Autopsy created Timeline

(@mwade)
Trusted Member
Joined: 18 years ago
Posts: 77
Topic starter  

Hello,

I have a question regarding a timeline that was created by Autopsy. When I created the body file I used the default checks to gather the Allocated Files, Unallocated Files, and the Unallocated Inodes. Below is just a small sample from the timeline that I extracted. First some specifics: this is from an NTFS system, and I have checked and the dates range over many months (meaning that this issue is not just isolated to a small time frame).

My question is: why, when I look at the timeline, are all the entries for unallocated meta data? Meaning, all the entries have a naming structure of image.dd-C3F762F2d01-dead-102146, for example. I would think that scattered throughout the timeline would be entries from Allocated files (dir commands, other files accessed, or modified). This is a normal user's PC who does daily Windows activities.

Thu Mar 27 2008 121252 87399 m.. -rwxrwxrwx 0 0 102146 <image.dd-C3F762F2d01-dead-102146>
Thu Mar 27 2008 121253 17317 m.. -rwxrwxrwx 0 0 91178 <image.dd-A603A0E7d01-dead-91178>
67935 m.. -rwxrwxrwx 0 0 90264 <image.dd-D1AB25E6d01-dead-90264>
Thu Mar 27 2008 121257 20859 m.. -rwxrwxrwx 0 0 91221 <image.dd-5003CDE0d01-dead-91221>
Thu Mar 27 2008 123707 38674 m.. -rwxrwxrwx 0 0 105826 <image.dd-FE71F0EDd01-dead-105826>
Thu Mar 27 2008 131904 95656 m.. -rwxrwxrwx 0 0 91195

Thanks for your advice.


   
(@mwade)
Trusted Member
Joined: 18 years ago
Posts: 77
Topic starter  

One thing I forgot to say is that it appears, "according to the timeline", that all the activity is entries for unallocated meta-data structures.

Thanks again.


   