Use of FTK Custom Carver DB to spot evidence tampering
I'm considering putting together a set of FTK custom carver files for the commercial programs that purport to selectively delete files (evidence).
The type of custom carver files I am thinking about are those associated with such programs as "Evidence Eraser", "Secure Clean", "Evidence Eliminator", "Evidence Shredder", etc. etc.
With that database I would want to look for artifacts of the aforementioned files, not necessarily as evidence of deliberate evidence tampering/destruction, but more as a way of deciding whether or not additional work is needed in that area.
Has anybody used that approach? To what degree was it successful? Is there a different approach you would recommend?