Posted: Fri Jun 18, 2010 8:28 am Author: erowe Location: Canada
In the bottom left of the status bar there is an icon with a red underline coming up on the right (sort of like a one-sided arrow lying down).
The file displays in folder A, but when it is clicked on the path displays to folder C which further analysis confirms is where the file actually resides.
EnCase shows all signature analysis as a match. What does the first entry in folder A represent? Is it a link file, some other form of link? Or what else? I can't find info on this in the manual...
Posted: Fri Jun 18, 2010 10:18 am Author: kiashi Location: London, UK
erowe,
This could be when a file has been moved, i.e. it originally resided in folder A but has since been moved to folder C. Is this a FAT file system? If so, then the directory entry holds the filename and its starting cluster; even if the file has been deleted, the information may still be there (e5h as first byte of entry). EnCase resolves the information and has obviously found that both the file in Folder A and the one in Folder C have the same starting cluster. So quite possibly they are the same file.
EnCase clarifies this for you by showing you the Folder C path when you click on the file in Folder A as this is the physical location pointed to by the directory entry in Folder A but it currently belongs to a live file in Folder C and no longer to the file in Folder A.
I hope that explanation isn't too confusing... Friday afternoon here.
Posted: Fri Jun 18, 2010 11:58 am Author: JonN Location: Bristol, UK
Is it an overwritten file? Look in the Description column.
If it is, then the information in the status bar is showing you which file overwrote the file you currently have selected in the table pane, which itself should have a sort of circled arrow icon (if that makes any sense).
You should be able to find more information on the icons on the EnCase board, or in the manual (although the manuals tend to be black and white).
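An added example, not part of the original posts and not EnCase's own logic: it parses raw FAT short directory entries and reports deleted entries (first byte E5h) whose starting cluster is now held by a live entry in another folder, the situation kiashi and JonN describe above. The directory bytes, file names and cluster numbers are constructed sample data, and `make_entry`, `parse_directory` and `find_reused_clusters` are hypothetical helper names.

```python
import struct

ENTRY_SIZE = 32
DELETED = 0xE5      # first name byte of a deleted entry
END_OF_DIR = 0x00   # first name byte of a never-used entry
ATTR_LFN = 0x0F     # long-file-name entry, carries no starting cluster

def make_entry(name83, cluster, size, deleted=False):
    """Build one constructed 32-byte short-name entry (sample data only)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:11] = name83.encode("ascii").ljust(11)
    if deleted:
        raw[0] = DELETED
    struct.pack_into("<H", raw, 20, cluster >> 16)     # high word (FAT32)
    struct.pack_into("<H", raw, 26, cluster & 0xFFFF)  # low word
    struct.pack_into("<I", raw, 28, size)
    return bytes(raw)

def parse_directory(data):
    """Yield (name, deleted, start_cluster) for each short-name entry."""
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = data[off:off + ENTRY_SIZE]
        if e[0] == END_OF_DIR:
            break
        if e[11] & 0x3F == ATTR_LFN:
            continue
        deleted = e[0] == DELETED
        # The first character of a deleted name is lost; show it as "?".
        name = ("?" if deleted else chr(e[0])) + e[1:11].decode("ascii", "replace")
        hi, = struct.unpack_from("<H", e, 20)
        lo, = struct.unpack_from("<H", e, 26)
        yield name[:8].rstrip() + "." + name[8:].rstrip(), deleted, (hi << 16) | lo

def find_reused_clusters(dirs):
    """Map each deleted entry to the live file now owning its start cluster."""
    live = {}
    for folder, data in dirs.items():
        for name, deleted, cluster in parse_directory(data):
            if not deleted and cluster >= 2:   # clusters 0 and 1 are reserved
                live[cluster] = f"{folder}/{name}"
    return [(f"{folder}/{name}", cluster, live[cluster])
            for folder, data in dirs.items()
            for name, deleted, cluster in parse_directory(data)
            if deleted and cluster in live]

# Constructed sample: REPORT.DOC deleted from folder A, live in folder C.
SAMPLE = {
    "A": make_entry("REPORT  DOC", 0x1234, 4096, deleted=True) + make_entry("NOTES   TXT", 0x0050, 120),
    "C": make_entry("REPORT  DOC", 0x1234, 4096),
}
```

A match on starting cluster alone does not prove the two entries are the same file; comparing sizes, timestamps and content is still needed to tell a moved file from one whose clusters were reallocated to unrelated data.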