
Misleading terms FTK and EnCase "carved" vs "deleted"

(@yunus)
Posts: 178
Estimable Member
Topic starter
 

Hello all,

I have been comparatively using forensic software for quality purposes.

And today, I have noticed that FTK uses the terms "deleted" and "carved" very differently from EnCase. It uses the term "carved" when it extracts a file from an existing compound file. It is only extracted from an existing file, like a zip or rar file. So the term "carved" here is misleading, making us think that the file is recovered from unallocated space. But it is not.

Secondly, FTK uses the term "carved" for files recovered from unallocated space, too. That is all right and just what we expect to hear. But then there comes another confusion in terms of FTK's columns shown for those files. In FTK there are two columns for files: one is "deleted", the other is "carved". And surprisingly you can see some files which are shown as "false" in the "deleted" column but as "true" in the "carved" column. So, one can't help wondering how a file could be recovered from unallocated space but not be called "deleted" by the forensic software.

EnCase does not use the term "carved" for the files recovered from unallocated space. Instead it puts "unallocatedxxxxx.jpg" in the file name. And it does not use the term "carved" for files extracted from a compound file like a zip or rar file.

So, as forensic examiners, consider carefully when you see and use the terms "carved" or "deleted", as they might not mean the same things if you are not using the same forensic software.

Regards,

 
Posted : 16/06/2016 1:33 am
(@bithead)
Posts: 1206
Noble Member
 

There are many issues with both of the big forensic suites that have been documented on this and other sites.

 
Posted : 16/06/2016 6:46 am
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

Now use X-Ways on the same images and watch how much better (finds more, fewer false positives, faster) it is than the tools you tested =)

 
Posted : 19/06/2016 7:46 pm