I'm currently using the X-Ways Forensics tool and would like to create a report showing deleted file details in a timeline in order to establish if the suspect deleted the files in an isolated incident or whether it was a regular action taken by the suspect.
Has anyone used WinHex to produce such an extract or perhaps come across another product that performs the same kind of process.
Many thanks in advance Richard.
Any luck?
Did you try the X-Ways forum?
Please update your findings on this.
Thanks
If the deleted files are found via NTFS MFT (or in recycle bin) then you should get some dates. But if the files are all found via direct carving on the disk then there will be no dates and no timeline possible.
Open the registry in X-Ways and then export the particular registry file, which creates a registry Report.html.
> I'm currently using the X-Ways Forensics tool and would like to create a report showing deleted file details in a timeline in order to establish if the suspect deleted the files in an isolated incident or whether it was a regular action taken by the suspect.
What kind of file system are you looking at?
Hi Athulin,
I was referring to deleted files under NTFS in this case.
> I was referring to deleted files under NTFS in this case.
Look at 'EnScript to parse USNJRNL' on the forensickb blog. That's probably as close as you can come with direct methods.
(Added just in case … I'm not referring to recycled files, but truly deleted ones – files that have passed through the DeleteFile() or closely related functions).
> That's probably as close as you can come with direct methods.
I personally don't think any "EnScript" is needed or that they can be considered a "direct method" for users of X-Ways Forensics (or EnCase, for that matter).
You can view $UsnJrnl$J directly in X-Ways Forensics. And true deletion timestamps can also be deduced from $LogFile. This is done by X-Ways Forensics automatically when running the particularly thorough file system data structure search in NTFS volumes. The deletion timestamp column will be populated automatically for files for which a deletion timestamp can be deduced.
(And just in case, do not mistake timestamps in the "File Deleted" column in EnCase for true deletion timestamps.)
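As an added illustration of the point made above about $UsnJrnl$J (this is example code written for this thread, not code from X-Ways, EnCase or the forensickb EnScript), the following Python parses raw USN_RECORD_V2 entries, the layout documented in the Windows SDK winioctl.h, from a $J extract and keeps only records whose reason mask carries USN_REASON_FILE_DELETE. Moves into the recycle bin appear in the journal as RENAME_OLD_NAME/RENAME_NEW_NAME records and are deliberately not counted as deletions, which is exactly the distinction drawn above. The input here is a constructed $J (a zero run standing in for the sparse region, followed by seven hand-built records), not data from any real case; the per-day grouping at the end is one way to answer the original "isolated incident or regular action" question.

```python
"""Parse an NTFS change journal ($UsnJrnl:$J, USN_RECORD_V2) and build a
deletion timeline. Sample data below is constructed, not from a real volume."""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Reason flags as defined in the Windows SDK (winioctl.h).
USN_REASON_FILE_CREATE     = 0x00000100
USN_REASON_FILE_DELETE     = 0x00000200
USN_REASON_RENAME_OLD_NAME = 0x00001000
USN_REASON_RENAME_NEW_NAME = 0x00002000
USN_REASON_CLOSE           = 0x80000000

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# USN_RECORD_V2 fixed header, 60 bytes, little-endian:
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset
HEADER = struct.Struct("<IHHQQqqIIIIHH")


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_usn_records(data):
    """Yield one dict per USN_RECORD_V2 found in `data`.

    A real $J starts with a large sparse (zero-filled) region and records are
    8-byte aligned, so a zero RecordLength or a non-V2 header just advances
    the cursor by 8 bytes and scanning continues."""
    off = 0
    while off + HEADER.size <= len(data):
        (rec_len, major, _minor, frn, parent_frn, usn, ts, reason, _src,
         _sid, _attrs, name_len, name_off) = HEADER.unpack_from(data, off)
        if rec_len == 0 or major != 2 or rec_len < HEADER.size \
                or off + rec_len > len(data):
            off += 8
            continue
        name = data[off + name_off:off + name_off + name_len]
        yield {
            "usn": usn,
            "timestamp": filetime_to_datetime(ts),
            "reason": reason,
            "frn": frn,
            "parent_frn": parent_frn,
            "name": name.decode("utf-16-le", "replace"),
        }
        off += rec_len


def deletion_timeline(records):
    """Records for files actually removed from the volume, in journal order.
    Recycle-bin moves are rename records and therefore do not qualify."""
    return sorted((r for r in records if r["reason"] & USN_REASON_FILE_DELETE),
                  key=lambda r: r["usn"])


def deletions_per_day(deletes):
    """Count true deletions per UTC day: one busy day vs a recurring pattern."""
    return Counter(r["timestamp"].date().isoformat() for r in deletes)


def build_record(usn, when, reason, name, frn=0x10000000000ABC, parent=0x5):
    """Build a USN_RECORD_V2 for the constructed sample journal."""
    enc = name.encode("utf-16-le")
    rec_len = (HEADER.size + len(enc) + 7) & ~7          # 8-byte aligned
    body = HEADER.pack(rec_len, 2, 0, frn, parent, usn, datetime_to_filetime(when),
                       reason, 0, 0, 0x20, len(enc), HEADER.size) + enc
    return body.ljust(rec_len, b"\x00")


def _ts(y, m, d, hh, mm):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed $J: a zero run (stand-in for the sparse region) plus records
# showing a recycle-bin move (renames, not deletions) and weekly true deletions.
SAMPLE_J = b"\x00" * 4096 + b"".join([
    build_record(1000, _ts(2014, 3, 3, 9, 12), USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "budget.xlsx"),
    build_record(1100, _ts(2014, 3, 3, 9, 15), USN_REASON_RENAME_OLD_NAME, "budget.xlsx"),
    build_record(1200, _ts(2014, 3, 3, 9, 15), USN_REASON_RENAME_NEW_NAME | USN_REASON_CLOSE, "$RABC123.xlsx"),
    build_record(1300, _ts(2014, 3, 10, 18, 40), USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "$RABC123.xlsx"),
    build_record(1400, _ts(2014, 3, 10, 18, 41), USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "notes.txt"),
    build_record(1500, _ts(2014, 3, 17, 18, 39), USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "draft_v2.docx"),
    build_record(1600, _ts(2014, 3, 24, 18, 45), USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "old_contract.pdf"),
])

if __name__ == "__main__":
    deletes = deletion_timeline(parse_usn_records(SAMPLE_J))
    for r in deletes:
        print(r["timestamp"].isoformat(), r["name"], hex(r["reason"]))
    print(dict(deletions_per_day(deletes)))
```

To use it on a real extract, export $UsnJrnl:$J from the NTFS volume with the forensic tool of your choice and pass its bytes to parse_usn_records; the journal only covers the retention window the volume kept, so an absence of FILE_DELETE records is not evidence that nothing was deleted earlier.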
Greetings,
Would you be so kind as to elaborate on why one should not use EnCase's "File Deleted" times for true deletion times?
-David
Because they are (obviously in many cases or maybe always?) *not* true deletion times, of course, just the times when certain files were moved to a directory in the file system that the Windows operating system uses for a special purpose (as a recycle bin), and IMO that is just one example of awful misinformation in that software, to put it mildly.
Stefan
not EnCE