EnCase: Recycle Bin $I file Deleted Timestamp

 
  

ckwongkennyw
Newbie
 

EnCase: Recycle Bin $I file Deleted Timestamp

Post Posted: Oct 05, 19 03:11

Hi all,
Would like to ask if the deleted timestamp in the $I file is in UTC/GMT? Does that mean that when using the Windows Date/Time option to decode, I need to apply the timezone offset to the decoded time in order to arrive at the correct local time?
Thank you.  
 
  

deeFIR
Member
 

Re: EnCase: Recycle Bin $I file Deleted Timestamp

Post Posted: Oct 05, 19 04:54

Deleted date/time is in UTC.  
 
  

ckwongkennyw
Newbie
 

Re: EnCase: Recycle Bin $I file Deleted Timestamp

Post Posted: Oct 05, 19 14:27

When I view the result of the Evidence Processor, the deleted time is the timestamp of the file (decoded by Windows Date/Time) -11 hours. But I suppose it should be the timestamp of the file -6 hours if it is UTC. My evidence file is UTC-6.
Does that mean the result of the evidence processor is wrong?
Thank you.  
 
  

hommy0
Senior Member
 

Re: EnCase: Recycle Bin $I file Deleted Timestamp

Post Posted: Oct 07, 19 09:16

Hi,

Can I ask where are you viewing the deleted time and date?

Also have you set the timezone for the piece of evidence (prior to running the evidence processor)?

Further, if you look at the "File Deleted" time and date stamp column, does that provide the correct value (since this has been decoded from the $I)? Further to that, the original path column has also been decoded from the $I.

Regards  
 
  

ckwongkennyw
Newbie
 

Re: EnCase: Recycle Bin $I file Deleted Timestamp

Post Posted: Oct 07, 19 14:38

Hi hommy0

I view it in the Artifact view and I have already set the timezone for the piece of evidence before running the evidence processor.  
 
  

hommy0
Senior Member
 

Re: EnCase: Recycle Bin $I file Deleted Timestamp

Post Posted: Oct 07, 19 19:44

Hi,

How does the time and date in artifact view correspond to that of the “File Deleted” time and date stamp column of the main table view for entries?

Also Case Analyzer can provide a view of the $I deleted time and date stamp.

It will be of benefit to post this query on the OpenText My Support for EnCase Forensic (or Endpoint Investigator). This can be found on the security forum.

Regards  
 
