Hi,
What is your opinion for N/A for a file (not folder) date and time in software based reports, FTK, Encase, or whatever else. Say Win XP.
Time can't be pulled from MBR/MFT?
File was carved?
Thanks all.
Files may be given N/A for a number of different reasons and it depends on the analysis software you are using combined with the file system it is parsing.
If the file remnant does not have all the associated metadata then you may get an empty field or an N/A depending on the tool you are using. Reading the manual thoroughly (and possibly attending the very expensive training) is always a good idea.
A good understanding of the underlying file system never goes amiss either. Try the book by Brian Carrier to help you in this regard.
Carved files are another issue entirely. I have managed to provide provenance for files from unallocated space on just one occasion (the evidence fairy visited me on that day). Most of the time this is just a waste of time because the remaining artefacts (if there are any at all) don't provide enough provenance to satisfy the courts.
Paul
Thank you for your reply.
I already read the manual years ago, and rechecked it recently and didn't find anything. I mentioned 2 of the names as Encase and FTK, but I guess you can broaden that to X-Ways.
I can understand one field being missing from metadata, but I'm speaking more towards the big 3 all being N/A
If a file is carved then there is no associated MFT (or FAT or Cat) entry for the file. Dates are stored in the MFT and hence I suspect the reason for N/A.
What do you mean by the Big 3? Is this the types of dates, modified, created, accessed? - or have I misunderstood your question?
Some files do contain internal dates, a good example is a JPEG. Forensically this has to be treated with care as it is the date from the camera, which may or may not have a valid time, and not the date it was put on the hard drive.
In summary, carving means no file metadata relating to times placed on the hard drive.
Time can't be pulled from MBR/MFT?
File was carved?
It entirely depends on the software in question (Encase, etc.), the file system and the artifact (file/folder/deleted file).
There may also be times when a normal file, say on NTFS which should have 4 timestamps, no matter what software you view it in, shows only 1 or 2 or none. This may be due to data corruption and the value for that date being invalid. This is true for deleted entries, where there is no guarantee of the data being correct.
In summary, carving means no file metadata relating to times placed on the hard drive.
What I was trying to say, but much more succinct and clearer :)
Paul
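Added worked example, not part of the thread and not code from Encase, FTK or X-Ways: a minimal Python parser for the four timestamps in an NTFS MFT record's $STANDARD_INFORMATION attribute, showing the three situations discussed above. An intact record decodes all four dates; a record whose fields hold a zero or an out-of-range value yields N/A for those fields while the others still decode (the partial-timestamp case); a carved blob with no MFT record at all yields N/A for everything, because the dates live in the MFT entry, not in the file content. The on-disk layout (FILE signature, update sequence fixups, attribute header, FILETIME ticks since 1601) follows the NTFS format; build_record, the dates, the update sequence number 0x0007 and the JPEG-style fragment are constructed test data, and the plausibility rule (zero or overflow means N/A) is this example's choice, not any tool's documented behaviour.

```python
import struct
from datetime import datetime, timedelta, timezone

# NTFS stores four 64-bit FILETIME values (100 ns ticks since 1601-01-01 UTC)
# in the resident $STANDARD_INFORMATION attribute of each MFT record.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
STD_INFO_TYPE = 0x10
ATTR_END = 0xFFFFFFFF
LABELS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_utc(ticks):
    """Decode a FILETIME; None for the values a tool would show as N/A (example's rule)."""
    if ticks == 0:                      # never set: common in deleted or partial entries
        return None
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:               # beyond year 9999: corrupt field
        return None


def utc_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def apply_fixups(record, sector_size=512):
    """Undo the update-sequence fixups. Skipping this corrupts any value that
    straddles a sector boundary, one source of bogus timestamps."""
    usa_ofs, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_ofs:usa_ofs + 2]
    fixed = bytearray(record)
    for i in range(1, usa_count):
        end = i * sector_size
        if fixed[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn or mis-aligned MFT record")
        fixed[end - 2:end] = record[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return bytes(fixed)


def mft_record_times(blob):
    """Raw $STANDARD_INFORMATION ticks, or None when blob is not an MFT record."""
    if blob[:4] != b"FILE":             # carved file content, not an MFT entry
        return None
    rec = apply_fixups(blob)
    ofs = struct.unpack_from("<H", rec, 20)[0]          # first attribute offset
    while ofs + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, ofs)
        if atype == ATTR_END or alen == 0:
            break
        if atype == STD_INFO_TYPE and rec[ofs + 8] == 0:  # must be resident
            clen, cofs = struct.unpack_from("<IH", rec, ofs + 16)
            if clen < 32:
                return None
            return dict(zip(LABELS, struct.unpack_from("<4Q", rec, ofs + cofs)))
        ofs += alen
    return None


def timestamp_report(blob):
    """What a tool's date columns should show: ISO-8601 UTC or 'N/A'."""
    ticks = mft_record_times(blob) or {}
    report = {}
    for label in LABELS:
        dt = filetime_to_utc(ticks[label]) if label in ticks else None
        report[label] = dt.isoformat() if dt is not None else "N/A"
    return report


def build_record(ticks, sector_size=512):
    """Constructed 1024-byte MFT record holding only $STANDARD_INFORMATION (test data)."""
    rec = bytearray(2 * sector_size)
    usa_ofs, usa_count, attr_ofs = 0x30, 3, 0x38
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, usa_ofs, usa_count)
    struct.pack_into("<HH", rec, 20, attr_ofs, 1)        # first attribute, in-use flag
    content = struct.pack("<4Q", *ticks) + bytes(16)      # 48-byte $STANDARD_INFORMATION
    alen = 24 + len(content)
    struct.pack_into("<IIBBHHH", rec, attr_ofs, STD_INFO_TYPE, alen, 0, 0, 0, 0, 0)
    struct.pack_into("<IHBB", rec, attr_ofs + 16, len(content), 24, 0, 0)
    rec[attr_ofs + 24:attr_ofs + alen] = content
    struct.pack_into("<I", rec, attr_ofs + alen, ATTR_END)
    struct.pack_into("<II", rec, 24, attr_ofs + alen + 8, len(rec))
    usn = b"\x07\x00"                                     # arbitrary update sequence number
    rec[usa_ofs:usa_ofs + 2] = usn
    for i in range(1, usa_count):                         # stash real bytes, write the USN
        end = i * sector_size
        rec[usa_ofs + 2 * i:usa_ofs + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


# Constructed samples: intact record, record with one zeroed and one garbage
# field, and a carved JPEG/EXIF-style fragment that never had an MFT entry.
T0 = datetime(2009, 3, 15, 10, 20, 30, tzinfo=timezone.utc)
GOOD = [utc_to_filetime(T0 + timedelta(days=d)) for d in range(4)]
INTACT = build_record(GOOD)
DAMAGED = build_record([GOOD[0], 0, 0xFFFFFFFFFFFFFFFF, GOOD[3]])
CARVED = b"\xff\xd8\xff\xe1" + bytes(60)

if __name__ == "__main__":
    for name, blob in (("intact", INTACT), ("damaged", DAMAGED), ("carved", CARVED)):
        print(name, timestamp_report(blob))
```

The point of the carved case is that mft_record_times never even reaches the timestamp code: there is no FILE record to parse, so there is nothing for any tool to put in the date columns. Any date a carved JPEG does carry comes from its own EXIF block, which records what the camera's clock said, not when the file reached the disk.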