X-Ways WinHex Templates - Deleted Files Timeline

25 Posts, 13 Users, 0 Reactions, 3,983 Views
finbarr (@finbarr)

Stefan,
I wish this forum had a 'like' button I could click!


   
JonN (@jonn)

> one example of awful misinformation in that software

I'm not here to stick up for Guidance, or anyone else for that matter, and I'm not here to have a go at anyone, but surely a lot of misunderstanding that comes about from the information that forensic software shows is down to lack of knowledge from the examiner, either about the file system they are examining or the software they are using (respectfully, none of it is self explanatory)

In every piece of software there are columns that give pieces of information that can be taken in different ways, but surely it is down to an examiner to have enough knowledge about where the forensic software gets that piece of information from to be able to make an informed decision about it.


   
binarybod (@binarybod)

> In every piece of software there are columns that give pieces of information that can be taken in different ways, but surely it is down to an examiner to have enough knowledge about where the forensic software gets that piece of information from to be able to make an informed decision about it.

From the EnCase help
[The] File Deleted [column] shows the deletion time and date of files associated with a Recycle Bin record.

From the X-Ways manual
Deletion*
The date and time the file or directory was deleted. Available generally on Linux filesystems and possibly on NTFS (after a particularly thorough file system data structure search and viewing/previewing the $UsnJrnl:$J file on the volume, if there is any). Not to be confused with so-called deletion timestamps that other forensic tools may show you on NTFS volumes, for files that have not even been deleted from the file system.

Analyst, know thy tool!

Paul
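The two passages quoted above disagree about what a "deletion" timestamp is, and the difference comes down to which on-disk structure each tool reads. As an added example, not part of this thread and not code from either vendor: the Recycle Bin record that the EnCase help text refers to is, on Windows Vista and later, the $I<random> file that Explorer writes next to the renamed $R<random> file when a file is moved to the Bin. The parser below decodes that record in both public layouts (version 1, Vista to 8.1, with a fixed 520-byte path field; version 2, Windows 10 onward, with a length-prefixed path) and makes the point concrete: the only timestamp in the record is the FILETIME of the move into the Bin. A file removed with Shift+Delete, deleted from a command prompt, or purged when the Bin is emptied never gets such a record, so a "File Deleted" column fed from $I files is silent for exactly those cases. The sample records are constructed inside the block; the path, size and time in them are made up.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime (sub-microsecond ticks dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the constructed samples."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400_000_000 + delta.seconds * 1_000_000 + delta.microseconds) * 10


@dataclass
class RecycleBinRecord:
    version: int                # 1 = Vista..8.1 layout, 2 = Windows 10+ layout
    original_size: int          # size of the file when it was moved to the Bin
    moved_to_bin_utc: datetime  # the ONLY timestamp the record holds
    original_path: str          # where the file lived before the move


def parse_dollar_i(data: bytes) -> RecycleBinRecord:
    """Parse one $I<random> record. Raises ValueError on unknown versions or truncated input."""
    if len(data) < 24:
        raise ValueError("too short for a $I header (need 24 bytes)")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Fixed 520-byte field: 260 UTF-16LE code units (MAX_PATH), NUL-padded.
        raw = data[24:24 + 520]
        if len(raw) != 520:
            raise ValueError("version 1 record truncated")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        # 4-byte count of UTF-16LE code units (includes the terminating NUL), then the path.
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("version 2 record truncated")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return RecycleBinRecord(version, size, filetime_to_datetime(ft), path)


def build_dollar_i(version: int, size: int, moved_utc: datetime, path: str) -> bytes:
    """Construct a $I record for testing; mirrors the two layouts parse_dollar_i understands."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(moved_utc))
    if version == 1:
        raw = path.encode("utf-16-le")
        if len(raw) > 518:  # leave room for at least one NUL in the 520-byte field
            raise ValueError("path too long for a version 1 record")
        return header + raw.ljust(520, b"\x00")
    if version == 2:
        raw = (path + "\x00").encode("utf-16-le")
        return header + struct.pack("<I", len(raw) // 2) + raw
    raise ValueError(f"unknown $I version {version}")


# Constructed sample records (hypothetical path, size and time; not from a real system).
SAMPLE_MOVED_UTC = datetime(2023, 3, 15, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\alice\Documents\report.docx"
SAMPLE_V1 = build_dollar_i(1, 48_213, SAMPLE_MOVED_UTC, SAMPLE_PATH)
SAMPLE_V2 = build_dollar_i(2, 48_213, SAMPLE_MOVED_UTC, SAMPLE_PATH)

if __name__ == "__main__":
    for blob in (SAMPLE_V1, SAMPLE_V2):
        rec = parse_dollar_i(blob)
        print(f"v{rec.version}: {rec.original_path} ({rec.original_size} bytes) "
              f"moved to Recycle Bin at {rec.moved_to_bin_utc.isoformat()}")
```

Run against real $I files from \$Recycle.Bin\<SID>\ on an image, the field named moved_to_bin_utc is what a tool will label "deleted": treat it as the time the user (or a process acting as the user) sent the file to the Bin, not as the time the data left the file system. On Windows XP the equivalent record was the per-user INFO2 file, which this parser does not handle.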


   
(@jonathan)

> one example of awful misinformation in that software
>
> I'm not here to stick up for Guidance, or anyone else for that matter, and I'm not here to have a go at anyone, but surely a lot of misunderstanding that comes about from the information that forensic software shows is down to lack of knowledge from the examiner, either about the file system they are examining or the software they are using (respectfully, none of it is self explanatory)
>
> In every piece of software there are columns that give pieces of information that can be taken in different ways, but surely it is down to an examiner to have enough knowledge about where the forensic software gets that piece of information from to be able to make an informed decision about it.

Agreed, but I think it's reasonable to expect what EnCase refers to as "deletion time and date" to be the deletion time and date. As such, I agree with Stefan; it's misinformation on EnCase's part.

Which leads to the question, how many times has this misinformation gone towards finding people wrongfully guilty/not guilty?


   
JonN (@jonn)

But how is it misinformation when the user guide tells you what it means, and anyone who has attended CF2 (or Intermediate as it used to be called) is taught what it means?

If that information has been used to wrongfully convict/not convict people, then that's down to the examiner and not the tool.


   
sfxw (@sfxw)

I can understand it's possible to argue like that, but it's quite hard.

The user interface says it's a deletion date, but it is not.
The user interface describes a folder as an archive, but it is not.
The user interface says an e-mail address is a folder, but it is not. (http://www.x-ways.net/EnCase.png)
The user interface says an e-mail address is a DOS executable file, but it is not.
The user interface says a partition is "C", but it is not.
The user interface says that $BadClus$Bad has a physical size of … bytes, but it has not.
The user interface says in the main window caption it's "Forensic", but …

I'm biased.
Stefan


   
JonN (@jonn)

And X-Ways is perfect, right? )
Sadly I'm not an X-Ways user so I can't say, and as I've said I'm not here to stick up for Guidance.

The whole point of the issue that I appear to have raised is that what a piece of forensic software shows you means 'something', they don't just pluck a date and time out of the ether for the sake of it, the information comes from somewhere, but it's very much down to an examiner to know WHERE that particular piece of information comes from and so knows how to use that piece of information.

The File Deleted time means something right? It's not just plucked out of nowhere, and the user manual tells you where it comes from, so that you can put it into the correct context. You personally may not agree with them calling it that, but that's something you need to take up with them, I'm happy with them calling it that as long as I'm happy I know what it really means and where the information comes from, in the same way that in any other piece of software I know what all their columns mean and where the information comes from.

It's still down to an examiner to know how their tool works.


   
(@jonathan)

> But how is it misinformation when the user guide tells you what it means, and anyone who has attended CF2 (or Intermediate as it used to be called) is taught what it means?

As it's reasonable to expect that what it says is what it means; if it doesn't then it misinforms. Whatever software people use, we know what they mean on referring to 'logical size', 'MD5 hash', 'unallocated areas', 'created date', 'modified date' and so on. To have to wring sense out of a 14-word 'definition' in the manual or fork out £2k on a course to learn a parallel set of definitions to accepted terminology is counter-intuitive (if not plain daft).


   
JonN (@jonn)

Then I guess it comes down to perspective and maybe what you're used to.

Ok, I'm an EnCase man, it's what I predominantly use in my environment, because it's what we've always had. The File Deleted column is only populated in specific circumstances, so you'd have to say that the majority of the files that you'd look at wouldn't have this time showing anyway, so there wouldn't be an issue raised as to what that time meant.

Surely in order to get the best out of any software, it's best to read the manual (or at least know where the manual is to refer to!!) and to get training, then we'd get to know what that software meant by File Deleted.

Now, if I was to buy another piece of software and find that after doing some stuff, there was a column that said 'Deleted' and had times populated, I'd maybe scratch my head and wonder what it meant and where it came from, at least from the perspective of what I'm used to, and if I had a manual I'd go off and read it (50+ words if Paul's post is correct). I don't know how much training courses cost for this other product, but I'm guessing they're not free, so I'd still have to pay something to learn properly what it meant.

It's semantics to a large degree, and we'll probably have to agree to disagree.

The fact still remains that examiners should have sufficient knowledge of the tool and where it's getting its information from, something we all seem to agree on.


   
binarybod (@binarybod)

> And X-Ways is perfect, right? )

No, but in my experience I can trust the results in X-Ways much more than the results in any of the other major tools.

Paul


   
Page 2 / 3