EnCase: Recycle Bin $I file Deleted Timestamp
Would like to ask if the deleted timestamp in the $I file is in UTC/GMT? Does that mean that when using the Windows Date/Time option to decode, I need to apply the timezone offset to the decoded time in order to arrive at the correct local time?
Deleted date/time is in UTC.
When I view the result of the Evidence Processor, the deleted time is the timestamp of the file (decoded by Windows Date/Time) -11 hours. But I suppose it should be the timestamp of the file -6 hours if it is UTC. My evidence file is UTC-6.
Does that mean the result of the Evidence Processor is wrong?
Can I ask where you are viewing the deleted time and date?
Also have you set the timezone for the piece of evidence (prior to running the evidence processor)?
Further, if you look at the "File Deleted" time and date stamp column, does that provide the correct value (since this has been decoded from the $I)? Further to that, the original path column has also been decoded from the $I.
I view it in the Artifact view and I have already set the timezone for the piece of evidence before running the evidence processor.
How does the time and date in artifact view correspond to that of the “File Deleted” time and date stamp column of the main table view for entries?
Also Case Analyzer can provide a view of the $I deleted time and date stamp.
It will be of benefit to post this query on the OpenText mysupport for EnCase Forensic (or Endpoint Investigator). This can be found on the security forum.