NTFS Undelete (and leap year) Test # 1 ( WE passed )
tests were performed and correct the problems of finding deleted files with respect to NTFS File System. The 3.0 version of the TSK, will resolve the two exceptions (WE = With Exceptions), not resolved in Autopsy, which does not allow viewing of the files defined Orphans and Alternate Data Stream (ADS). The test was successful as you can see the image attached. We report for completeness la descrizione dell'immagine e il risultato di PTK.
"This test image is a 6MB NTFS file system with eight deleted files, two deleted directories, and a deleted alternate data stream. The files range from resident files, single cluster files, and multiple fragments. No data structures were modified in this process to thwart recovery. They were created in Windows XP, deleted in XP, and imaged in Linux. "
DFTT test image: http://dftt.sourceforge.net/test7/index.html
0 comments:
Post a Comment