Recovery of files from slack space / backtrack timelines  

hvs-forensic
(@hvs-forensic)
New Member

Hello,
I’m working on a forensic case regarding an abuse of an employment contract.
I have to prove that a specific supplement to an employment contract was created / modified on a specific PC. I cloned the HDD and reviewed the image with a hex editor.

I’ve found fragments of the relevant contract text in the “free space / slack space” of the hard disk (with cluster number and offset address) and in the pagefile.sys (Windows XP/SP2). I’m not sure if the delinquent has saved the document on the hard disk or has just written and printed it on this PC without saving.

Now my question: Is it possible to trace back my findings to dates? I have to prove that the special document was written / modified / printed before a special date. Am I able to restore these fragments to a Word document (I suspect he has used Word) to review the metadata?
I think MAC times are not helpful in this special scenario (slack space, pagefile.sys) because the delinquent was fired one month ago and a colleague has worked on his PC for the last month…

Any ideas how to accomplish this?
Thanks for your help

Posted : 11/04/2006 6:23 pm