EnCase: Recycle Bin $I file Deleted Timestamp  

ckwongkennyw
(@ckwongkennyw)
New Member

Hi all,
Would like to ask if the deleted timestamp in the $I file is in UTC/GMT? Does that mean that when using the Windows Date/Time option to decode, I need to apply the timezone offset to the decoded time in order to arrive at the correct local time?
Thank you.

Posted : 05/10/2019 4:11 am
deeFIR
(@deefir)
Junior Member

Deleted date/time is in UTC.

Posted : 05/10/2019 5:54 am
ckwongkennyw
(@ckwongkennyw)
New Member

When I view the result of the Evidence Processor, the deleted time is the timestamp of the file (decoded by Windows Date/Time) -11 hours. But suppose it should be timestamp of the file -6 hours if it is UTC. My evidence file is UTC-6.
Does that mean the result of the evidence processor is wrong?
Thank you.

Posted : 05/10/2019 3:27 pm
hommy0
(@hommy0)
Member

Hi,

Can I ask where you are viewing the deleted time and date?

Also, have you set the timezone for the piece of evidence (prior to running the evidence processor)?

Further, if you look at the "File Deleted" time and date stamp column, does that provide the correct value (since this has been decoded from the $I)? Further to that, the original path column has also been decoded from the $I.

Regards

Posted : 07/10/2019 10:16 am
ckwongkennyw
(@ckwongkennyw)
New Member

Hi hommy0

I view it in the Artifact view and I have already set the timezone for the piece of evidence before running the evidence processor.

Posted : 07/10/2019 3:38 pm
hommy0
(@hommy0)
Member

Hi,

How does the time and date in artifact view correspond to that of the “File Deleted” time and date stamp column of the main table view for entries?

Also Case Analyzer can provide a view of the $I deleted time and date stamp.

It will be of benefit to post this query on the opentext mysupport for EnCase Forensic (or endpoint investigator). This can be found on the security forum.

Regards

Posted : 07/10/2019 8:44 pm
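
A way to cross-check a tool's decoded value against the raw $I bytes, as an added example that is not part of any post in this thread and is not EnCase code. It assumes the commonly documented $I layout (8-byte version, 8-byte original size, 8-byte FILETIME, then the original path) and uses a constructed sample record; `parse_i_file`, `to_local` and `build_sample` are names chosen for this example.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_i_file(data):
    """Parse a $I record: version 1 (Vista to 8.1) or version 2 (Windows 10)."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]          # fixed 260 UTF-16LE characters
    elif version == 2:
        if len(data) < 28:
            raise ValueError("version 2 record lacks the path length field")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]   # length is in characters, incl. NUL
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_utc(ft), "path": path}

def to_local(dt_utc, offset_hours):
    """Apply a fixed offset; a named zone with DST rules needs zoneinfo instead."""
    return dt_utc.astimezone(timezone(timedelta(hours=offset_hours)))

def build_sample(version=2):
    """Constructed sample record, not taken from any real evidence."""
    deleted = datetime(2019, 10, 5, 10, 0, 0, tzinfo=timezone.utc)
    ft = (deleted - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    path = "C:\\Users\\demo\\report.docx\x00"
    head = struct.pack("<QQQ", version, 4096, ft)
    if version == 1:
        return head + path.encode("utf-16-le").ljust(520, b"\x00")
    return head + struct.pack("<I", len(path)) + path.encode("utf-16-le")

if __name__ == "__main__":
    rec = parse_i_file(build_sample())
    print("stored (UTC):  ", rec["deleted_utc"].isoformat())
    print("local at UTC-6:", to_local(rec["deleted_utc"], -6).isoformat())
```

The value read from the file is the UTC instant; the evidence time zone is applied only once, at display time, so a difference other than the configured offset points at the display settings rather than the stored bytes.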