I am doing a forensic exam on a suspect drive, and all of the illegal images are showing they are located in the drivefreespace, and under the areas of Created Date, Accessed Date, and Modified Date it just indicates N/A. Why is this? I need to prove that the illegal images were accessed during a certain time frame to connect them to the suspect, since it was not his computer, but only he had access to it during a particular time frame.
It'll help if you can provide the tools you're using and the file system of the drive. As to the access question, is this a standalone system or on a domain?
I am using FTK on an image of a hard drive, and the file system is NTFS.
I am doing a forensic exam on a suspect drive, and all of the illegal images are showing they are located in the drivefreespace, and under the areas of Created Date, Accessed Date, and Modified Date it just indicates N/A. Why is this?
Because there is no entry in the MFT or associated INFO2 record that contains that information.
I need to prove that the illegal images were accessed during a certain time frame to connect them to the suspect, since it was not his computer, but only he had access to it during a particular time frame.
Any link or thumbnail files that can point to this time frame?
And I guess I should add, have you searched for any INFO2 records that contain data that would suggest that the files were in the Recycle Bin during the time in question?
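Added example, not part of the thread: one way to run the INFO2 check suggested above, listing Recycle Bin records whose deletion time falls inside a window. It assumes the Windows 2000/XP INFO2 layout (20-byte header, 800-byte records, deletion FILETIME at record offset 268); the function names and the sample bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE, RECORD_SIZE = 20, 800   # assumed Windows 2000/XP INFO2 layout
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UTC = timezone.utc

def filetime_to_dt(ft):
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_info2(data):
    """Return one dict per INFO2 record, including emptied/restored ones."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for an INFO2 header")
    if struct.unpack_from("<I", data, 12)[0] != RECORD_SIZE:
        raise ValueError("record size is not 800; not the layout assumed here")
    records = []
    for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        rec = data[off:off + RECORD_SIZE]
        index, drive, ftime, size = struct.unpack_from("<IIQI", rec, 260)
        path = rec[280:].decode("utf-16-le", errors="replace").split("\x00")[0]
        records.append({
            "index": index, "size": size, "path": path,
            "drive": chr(65 + drive) if drive < 26 else "?",
            "deleted_utc": filetime_to_dt(ftime),
            # First byte of the ANSI path is zeroed once the entry leaves the bin.
            "still_in_bin": rec[0] != 0,
        })
    return records

def deleted_between(records, start, end):
    return [r for r in records if start <= r["deleted_utc"] <= end]

def _sample_record(index, path, deleted, size, emptied=False):
    ansi = path.encode("ascii").ljust(260, b"\x00")
    ansi = b"\x00" + ansi[1:] if emptied else ansi
    body = struct.pack("<IIQI", index, 2, dt_to_filetime(deleted), size)
    return ansi + body + path.encode("utf-16-le").ljust(520, b"\x00")

# Constructed sample data: two records on drive C:, not taken from any real case.
SAMPLE = struct.pack("<IIIII", 5, 0, 0, RECORD_SIZE, 0) + \
    _sample_record(1, r"C:\Docs\a.jpg", datetime(2008, 3, 1, 14, 5, tzinfo=UTC), 4096) + \
    _sample_record(2, r"C:\Docs\b.jpg", datetime(2008, 3, 9, 9, 30, tzinfo=UTC), 8192, True)
```

The deletion time records when a file was sent to the Recycle Bin; it is not a last-accessed time.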