SANS Digital Forensics and Incident Response Blog: Tag - file format

Dates from Unallocated Space

By John McCash

A recent podcast I listened to (Forensic 4cast - Well worth the time to listen to it) made a statement which I took as an implication that files recovered from unallocated space were useless in most investigations because they lacked the filesystem metadata, specifically the MAC times. While it's true that the lack of this data can be a significant handicap, I disagreed rather strongly with that, and my disagreement forms the basis for this blog entry. I did follow up with Lee (Hi Lee!) at Forensic 4cast, and such a blanket implication was unintentional. Nonetheless, I think it worthwhile to enumerate for the community a number of points to consider when sieving through unallocated space.

Dates in particular, as well as other file metadata, can be extracted from many file types. Additionally, often filesystem


Windows Viewers & Information Extractors for Various File Types

I'd been doing a bit of work with EnCase to optimize my configuration and minimize the amount of work required to view various file types or extract specific data from them. The results from this are a list of applications and a few associated options for use in employing them as viewer plugins for your forensic tool of choice.