It sounds to me like there are multiple artifacts all pointing to the same data. Say, an MFT record from the $MFT and an MFT record from the $Logfile. There aren't two separate files - it could simply be a display issue in FTK implying more than one file.
Per the FTK user manual quote above, it found a file that contained folder information, an $INDX structure, and parsed it for you.
I have a puzzling forensic case where image files with identical filenames have identical timestamps (Modified, Accessed, Created) where one copy of the file was recovered with Metacarving from the identical file location (folder).
Let's see…NTFS on Vista.
So…the timestamps in which attributes are identical? $STANDARD_INFORMATION? $FILE_NAME? Both?
How about the record numbers? Are they also identical?
How can this be?
Did you create a timeline of system activity, using data sources such as file system metadata, Windows Event Logs, Registry metadata, Prefetch file metadata, etc? This might provide you with some context.
Even if the file was copied in the same folder location and one copy deleted I would expect some shift in the Timestamps…
Okay, but *which* time stamps? An MFT record with a $STANDARD_INFORMATION attribute and one $FILE_NAME attribute has 8 time stamps. Each additional $FILE_NAME attribute is another 4 time stamps.
The timestamps are identical to one second, according to the forensic case file. I have no reason to distrust the software…
Yeah, you do…depending upon which software it is.
You can always retrieve the records from the MFT itself and parse them by hand.
…although I haven't tried comparing UTC timecode records. I can't recall if there are any UTC timecodes in the MFT (more homework).
Can you elaborate on that last sentence a bit?
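Retrieving the records and parsing them by hand, as suggested above, comes down to undoing the update sequence fixups and walking the resident attributes. The following is an added example written for this thread (not code from any poster or from FTK) in Python: it builds two constructed 1024-byte MFT FILE records, parses them, pulls out the four $STANDARD_INFORMATION and four $FILE_NAME timestamps as raw FILETIME values, and reports which ones differ at 100 ns versus 1 s resolution. Record numbers, the filename, the parent reference and all timestamps are made-up sample values.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SI, FN = 0x10, 0x30                       # $STANDARD_INFORMATION, $FILE_NAME
TS_NAMES = ("created", "modified", "mft_modified", "accessed")

def filetime_to_utc(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; datetime keeps only microseconds."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

# ---- builder for constructed test records (sample data, not from a real image) ----
def resident_attr(atype, content, attr_id):
    length = (0x18 + len(content) + 7) & ~7                  # 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, attr_id,
                      len(content), 0x18, 0, 0)
    return hdr + content + b"\0" * (length - 0x18 - len(content))

def std_info(ts):                           # created, modified, mft_modified, accessed
    return struct.pack("<QQQQIIII", *ts, 0x20, 0, 0, 0)

def file_name(parent_ref, ts, name):        # same four timestamps, then sizes, flags, name
    return struct.pack("<QQQQQQQIIBB", parent_ref, *ts, 0, 0, 0x20, 0, len(name), 3) \
        + name.encode("utf-16-le")

def build_record(rec_no, seq, attrs, usn=0x0101):
    body = b"".join(attrs) + struct.pack("<II", 0xFFFFFFFF, 0)   # end-of-attributes marker
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, seq, 1, 0x38, 1,
                      0x38 + len(body), 1024, 0, len(attrs) + 1, 0, rec_no)
    rec = bytearray(hdr + b"\0" * 8 + body)
    rec += b"\0" * (1024 - len(rec))
    # Apply the update sequence fixup the way NTFS writes it: the last word of each
    # 512-byte sector is saved in the USA and replaced by the USN on disk.
    rec[0x30:0x32] = struct.pack("<H", usn)
    for i, end in enumerate((510, 1022)):
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = struct.pack("<H", usn)
    return bytes(rec)

# ---- parser ----
def parse_record(raw):
    """Undo the fixups, then walk the resident attributes for the timestamps."""
    if raw[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * 512 - 2
        if rec[end:end + 2] != usn:          # torn write, or carved bytes that are not a record
            raise ValueError("update sequence mismatch in sector %d" % (i - 1))
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    seq = struct.unpack_from("<H", rec, 0x10)[0]
    attr_off = struct.unpack_from("<H", rec, 0x14)[0]
    out = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0], "sequence": seq,
           "standard_information": None, "file_names": []}
    while attr_off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, attr_off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if rec[attr_off + 8] == 0:                               # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, attr_off + 0x10)
            c = bytes(rec[attr_off + coff:attr_off + coff + clen])
            if atype == SI:
                out["standard_information"] = dict(zip(TS_NAMES, struct.unpack_from("<QQQQ", c)))
            elif atype == FN:
                f = struct.unpack_from("<QQQQQ", c)              # parent ref + 4 timestamps
                nlen, ns = c[64], c[65]
                out["file_names"].append({
                    "name": c[66:66 + 2 * nlen].decode("utf-16-le"), "namespace": ns,
                    "parent_record": f[0] & 0xFFFFFFFFFFFF, **dict(zip(TS_NAMES, f[1:]))})
        attr_off += alen
    return out

def all_timestamps(parsed):
    """Flatten every timestamp: 4 from $SI plus 4 per $FILE_NAME attribute."""
    ts = {"$SI." + k: v for k, v in parsed["standard_information"].items()}
    for i, fn in enumerate(parsed["file_names"]):
        ts.update({"$FN[%d].%s" % (i, k): fn[k] for k in TS_NAMES})
    return ts

def differing_timestamps(a, b, resolution_ns=100):
    """Timestamp names that differ between two parsed records at the given resolution.
    A viewer that rounds to whole seconds is equivalent to resolution_ns=1_000_000_000."""
    ticks = max(1, resolution_ns // 100)
    ta, tb = all_timestamps(a), all_timestamps(b)
    return sorted(k for k in ta if k not in tb or ta[k] // ticks != tb[k] // ticks)

# Constructed sample: two records with the same name and the same whole-second
# timestamps; the second one is 300 ns later in modified / MFT-modified.
T0 = utc_to_filetime(datetime(2009, 3, 14, 10, 15, 0, tzinfo=timezone.utc))
SAME = (T0, T0 + 60 * 10_000_000, T0 + 60 * 10_000_000, T0)
NEAR = (SAME[0], SAME[1] + 3, SAME[2] + 3, SAME[3])
PARENT = 5 | (5 << 48)                      # parent = record 5 (root), sequence 5
REC_LIVE = build_record(1234, 3, [resident_attr(SI, std_info(SAME), 0),
                                  resident_attr(FN, file_name(PARENT, SAME, "IMG_0001.JPG"), 1)])
REC_CARVED = build_record(5678, 1, [resident_attr(SI, std_info(NEAR), 0),
                                    resident_attr(FN, file_name(PARENT, NEAR, "IMG_0001.JPG"), 1)])

if __name__ == "__main__":
    a, b = parse_record(REC_LIVE), parse_record(REC_CARVED)
    print("records", a["record_number"], "and", b["record_number"], a["file_names"][0]["name"])
    print("differ at 1 s  :", differing_timestamps(a, b, 1_000_000_000))
    print("differ at 100ns:", differing_timestamps(a, b))
```

Running it on the two sample records shows the point made above: at one-second display resolution every one of the eight timestamps looks identical, while at native FILETIME resolution the $SI and $FN modified and MFT-modified values differ, and the record numbers differ as well. Against a real image you would feed `parse_record` the 1024-byte slices of $MFT (or the FILE records a carver returned), and a fixup mismatch is a useful signal that a carved block is not an intact record.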
I concur with keydet89 "Did you create a timeline of system activity, using data sources such as file system metadata, Windows Event Logs, Registry metadata, Prefetch file metadata, etc? This might provide you with some context."
Perhaps look at using FSPro Labs' Event Log Explorer (http//
Within Event Log Explorer, one can filter the various event logs by "User" or SID to attribute activity to the correct Windows user account.
You should be able to find a record of Winzip being installed and then being run (executed) chronologically prior to the image files' metadata, for example, if you suspect that the image files were extracted from an archive file.
Basically, some other program and related user activity caused the image files to exist where you found them, so the event logs might give you this visibility.