Re: [sleuthkit-users] Missing deleted files when viewing a FAT32 partition
From: Brian C. <ca...@sl...> - 2003-07-28 05:58:41
On 27 Jul 2003 18:02 PDT you wrote:

> I was taking a look at a FAT32 partition the other day under both
> Autopsy/Sleuthkit (v.latest) and EnCase (v.3.22) and I noticed something
> a bit strange. It looked like EnCase was showing a number of (deleted
> and overwritten) files that were not showing up in Autopsy.
> Unfortunately, I didn't have much time to investigate, but the one thing
> that I noticed in the time that I had was that the MAC times as shown by
> EnCase appeared to be NULL. I haven't had a chance to look at the
> Autopsy/Sleuthkit code, but is it possible that 'wiped' MAC times could
> cause a file not to show up in Autopsy?

Indeed they can. The current logic for FAT partitions is that the write time must have a non-zero time. That is because it is the only field that is required by spec to be updated. Since the others are optional in the spec, The Sleuth Kit does not require them to be non-zero. I guess I could change that though. The next version will have it removed.

Do you know how files existed though with no times? If wiping tools were used, then I would also expect them to wipe the file name and other useful information too.

brian
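As an added example (not part of the original thread, and not The Sleuth Kit's own code), the following Python parses FAT32 short (8.3) directory entries and shows how a "write time must be non-zero" rule like the one Brian describes hides a deleted entry whose timestamps have been zeroed, while the same entry is listed once the rule is dropped. The three directory entries are constructed inline; the function names and the exact form of the check (skip when both DIR_WrtDate and DIR_WrtTime are zero) are my assumptions about the behaviour described, not a reading of the real code.

```python
"""FAT32 short directory entries and the write-time display filter.

Constructed example: the entries below are built inline, not taken from a
real image. The filter rule is a reconstruction of the behaviour described
in the thread, not The Sleuth Kit's actual code.
"""
import struct
from datetime import datetime

DIRENT_FMT = "<11s3B7HI"      # 32-byte short entry, little-endian, no padding
DIRENT_SIZE = struct.calcsize(DIRENT_FMT)
ATTR_LONG_NAME = 0x0F          # VFAT long-name piece, not a file entry
DELETED_MARK = 0xE5            # first name byte of a deleted entry


def dos_date(year, month, day):
    """FAT date: 7-bit year since 1980, 4-bit month, 5-bit day."""
    return ((year - 1980) << 9) | (month << 5) | day


def dos_time(hour, minute, second):
    """FAT time: 5-bit hour, 6-bit minute, 5-bit seconds/2."""
    return (hour << 11) | (minute << 5) | (second // 2)


def decode_dos_datetime(date, time):
    """Return a datetime, or None for an invalid on-disk value.

    A zeroed date has month 0 and day 0, which FAT does not allow, so a wiped
    timestamp decodes to None rather than to a misleading 1980-01-01.
    """
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None


def build_dirent(name, ext, attr, created, accessed_date, written, cluster,
                 size, deleted=False):
    """Pack one entry. created/written are (date, time) in FAT encoding;
    (0, 0) models a field that was never set or was wiped."""
    short = name.ljust(8)[:8].encode("ascii") + ext.ljust(3)[:3].encode("ascii")
    if deleted:
        short = bytes([DELETED_MARK]) + short[1:]   # 0xE5 destroys the first char
    return struct.pack(DIRENT_FMT, short, attr, 0, 0,
                       created[1], created[0], accessed_date, cluster >> 16,
                       written[1], written[0], cluster & 0xFFFF, size)


def parse_dirent(raw):
    """Decode one entry; None for an unused slot or a long-name piece."""
    (short, attr, _ntres, _tenth, crt_time, crt_date, acc_date,
     clus_hi, wrt_time, wrt_date, clus_lo, size) = struct.unpack(DIRENT_FMT, raw)
    first = short[0]
    if first == 0x00 or attr == ATTR_LONG_NAME:
        return None
    deleted = first == DELETED_MARK
    # The first character of a deleted name is unrecoverable from the entry.
    base = ("_" if deleted else chr(first)) + short[1:8].decode("ascii").rstrip()
    ext = short[8:11].decode("ascii").rstrip()
    return {
        "name": base + ("." + ext if ext else ""),
        "deleted": deleted,
        "attr": attr,
        "cluster": (clus_hi << 16) | clus_lo,
        "size": size,
        "created": decode_dos_datetime(crt_date, crt_time),
        "accessed": decode_dos_datetime(acc_date, 0),
        "written": decode_dos_datetime(wrt_date, wrt_time),
        "wrt_raw": (wrt_date, wrt_time),
    }


def list_entries(directory, require_write_time=True):
    """Return the entries a viewer would display for a raw directory.

    With require_write_time=True, an entry whose write date and time are both
    zero is suppressed (my model of the rule described in the thread). With
    False, every allocated and deleted entry is shown regardless of times.
    """
    shown = []
    for off in range(0, len(directory), DIRENT_SIZE):
        entry = parse_dirent(directory[off:off + DIRENT_SIZE])
        if entry is None:
            continue
        if require_write_time and entry["wrt_raw"] == (0, 0):
            continue
        shown.append(entry)
    return shown


# Constructed sample directory: a deleted file with intact times, a deleted
# file with all times zeroed, an allocated file, then an unused (0x00) slot.
WRITTEN = (dos_date(2003, 7, 27), dos_time(18, 2, 0))
SAMPLE_DIR = b"".join([
    build_dirent("REPORT", "TXT", 0x20, WRITTEN, WRITTEN[0], WRITTEN, 0x1234, 4096, deleted=True),
    build_dirent("NOTES", "DOC", 0x20, (0, 0), 0, (0, 0), 0, 0, deleted=True),
    build_dirent("README", "TXT", 0x20, WRITTEN, WRITTEN[0], WRITTEN, 0x1240, 512),
    bytes(DIRENT_SIZE),
])

if __name__ == "__main__":
    for strict in (True, False):
        print("require_write_time =", strict)
        for e in list_entries(SAMPLE_DIR, require_write_time=strict):
            print("  ", "deleted" if e["deleted"] else "alloc  ", e["name"], e["written"])
```

Running it lists two entries under the strict rule and three without it: the zeroed NOTES.DOC entry is exactly the kind of record that would be visible in one tool and absent in another, with its name, cluster and size still intact even though every timestamp decodes to None.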