Encase folder Recovery V/s Winhex data carving

(@vishu)
Posts: 4
New Member
Topic starter
 

Dear All,

I am currently working on a case where I have been assigned a task to recover the deleted file from the suspect machine. The main focus is on deleted Lotus Notes files and other office documents (Word, Excel etc).
I initially used Winhex for data carving but got very few carved items. But while I used Encase I found surprisingly a huge bunch of data after performing Folder Recovery.
As per my understanding, both the Data carving operation of Winhex and the Recover Folder feature of Encase scan unallocated clusters for the recovery process.
My question is: if both scan Unallocated Clusters for recovery, then why is there a difference in count?

 
Posted : 29/10/2012 10:49 pm
(@armresl)
Posts: 1011
Noble Member
 

It would be pretty incredible if you could get 2 software tools to come up with the same number of carved files. Seemingly like if you acquire and scan a drive with FTK or Encase, in the index you see program one found 1,123,456 files and software two you find 1,4,256,768 files.

It's pretty common to hear someone say use 2-3 anti virus programs on an image to test that nothing was there. One reports 10 "incidents" the other reports none.

 
Posted : 30/10/2012 3:27 am
(@mscotgrove)
Posts: 938
Prominent Member
 

Encase and Winhex are both just tools that try and find results. All tools work differently and the user must try and establish how each one works.

For instance, some data carving tools work on header and trailer, some on just header. My approach is just header, but then sometimes analyse data in the middle. Each one will produce different results.

Understand the tools, and you will understand your results.

 
Posted : 30/10/2012 1:28 pm
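
The header-only versus header-and-trailer difference mentioned in the last reply, as an added example that is not part of the original thread and is not how Encase or Winhex are implemented. It runs both strategies over one constructed buffer; the JPEG signature is used only because its header and trailer are well known, and the function names and the `MAX_SIZE` cap are assumptions made for the illustration.

```python
# Two carving strategies over the same constructed "unallocated" buffer.
JPEG_HEADER = b"\xff\xd8\xff"   # JPEG start-of-image marker plus next marker byte
JPEG_FOOTER = b"\xff\xd9"       # JPEG end-of-image marker
MAX_SIZE = 64                   # assumed carve size cap, kept tiny for the demo


def find_all(data, needle):
    """Return every offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def carve_header_only(data):
    """Carve from each header up to the next header or MAX_SIZE bytes."""
    starts = find_all(data, JPEG_HEADER)
    carved = []
    for i, start in enumerate(starts):
        limit = starts[i + 1] if i + 1 < len(starts) else len(data)
        carved.append((start, min(limit, start + MAX_SIZE)))
    return carved


def carve_header_footer(data):
    """Carve only when a footer follows the header inside the same window."""
    starts = find_all(data, JPEG_HEADER)
    carved = []
    for i, start in enumerate(starts):
        limit = starts[i + 1] if i + 1 < len(starts) else len(data)
        limit = min(limit, start + MAX_SIZE)
        end = data.find(JPEG_FOOTER, start + len(JPEG_HEADER), limit)
        if end != -1:
            carved.append((start, end + len(JPEG_FOOTER)))
    return carved


def build_sample():
    """Constructed data: one intact file, one with its tail overwritten, one cut off."""
    intact = JPEG_HEADER + b"\xe0" + b"A" * 20 + JPEG_FOOTER
    overwritten = JPEG_HEADER + b"\xe0" + b"B" * 10 + b"\x00" * 30  # footer lost
    cut_off = JPEG_HEADER + b"\xe0" + b"C" * 8                      # buffer ends here
    return b"\x00" * 16 + intact + b"\x00" * 16 + overwritten + cut_off


if __name__ == "__main__":
    sample = build_sample()
    print("header only:  ", carve_header_only(sample))
    print("header+footer:", carve_header_footer(sample))
```

On the same input the header-only pass reports three items, two of them fragments, while the header-and-trailer pass reports only the one intact file.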