[sleuthkit-users] Detect overwritten files in FAT32
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-users] Detect overwritten files in FAT32
|
From: Andreas E. <and...@ne...> - 2014-04-29 12:48:55
|
Hello, I have been trying to detect files that have been overwritten in a FAT32 image by looking at the properties on TSK_FS_META. I tried to get a hint by opening the image in Autopsy but it seems that the GUI only displays them as "Deleted" and there is no way of detecting if a file has been overwritten. If I open the same image in EnCase it correctly shows the files as "Is Overwritten". Is there any other flag or value I can look at in order to detect if a file has been deleted and overwritten? Regards Andreas Eriksson Andreas Eriksson Project Manager R&D [NetClean] NetClean Technologies Sweden AB F?rsta L?nggatan 30 - SE-413 27 G?teborg - Sweden Phone: +46 31 719 08 00 - Fax: +46 31 13 89 50 Direct: +46 31 719 08 16 - Mobile: +46 739 07 41 79 and...@ne... <mailto:and...@ne...>www.netclean.com<http://www.netclean.com> The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. |
