Within the CHFI v11 syllabus, under Operating System Forensics and Image/Evidence Examination and Event Correlation, timeline reconstruction is a core forensic technique used to understand what happened, when it happened, and in what order. When analyzing NTFS file systems, investigators rely heavily on MAC times (Modified, Accessed, and Created timestamps) to establish file activity.
The Sleuth Kit tools fls and mactime are specifically designed for this purpose. The fls tool extracts file and directory metadata from a forensic image (with `-m` it emits the pipe-delimited "body file" format), while mactime processes this metadata to generate a chronological timeline of file system events. This timeline typically includes file creation time, last modification time, and last access time, allowing investigators to correlate file activity with known incident times, user actions, or attacker behavior.
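To make the fls/mactime step concrete, here is an added example (not code from The Sleuth Kit) that parses a few constructed body-file lines in the format `fls -m` produces and rebuilds the sorted, per-timestamp timeline that `mactime -b` would print, including mactime's `macb` flag column (m=modified, a=accessed, c=metadata changed, b=born/created) with `.` for timestamps that did not change at that instant. File names, inode numbers and epoch values are invented for illustration.

```python
"""Rebuild a mactime-style timeline from a TSK body file.
Body format: MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed body-file lines in the shape `fls -r -m / image.dd` emits (not real evidence).
BODY = """\
0|/Users/alice/report.docx|1234-128-1|r/rrwxrwxrwx|0|0|20480|1700000300|1700000200|1700000200|1700000100
0|/Users/alice/notes.txt|1235-128-1|r/rrwxrwxrwx|0|0|512|1700000200|1700000200|1700000200|1700000200
0|/Windows/Temp/tool.exe|2000-128-1|r/rrwxrwxrwx|0|0|65536|1700000500|1700000400|1700000450|1700000400
"""

def parse_body(text):
    """Parse body-file lines into dicts; blank and '#' comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError(f"malformed body line: {line!r}")
        entries.append({
            "name": f[1], "inode": f[2], "mode": f[3], "uid": f[4], "gid": f[5],
            "size": int(f[6]),
            "times": {"a": int(f[7]), "m": int(f[8]), "c": int(f[9]), "b": int(f[10])},
        })
    return entries

def build_timeline(entries):
    """Return (epoch, macb_flags, size, name) rows, one per distinct timestamp per file,
    sorted chronologically the way mactime orders its output."""
    rows = []
    for e in entries:
        by_time = defaultdict(set)
        for kind, ts in e["times"].items():
            if ts > 0:  # mactime ignores zero (unset) timestamps
                by_time[ts].add(kind)
        for ts, kinds in by_time.items():
            flags = "".join(k if k in kinds else "." for k in "macb")
            rows.append((ts, flags, e["size"], e["name"]))
    rows.sort(key=lambda r: (r[0], r[3]))
    return rows

def format_row(row):
    """Render one row roughly like a mactime line: UTC date, size, macb flags, name."""
    ts, flags, size, name = row
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{when} {size:>8} {flags} {name}"

if __name__ == "__main__":
    for r in build_timeline(parse_body(BODY)):
        print(format_row(r))
```

Reading the output top to bottom shows why the timeline matters: a file whose creation ("b") precedes its modification is ordinary, whereas an executable born in a temp directory shortly before an incident window is the kind of row an investigator correlates against logs and user activity.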
Option B describes low-level file system analysis, which is useful in other contexts but is not the primary focus of mactime. Option C relates to system-level operational timelines rather than file activity. Option D focuses on Windows event logs, which are valuable for corroboration but are separate from NTFS file system timestamp analysis.
The CHFI v11 Exam Blueprint explicitly highlights file system timeline creation and analysis using The Sleuth Kit, emphasizing MAC timestamps as the foundational data used to reconstruct sequences of events during digital investigations.