Tools to help examine NTFS for unauthorized activity.
The Forensic ToolKit contains several Win32 command line tools that can help you examine the files on an NTFS disk partition for unauthorized activity. We built these tools to help us do our job; we hope they can help you as well.
Command Line Switches
afind [dir] /f [filename] /ns=no subdirectories /a after /b before /m between
time format =
hfind [dir] /hd=find files with the hidden or system attribute /ns=no subdirectories
sfind [dir] /ns=no subdirectories
Requirements
Windows NT 4.0 SP3
Audit log enabled with searchable records
Set the NT command prompt's screen buffer to 500 or more lines; 1200 or more lines works well.
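The checks the three tools perform (afind: last-access time within a window; hfind: hidden or system attribute; sfind: alternate data streams) can be approximated with built-in PowerShell cmdlets on an NTFS volume. The script below is an added example, not part of the Forensic ToolKit; the starting directory and the one-day default window are assumptions.

```powershell
# Added example (not Forensic ToolKit code): approximate afind / hfind / sfind
# with PowerShell on an NTFS directory tree. Defaults below are assumptions.
param(
    [string]$Path = 'C:\Windows\Temp',          # assumed starting directory
    [datetime]$After = (Get-Date).AddDays(-1),   # assumed window start (afind /a)
    [datetime]$Before = (Get-Date),              # assumed window end (afind /b)
    [switch]$NoSubs                              # like /ns: do not descend into subdirectories
)

# -Force includes files carrying the Hidden and System attributes.
$files = Get-ChildItem -LiteralPath $Path -File -Force -Recurse:(-not $NoSubs) `
    -ErrorAction SilentlyContinue

# afind /m: files whose last-access time falls between -After and -Before.
$accessed = $files | Where-Object {
    $_.LastAccessTime -ge $After -and $_.LastAccessTime -le $Before
}

# hfind /hd: files carrying the Hidden or System attribute.
$hiddenMask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$hidden = $files | Where-Object { ($_.Attributes -band $hiddenMask) -ne 0 }

# sfind: files carrying any alternate data stream besides the default $DATA stream.
$streams = foreach ($f in $files) {
    Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

Write-Output "--- accessed between $After and $Before ---"
$accessed | Select-Object FullName, LastAccessTime
Write-Output '--- hidden or system attribute ---'
$hidden | Select-Object FullName, Attributes
Write-Output '--- alternate data streams ---'
$streams
```

Last-access timestamps are only meaningful if the volume still updates them; many NTFS volumes have last-access updates disabled, in which case the afind-style window will miss activity and the attribute and stream checks remain the reliable ones.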