As stezer2000 pointed out I don't know my tools well enough and am really trying to get some more experience and know how. I have found myself irritated with FTK 3. I am working on a small thumbdrive image and have found some Excel spreadsheets. The spreadsheets were carved out of unallocated space.
Now, correct me if I am wrong, a file that is carved out of unallocated space will not have a file name or dates and times. FTK doesn't give me any as I expected, However, using the free PinPoint Metaviewer I get the author, the program that created the file and version, the date and time created, last saved, and the last saved by identity.
Why doesn't FTK get this info? Is there something I am not doing right?
The data is listed in a section with "OLE Metadata" at the top. The "File System Metadata" is at the bottom and lists the date and time it was exported from FTK as reported by my machine. What is OLE Metadata?
Now, correct me if I am wrong, a file that is carved out of unallocated space will not have a file name or dates and times. FTK doesn't give me any as I expected,
You will not get the original file name when you carve a file from unallocated space with any program. And there will not be dates in the file attribute columns in FTK.
However, using the free PinPoint Metaviewer I get the author, the program that created the file and version, the date and time created, last saved, and the last saved by identity.
OK
Why doesn't FTK get this info? Is there something I am not doing right?
probably because you are not looking at the metadata file. FTK sees the file, the metadata file, etc. as unique objects. I am not in front of an exam machine so I am not sure about carving options or how the files are listed once they are carved, however the file and associated OLE object should have similar names.
The data is listed in a section with "OLE Metadata" at the top. The "File System Metadata" is at the bottom and lists the date and time it was exported from FTK as reported by my machine. What is OLE Metadata?
In which program? FTK? I thought FTK was not showing metadata? Kind of jumping back and forth.
Object Linking and Embedding
Plenty written on OLE
Sorry, the OLE Metadata shows in Pinpoint. I am pretty sure I checked the box to carve for meta files in FTK but didn't see any returned. I have seen the seperate meta files that you are referring to in past examinations.