Use of FTK Custom C...
Clear all

Use of FTK Custom Carver DB to spot evidence tampering  


I'm considering putting together a set of FTK custom carver files for the commercial programs that purport to selectively delete files (evidence).

The type of custom carver files I am thinking about are those associated with such programs as "Evidence Eraser", "Secure Clean", "Evidence Eliminator", "Evidence Shredder", etc. etc.

With that database I would want to look for artifacts of the aforementioned files, not necessarily as evidence of deliberate evidence tampering/destruction, but more as a way of deciding whether or not additional work is needed in that area.

Has anybody used that approach? To what degree was it successful? Is there a different approach you would recommend?

Posted : 09/04/2011 7:13 am