±Your Account
Membership:
New Today: 2
New Yesterday: 5
Overall: 24168
Visitors: 43±Latest Webinar
±Latest Articles
· Geo-tagging & Photo Tracking On iOS
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
· Windows 8: Important Considerations for Computer Forensics and Electronic Discovery
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
· Windows 8: Important Considerations for Computer Forensics and Electronic Discovery
±Follow Us
±Latest Jobs
Back to top
Skip to content
Skip to menu
Back to top
Back to main
Skip to menu
What you are seeing is a MFT record of a deleted file where the MFT record has not be overwritten but the file has. EnCase (in fact, no program of which I am aware), can display the contents of a file that has been overwritten. What EnCase is showing you is that the file pointer still exists though the file does not.
If you look at the very bottom of the EnCase Window (what they call the Navigation data or GPS), what is displayed is the path to actual file that now occupies the blocks occupied by the deleted file.
Encase naming confusing for overwritten and overwriting file
Encase naming confusing for overwritten and overwriting file
Posted: Fri Aug 14, 2009 6:10 am
As you know, Encase uses the symbol 'red x' and says that these files are deleted overwritten files. So, you tend to think that the file with the icon red " x" was overwritten, but Encase shows the overwriting file, not the overwritten one. So, it sounds confusing, does not it?
Do you know why Encase calls a file overwritten while it actually shows the overwriting one? It actually shows you something different from what it says it does.
If it shows me an overwriting file, it should call it the overwriting file, not the overwritten file.
I know that some forensic examiners and newbies may be deceived by this. Would it not be better, if it called the area -rather than the file- overwritten and show the current file as overwriting?
Do you know why Encase calls a file overwritten while it actually shows the overwriting one? It actually shows you something different from what it says it does.
If it shows me an overwriting file, it should call it the overwriting file, not the overwritten file.
I know that some forensic examiners and newbies may be deceived by this. Would it not be better, if it called the area -rather than the file- overwritten and show the current file as overwriting?
-
yunus - Senior Member
Re: Encase naming confusing for overwritten and overwriting file
Posted: Fri Aug 14, 2009 6:49 am
- yunusDo you know why Encase calls a file overwritten while it actually shows the overwriting one? It actually shows you something different from what it says it does.
What you are seeing is a MFT record of a deleted file where the MFT record has not be overwritten but the file has. EnCase (in fact, no program of which I am aware), can display the contents of a file that has been overwritten. What EnCase is showing you is that the file pointer still exists though the file does not.
If you look at the very bottom of the EnCase Window (what they call the Navigation data or GPS), what is displayed is the path to actual file that now occupies the blocks occupied by the deleted file.
-
seanmcl - Senior Member