[sleuthkit-users] Missing deleted files when viewing a FAT32 partition
From: Adam P. U. <uc...@ac...> - 2003-07-27 21:36:55
Hey All,

I was taking a look at a FAT32 partition the other day under both Autopsy/Sleuthkit (v.latest) and EnCase (v.3.22) and I noticed something a bit strange. It looked like EnCase was showing a number of (deleted and overwritten) files that were not showing up in Autopsy.

Unfortunately, I didn't have much time to investigate, but the one thing that I noticed in the time that I had was that the MAC times as shown by EnCase appeared to be NULL. I haven't had a chance to look at the Autopsy/Sleuthkit code, but is it possible that 'wiped' MAC times could cause a file not to show up in Autopsy?

Sorry for the sketchy information... if I can free up some more time I'll see what else I can dig up.

Thoughts???

(Thanks for all your efforts Brian!)

Cheers!
-Adam