And X-Ways is perfect, right? )
No, but in my experience I can trust the results in X-Ways much more than the results in any of the other major tools.
Paul
I feel the same. I've used a fair few forensic tools over the past 8 years and X-Ways Forensics is the one I trust the most. In my experience its accuracy, speed and integrity are unsurpassed.
Not to mention the excellent tech support…
SEMANTICS!
(Caveat; I use EnCase mostly, but I have attended the XWF course and am campaigning to get us some licences - it is amazing software)
The problem, specifically with "Deletion date", is that as forensic analysts we really have one name for two different "delete" operations - one for temporary deletion and one for permanent deletion.
Is EnCase incorrect for dating the temporary deletion of a file as the "Deletion Date"? No, it is not. The operation in Windows is called "Delete". You press "Delete" or choose "Delete" from the context menu to do it. The confirmation dialog box is called "Delete File" in Windows 7 and "Confirm File Delete" in Windows XP.
But man, Linux! Bet that doesn't do these shenanigans. Well, Ubuntu removes the file to the Trash if you press the "Delete" key. If you use the context menu it does only give you the option to "Move to WasteBasket", though, which is strictly correct. BUT when something is moved to the Trash, a corresponding .trashinfo file is created, and what do we find in there? Why, a "DeletionDate" key! )
Also, check this quote out from the official documentation for Ubuntu
When you delete an item it is moved to the Trash folder, where it is stored until you empty the trash.
So really, the operation the user is performing is "delete", and so therefore the "File Deleted" column is, technically, correct. If a forensic examiner uses this date and says in his report "the user deleted myfilth.jpeg at 1410 on 16th May 2011", is this untrue? No.
(Of course, they should also discuss the Recycle Bin)
But, yeah - SEMANTICS!
And while we're on the subject of CF terms, XWF is hardly safe from this - if you go on the CF Foundation course at Cranfield you get a stern warning if you refer to unallocated clusters as "free space" 😉
(edit; neatened up the post and corrected spelling)
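For anyone who wants to see exactly what that post is describing, here is an added example (my own code, not from the original post or any of the tools discussed) that parses a freedesktop.org Trash-spec .trashinfo file and pulls out the DeletionDate key; the file body and the path/timestamp in it are constructed sample data.

```python
import configparser
from datetime import datetime
from urllib.parse import unquote

# Constructed sample of a .trashinfo file as written under
# ~/.local/share/Trash/info/ when a file is moved to the Trash.
# The "DeletionDate" key records the move to Trash, not the moment
# the Trash was emptied.
SAMPLE_TRASHINFO = """[Trash Info]
Path=/home/alice/Pictures/my%20file.jpeg
DeletionDate=2011-05-16T14:10:23
"""


def parse_trashinfo(text):
    """Return (original_path, deletion_datetime) from a .trashinfo body.

    Path is percent-encoded per the spec, so it is decoded here.
    DeletionDate is ISO 8601 local time with no timezone designator,
    so the result is a naive datetime; the examiner still has to
    establish the machine's timezone separately.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if "Trash Info" not in cp:
        raise ValueError("missing [Trash Info] section")
    sec = cp["Trash Info"]
    if "Path" not in sec or "DeletionDate" not in sec:
        raise ValueError("Path and DeletionDate are both required")
    path = unquote(sec["Path"])
    when = datetime.strptime(sec["DeletionDate"], "%Y-%m-%dT%H:%M:%S")
    return path, when


def describe_trash_event(text):
    """Phrase the record the way the thread argues it should be read:
    as a move to the Trash (a 'temporary' delete), not a permanent one."""
    path, when = parse_trashinfo(text)
    return "%s was moved to the Trash at %s on %s" % (
        path, when.strftime("%H%M"), when.strftime("%d %B %Y"))


if __name__ == "__main__":
    print(describe_trash_event(SAMPLE_TRASHINFO))
```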
(For explanation, when it comes to what operation should be called deletion or not, or what cluster is free or not, X-Ways Forensics adopts the point of view of the file system. The file system has a universally understandable, unambiguous system to classify a cluster as either in use or free. Everyone can check, and it does not change anymore in a dead forensic disk image. On the other hand, what clusters *EnCase* classifies as "unallocated" depends on how successful *EnCase* has been so far in finding deleted files, and that classification can change during the examination, so I can't think of a more unclear definition and avoid that term at all costs; it has been misused for too long a time.)
Personally I am more than comfortable with the term "free space". )