Tier 2Deep dive · 30–60 min · 40 methods

Advanced PC Checking

Beyond surface artifacts. Tier 2 introduces NTFS-level reconstruction of file lifecycles, multi-source execution correlation, automated event-log threat hunting, and unified timeline analysis in Timeline Explorer. Each technique strengthens the case by stacking independent evidence sources.

Tier 2 Tool Downloads

Deep File System Analysis

Deep Execution Correlation

Timeline & Event Analysis

User Activity Deep Dive

Process & Memory

Persistence & Evasion

External Devices

Java & Scripts

Hash & Binary Triage

Full Timeline Reconstruction

The Golden Rule — Tier 2

The timeline doesn't lie. Every action leaves traces in multiple places. Cross-reference EVERYTHING. If it happened, the evidence is there — you just have to find it.

Tier 1 · Foundation

Tier 3 · Elite forensic

Advanced PC Checking

Tier 2 Tool Downloads

Eric Zimmerman Tools (T2 Focus)

Hayabusa (Yamato Security)

INDXRipper

Deep File System Analysis

$MFT Analysis

$UsnJrnl:$J Deep Parsing

$LogFile Analysis

$INDX / $i30 Folder Residue Checks

Timestamp Stomping Detection ($SI vs $FN)

Deleted File Recovery Checks

ADS & MOTW (Zone.Identifier) Checks

File Replacement Detection

Deep Execution Correlation

AmCache Deep Execution Correlation

UserAssist + ShimCache + AmCache Correlation

RecentFileCache Analysis

SRUM / SRUDB.dat Analysis

Timeline & Event Analysis

Hayabusa Event Timeline Review

Timeline Explorer Correlation

Deep Event ID Review

User Activity Deep Dive

ActivitiesCache.db Analysis

ShellBags with Timestamp Correlation

JumpList & LNK Metadata Comparison

Browser Download → Execution Timeline

Registry OpenSavePidlMRU

Windows.db Search Index

Process & Memory

Process Hollowing & Reflective DLL Injection

Suspicious Loaded Module Review

PowerShell Memory String Analysis

Kernel Live Dump Analysis

Persistence & Evasion

Regsvr32 / Rundll32 Abuse

COM Hijack Artifacts

WMI Persistence

Task Scheduler XML & StartupInfo XML

Service Deep Dive (Thread Suspension, Restart, Termination)

External Devices

FAT32 / exFAT USB & External Drive Investigation

Volume Shadow Copy Comparison

Java & Scripts

Java Execution & Loader Traces

Script Execution Artifact Correlation

Hash & Binary Triage

VirusTotal Hash Correlation

Suspicious Unsigned Binary Triage

Full Timeline Reconstruction

Full Timeline Reconstruction Across Artifacts