Hi all, the phone I am currently examining is a HTC Desire 816 running Android 4.4.2. The items in question are the call recordings done on the phone. There is a suspicion that the recorded files were planted.
I have done logical extraction and file system extraction in Cellebrite UFED Touch ultimate. There are a few recorded files in /shared location of that app. But UFED shows only one timestamp ( modified date) for those files. And for some files the timestamp is missing entirely. Is there any other way I could get created date or any other timestamp from the logical or FS dump? Thanks.
Have a look and see if Riff Box can help
http//
Right now I cannot get a Riff Box to try that out. Only UFED and Oxygen are available, but anyway thanks for the help.
go to ufed analyser and search that timestamp in binary mode after that look other bytes manually
Hi all, the phone I am currently examining is a HTC Desire 816 running Android 4.4.2. The items in question are the call recordings done on the phone. There is a suspicion that the recorded files were planted.
I have done logical extraction and file system extraction in Cellebrite UFED Touch ultimate. There are a few recorded files in /shared location of that app. But UFED shows only one timestamp ( modified date) for those files. And for some files the timestamp is missing entirely. Is there any other way I could get created date or any other timestamp from the logical or FS dump? Thanks.
In Oxygen have you tried physical dump or Android backup extraction method? What app are you trying to analyze?