different evidence found in FTK and Autopsy

(@classicjess)
New Member
Joined: 12 years ago
Posts: 2
Topic starter  

Hi,
I'm currently analysing a hard drive for a university assignment and was wondering if anyone could help me. I have analysed this hard drive in both FTK and then in Autopsy to verify my results; however, when analysing in Autopsy I have found a whole section on web history that, in FTK, the file path doesn't exist for. This is for Google Chrome, Internet Explorer and Firefox. The MD5 hash values are the same within both of the software. Would this be classed as an anomaly, or does FTK not support web browsing history? If it is the latter, are there any suggested web history software which I could use to verify this piece of evidence?


(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

Welcome to the real world.

Tools are just tools and it is fairly common for different tools to produce different results.

Ultimately you want to understand how to view a disk with a Hex editor to establish why the results may not be exactly what you are expecting.


(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

You must be smarter than your tools. It is fine to use programs to help you do your work faster, but you must know what is going on behind the scenes. You should be able to verify what they see, and from where.

Thus, my advice isn't to come ask us, it's to delve into the file system and find out what one tool is seeing that the other does not. Is one creating false positives? Is one missing artifacts? We can't say because we don't have the data in front of us.

Remember, it is YOU, not your tools, that will end up on the witness stand.


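An added example of the kind of independent check the replies above recommend (editor's illustration, not code from any poster or from FTK or Autopsy): open a Chrome-style History SQLite database read-only, hash the file so the digest can be compared with what each tool reports, and list the visited URLs with their WebKit timestamps converted to UTC. The sample database is constructed inline and the table layout assumes Chrome's `urls` table; real evidence would be examined on a working copy.

```python
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Chrome's History database stores times as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(webkit_us):
    """Convert a WebKit/Chrome timestamp (microseconds since 1601) to a UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)


def md5_of_file(path):
    """Hash the artifact so it can be matched against the MD5 each tool reports."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def read_chrome_history(path):
    """List (url, title, visit_count, last_visit_utc) rows straight from the 'urls' table."""
    # Read-only URI open: the check must not alter the evidence copy.
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        rows = conn.execute("SELECT url, title, visit_count, last_visit_time FROM urls ORDER BY last_visit_time").fetchall()
    finally:
        conn.close()
    return [(u, t, c, webkit_to_utc(lv).isoformat()) for u, t, c, lv in rows]


def build_sample_history(path):
    """Constructed sample database mimicking Chrome's 'urls' layout (not real evidence)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE urls (url TEXT, title TEXT, visit_count INTEGER, last_visit_time INTEGER)")
    # 13291862400000000 us after 1601-01-01 is 2022-03-16 00:00:00 UTC.
    conn.execute("INSERT INTO urls VALUES ('https://example.org/', 'Example', 3, 13291862400000000)")
    conn.commit()
    conn.close()


def verify_sample():
    """Build the sample in a temp dir, hash it and parse it; returns (md5, rows)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "History")
        build_sample_history(path)
        return md5_of_file(path), read_chrome_history(path)
```

If one tool lists these rows and the other does not, the parsed output from the raw file is what settles which tool is incomplete, independent of either tool's own report.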
binarybod
(@binarybod)
Reputable Member
Joined: 17 years ago
Posts: 272
 

Remember, it is YOU, not your tools, that will end up on the witness stand.

Hah! twjolson, it is here that I confirm you to be a true forensic practitioner rather than some security boffin that uses forensic tools.

