How do i make sure i am viewing all deleted word documents on an imaged drive when using FTK?
When i click the "deleted items" tab there doesn't seem to be an option to view deleted documents?
This should be simple and is annoying me (
thanks
Generally I would use the 'deleted items' tab as you mentioned and then sort by 'File Type' so that all the Word Documents are grouped together.
What is it that you are trying to achieve?
I click the "Deleted Documents" tab and then from the filter drop down list i can see "Emailed Items", "Encrypted Files" etc but no "Word Documents".
How do i simply view all deleted word documents using FTK??
and another thing, when i randomly scroll down the list of "Deleted Documents" anyway, and find a .doc extension and click on it all FTK reports is
"Nothing to view - Document empty".
How can all the .docs i click be "empty" ?
When i export the files and open them, they are indeed empty, but EVERY document seems very strange!
I'm yet to open one deleted document from the case containing data!? 😯
Help/Explanations very welcome!
Thanks
Any evidence of wiping software? Some software will wipe the file but not the MFT entry. That usually results in nice looking file names and blank documents.
You may have already tried this, but use the data carving function in FTK. Additionally, I have noticed that FTK will display that "…Document empty" message when the file is password protected. If the file is not password protected, then open the exported documents with a hex editor and see if you find anything.