
Search found 57 matches

Re: OSFMount v Arsenal Image Mounter v FTK Imager

Posted: Mar 08, 19 17:39

I tried the latest beta with an E01 image of a physical drive. I mounted it as a physical drive in read-only mode (all other settings left as default).

The result was an emulated physical drive that ...
JimC
Topic: OSFMount v Arsenal Image Mounter v FTK Imager
Replies: 23
Views: 8474
 

Re: EXIF timestamp vs Created timestamp question

Posted: Feb 25, 19 23:16

Maybe the file has been copied or downloaded from iCloud?

In this case the file system timestamps may not match the EXIF fields.

Was the photo taken on that specific phone or another device?

...
JimC
Topic: EXIF timestamp vs Created timestamp question
Replies: 4
Views: 763
 

Re: Encase 7 Index Buffer Reader script **RECOVERED ENTRY***

Posted: Jan 30, 19 00:33

I tried another experiment to get to the bottom of this once and for all. This time I used XWF to manually edit the 3 different sets of time stamps to each have a unique value (changed the year in eac ...
JimC
Topic: Encase 7 Index Buffer Reader script **RECOVERED ENTRY***
Replies: 17
Views: 3473
 

Re: Encase 7 Index Buffer Reader script **RECOVERED ENTRY***

Posted: Jan 30, 19 00:04

I got the following comment from a member of the NTFS development team on why there are timestamps in both $SI and $FN. This may be useful (paragraphs added by me to improve readability):

"I can ...
JimC
Topic: Encase 7 Index Buffer Reader script **RECOVERED ENTRY***
Replies: 17
Views: 3473
 

Re: Encase 7 Index Buffer Reader script **RECOVERED ENTRY***

Posted: Jan 29, 19 23:52

@thefuf - I am sorry, you are correct. My picture (6) was incorrect.

The $FN timestamps in the INDX are different to the $FN timestamps in the $MFT. I will repeat my experiments.

Jim

...
JimC
Topic: Encase 7 Index Buffer Reader script **RECOVERED ENTRY***
Replies: 17
Views: 3473
 

Re: Encase 7 Index Buffer Reader script **RECOVERED ENTRY***

Posted: Jan 29, 19 23:34

@thefuf - My impression has always been that the $FN timestamps (in $MFT) were redundant and were not reported by the standard Windows API or applications. I set up a quick experiment to verify what y ...
JimC
Topic: Encase 7 Index Buffer Reader script **RECOVERED ENTRY***
Replies: 17
Views: 3473
 

Re: Encase 7 Index Buffer Reader script **RECOVERED ENTRY***

Posted: Jan 29, 19 21:00

@thefuf - I think you may have read more into my post than I intended. All I said was that the (current) directory tree can be determined just from the $MFT alone. The indexes are redundant informatio ...
JimC
Topic: Encase 7 Index Buffer Reader script **RECOVERED ENTRY***
Replies: 17
Views: 3473
 