Hi,
I set up a test XP workstation and then selected a folder with data for deletion, followed by emptying the Recycle Bin.
Running OSForensics, I looked at the deleted data. I noticed the access time did not correspond to the time I performed the deletion. The creation and modification dates seem OK. I double-checked the XP Windows registry, and the access time stamp is not set to off.
I then tried to run the same disk with Autopsy. The deleted files recovered show the correct access time, when I deleted the data. That means the access time is on the disk but was reported differently by OSForensics.
My question here is: which access time stamp does the software use when reporting on the deleted data?
Is there a simple way for me to use OSForensics to locate the MFT table or the Magic file number of the deleted file, so that I can then perform some offset counting to locate the time stamp and double-check things? Could it be a matter of which access time stamp was used, $FILE_NAME or $STANDARD_INFORMATION?
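The offset counting asked about above, as an added example that is not part of the original post and is not OSForensics or Autopsy code: it walks the attributes of one raw MFT record and returns the four timestamps from $STANDARD_INFORMATION and from each $FILE_NAME, so the two access times can be compared directly. It assumes the record's update-sequence fixups have already been applied; `build_attr` and `sample_record` are hypothetical helpers that construct a test record.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SI_TYPE, FN_TYPE, END_MARK = 0x10, 0x30, 0xFFFFFFFF
NAMES = ("created", "modified", "mft_changed", "accessed")

def filetime(raw):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime."""
    return EPOCH_1601 + timedelta(microseconds=raw // 10)

def parse_record(rec):
    """Return the in-use flag and the $SI / $FN timestamps of one MFT record."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    # Header: offset of first attribute at 0x14, record flags at 0x16
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    out = {"in_use": bool(flags & 0x01), "SI": None, "FN": []}
    pos = attr_off
    while pos + 0x18 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == END_MARK or alen == 0:
            break
        if atype in (SI_TYPE, FN_TYPE) and rec[pos + 8] == 0:  # resident only
            body = pos + struct.unpack_from("<H", rec, pos + 0x14)[0]
            # $SI times start at body+0; $FN times follow an 8-byte parent ref
            start = body if atype == SI_TYPE else body + 8
            times = dict(zip(NAMES, map(filetime, struct.unpack_from("<4Q", rec, start))))
            if atype == SI_TYPE:
                out["SI"] = times
            else:
                out["FN"].append(times)
        pos += alen
    return out

def build_attr(atype, content):
    """Constructed test data: a resident, unnamed attribute."""
    length = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHH", atype, length, 0, 0, 0x18, 0, 0, len(content), 0x18, 0)
    return (hdr + content).ljust(length, b"\0")

def sample_record():
    """Constructed 1024-byte record of a deleted file (flags = 0), not real disk data."""
    def ft(y, m, d):
        return int((datetime(y, m, d, tzinfo=timezone.utc) - EPOCH_1601).total_seconds()) * 10**7
    si = struct.pack("<4Q", ft(2012, 1, 1), ft(2012, 1, 2), ft(2012, 1, 2), ft(2012, 3, 5)) + bytes(16)
    fn = struct.pack("<Q4Q", 5, *[ft(2012, 1, 1)] * 4) + bytes(26)
    head = (b"FILE" + bytes(0x10) + struct.pack("<HH", 0x38, 0)).ljust(0x38, b"\0")
    return (head + build_attr(SI_TYPE, si) + build_attr(FN_TYPE, fn) + struct.pack("<I", END_MARK)).ljust(1024, b"\0")
```

To check a real record, pass `parse_record` the raw 1024 bytes of the file's MFT entry exported from a hex viewer and compare `SI["accessed"]` with `FN[n]["accessed"]` against what each tool displays.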