Thanks to EvtxECmd, we now get better handling of deleted event log records. The details are here.
I have posted NTFS Timestamps, which presents results about timestamps on Windows NTFS.
I posted about Carving utmp records for intrusion analysis using utmp scanner of bulk_extractor-rec.
To carve out NTFS internal records and Unix utmp records, Bulk Extractor with Record Carving has been released.