Use of FTK Custom Carver DB to spot evidence tampering

General (Technical, Procedural, Software, Hardware etc.)

Last Post by akaplan0qw9 14 years ago

1 Posts

1 Users

0 Reactions

460 Views

RSS

akaplan0qw9

(@akaplan0qw9)

Trusted Member

Joined: 21 years ago

Posts: 69

Topic starter 09/04/2011 7:13 am

I'm considering putting together a set of FTK custom carver files for the commercial programs that purport to selectively delete files (evidence).

The type of custom carver files I am thinking about are those associated with such programs as "Evidence Eraser", "Secure Clean", "Evidence Eliminator", "Evidence Shredder", etc. etc.

With that database I would want to look for artifacts of the aforementioned files, not necessarily as evidence of deliberate evidence tampering/destruction, but more as a way of deciding whether or not additional work is needed in that area.

Has anybody used that approach? To what degree was it successful? Is there a different approach you would recommend?

Quote

Podcast: Well-Being In Digital Forensics And Policing: Insights From Hannah Bailey

Hannah Bailey shares her journey from frontline policin...

By Zoe , 2 days ago
RE: Android Forensics

Hi, Try decompressing the file using zlib in python. ...

By Dexter4n6 , 3 days ago
Interview: Neal Ysart, Co-Founder, The Coalition of Cyber Investigators

Neal Ysart shares how The Coalition of Cyber Investigat...

By Zoe , 3 days ago

8 Forums
15.7 K Topics
92.3 K Posts
17 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed