Open dkovar opened 7 years ago
M - modified, B - birth, A - accessed:
If M < B then likely file copy Detected at B If M and B < A == volume file move
M - modified, B - birth, A - accessed:
If M < B then likely file copy Detected at B If M and B < A == volume file move