Forums
Main Category
General (Technical,...
EnCase help - Quest...
 
Notifications
Clear all

EnCase help - Question about status bar path display

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by crosser 15 years ago
5 Posts
5 Users
0 Reactions
594 Views
RSS
erowe
 erowe
(@erowe)
Estimable Member
Joined: 18 years ago
Posts: 144
Topic starter 18/06/2010 8:28 pm  

In the bottom left of the status bar there is an icon with a red underline coming up on the right (sort of like a one sided arrow lying down).

The file displays in folder A, but when it is clicked on the path displays to folder C which further analysis confirms is where the file actually resides.

EnCase shows all signature analysis as a match. What does the first entry in folder A represent? Is it link file, some other form of link? Or what else? I can't find info on this in the manual…


   
Quote
kiashi
 kiashi
(@kiashi)
Trusted Member
Joined: 19 years ago
Posts: 99
18/06/2010 10:18 pm  

erowe,
This could be when a file has been moved, i.e. it originally resided in folder A but has since been moved to folder C. Is this a FAT file system? If so then the directory entry holds the filename and it's starting cluster even if the file has been deleted the information may still be there (e5h as first byte of entry). EnCase resolves the information and has obviously found that both the file in Folder A and the one in Folder C have the same starting cluster. So quite possibly they are the same file.

EnCase clarifies this for you by showing you the Folder C path when you click on the file in Folder A as this is the physical location pointed to by the directory entry in Folder A but it currently belongs to a live file in Folder C and no longer to the file in Folder A.

I hope that explanation isn't too confusing….Friday afternoon here ?


   
ReplyQuote
JonN
 JonN
(@jonn)
Trusted Member
Joined: 20 years ago
Posts: 73
18/06/2010 11:58 pm  

Is it an overwritten file? Look in the Description column.

If it is then the information in the status bar is showing you which file overwrote the file you currently have selected in the table pane, which itself should have a sort of circled arrow icon (if that makes any sense)

You should be able to find more information on the icons on the EnCase board, or in the manual (although the manuals tend to be black and white)

Hope this helps


   
ReplyQuote
 96hz
(@96hz)
Estimable Member
Joined: 17 years ago
Posts: 143
19/06/2010 4:25 am  

To try and break it down as simply as possible

In the status bar you are seeing the overwriting file.

ie. the file you see in the table pane and select has been overwritten by the file you then see in the status bar.

The confusion is because it has the same filename, and may as kiashi suggests
be because the file was moved.


   
ReplyQuote
 crosser
(@crosser)
Trusted Member
Joined: 20 years ago
Posts: 56
19/06/2010 8:21 am  

Which version of EnCase is this?


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: