Hello all,
I have been comparatively using forensic software for quality purposes.
And today, I have noticed that FTK uses the terms "deleted" and "carved" very much differently from EnCase. It uses the term "carved" when it extracts a file from an existing compound file. It is only extracted from an existing file, like a zip or rar file, so the term "carved" here is misleading, making us think that the file is recovered from unallocated space. But it is not.
Secondly, FTK uses the term "carved" for files recovered from unallocated space, too. That is all right and just what we expect to hear. But then there comes another confusion in terms of FTK's columns shown for those files. In FTK there are two columns for files: one is "deleted", the other is "carved". And surprisingly you can see some files which are shown as "false" in the "deleted" column but as "true" in the "carved" column. So, one can't help wondering how a file could be recovered from unallocated space but not be called "deleted" by the forensic software.
EnCase does not use the term "carved" for the files recovered from unallocated space. Instead it puts "unallocatedxxxxx.jpg" in the file name. And it does not use the term "carved" for files extracted from a compound file like a zip or rar file.
So, as forensic examiners, consider carefully when you see and use the terms "carved" or "deleted", as they might not mean the same thing if you are not using the same forensic software.
Regards,
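The three different ways a file can turn up in a tool's results (followed from a directory entry that is live or marked deleted, located by signature scan over free space, or simply read out of an archive) can be modelled in a few dozen lines. The following Python is an added illustration, not code from the post or from FTK or EnCase; it builds a small constructed "volume" with a hand-made directory table and a constructed zip, and reports for each recovered item whether the tool's "deleted" and "carved" flags would be true, so the overlap and the gaps between the two terms are visible side by side. The directory format, the marker-only JPEG stand-ins and the "unallocated<offset>.jpg" naming are assumptions made for the example.

```python
"""Why "carved" and "deleted" are not the same question.

Constructed example: a 4 KiB byte blob stands in for a volume, a list of dicts
stands in for its directory, and JPEGs are reduced to their SOI/EOI markers.
Three recovery routes are shown:
  * metadata listing  - follow directory entries, allocated or not
  * signature carving - scan bytes NOT covered by an allocated entry
  * archive extraction - read members out of a zip via its central directory
"""
import io
import zipfile
from dataclasses import dataclass
from typing import Optional

JPEG_SOI = b"\xff\xd8\xff\xe0"   # SOI followed by an APP0 marker
JPEG_EOI = b"\xff\xd9"


def make_jpeg(payload: bytes) -> bytes:
    """Constructed stand-in for a JPEG: markers around an arbitrary body."""
    return JPEG_SOI + payload + JPEG_EOI


@dataclass
class Recovered:
    name: str
    data: bytes
    deleted: Optional[bool]  # None: no directory entry exists, so "deleted" has no answer
    carved: bool             # True only when the bytes were located by signature scan


def list_by_metadata(blob: bytes, directory: list) -> list:
    """Follow directory entries; 'deleted' is simply the inverse of 'allocated'."""
    return [
        Recovered(e["name"], blob[e["offset"]:e["offset"] + e["length"]],
                  deleted=not e["allocated"], carved=False)
        for e in directory
    ]


def carve_jpegs(blob: bytes, directory: list, prefix: str = "unallocated") -> list:
    """Signature carving restricted to free space.

    Bytes covered by an allocated entry are masked out first, mirroring a
    tool that carves only unallocated clusters. No metadata is consulted,
    so the result carries an offset-based name and no 'deleted' answer."""
    free = bytearray(blob)
    for e in directory:
        if e["allocated"]:
            free[e["offset"]:e["offset"] + e["length"]] = bytes(e["length"])
    free = bytes(free)

    found, pos = [], 0
    while True:
        start = free.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = free.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        end += len(JPEG_EOI)
        found.append(Recovered(f"{prefix}{start:08x}.jpg", free[start:end],
                               deleted=None, carved=True))
        pos = end
    return found


def extract_archive(zip_bytes: bytes) -> list:
    """Archive members are read via the zip's own central directory:
    nothing is carved and nothing is deleted, however a tool labels it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [Recovered(info.filename, zf.read(info), deleted=False, carved=False)
                for info in zf.infolist()]


def build_sample():
    """Constructed volume: a live JPEG, a JPEG whose entry is marked deleted,
    and a JPEG with no entry at all, plus a zip containing the live one."""
    live, dead, orphan = (make_jpeg(b"live image"),
                          make_jpeg(b"deleted image"),
                          make_jpeg(b"orphaned image"))
    blob = bytearray(4096)
    blob[64:64 + len(live)] = live
    blob[512:512 + len(dead)] = dead
    blob[2048:2048 + len(orphan)] = orphan
    directory = [
        {"name": "live.jpg", "offset": 64, "length": len(live), "allocated": True},
        {"name": "dead.jpg", "offset": 512, "length": len(dead), "allocated": False},
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("inside.jpg", live)
    return bytes(blob), directory, buf.getvalue()


def report() -> list:
    """All three routes over the same sample, in one flat listing."""
    blob, directory, zip_bytes = build_sample()
    return (list_by_metadata(blob, directory)
            + carve_jpegs(blob, directory)
            + extract_archive(zip_bytes))


if __name__ == "__main__":
    for r in report():
        print(f"{r.name:28} deleted={r.deleted!s:5} carved={r.carved}")
```

Running it shows the same bytes reported twice for the entry marked deleted (once as `dead.jpg` with deleted=True, carved=False; once as `unallocated00000200.jpg` with carved=True and no "deleted" answer), while the orphaned image appears only through carving and the archive member appears with both flags false. That double reporting and the unanswerable "deleted" column for carved items are exactly the cases where two suites' labels diverge, so a comparison should be made on offsets and hashes rather than on the column names.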
There are many issues with both of the big forensic suites that have been documented on this and other sites.
Now use X-Ways on the same images and watch how much better (finds more, fewer false positives, faster) it is than the tools you tested =)