2. Hi Bartosz! Interesting, any way you can send us the $logfile or an excerpt? Looks like our parser has found something unexpected!