computer forensics
May 12, 2008, 12:35:22 AM
News: Welcome to the new ForensicExams.org Computer Forensics Forum.
Author Topic: INFO2  (Read 978 times)
David B.
« on: June 14, 2007, 02:12:42 PM »

There are always lots of places to start a case.  Some of my fellow examiners start by looking at all of the images in a case.  I guess this is a holdover from our old ICAC days.  However, somewhere near the top of everyone's list should be the INFO2 file.  This is the Windows file that keeps track of what was placed in the Recycle Bin and when.  EnCase and FTK both provide the native ability to parse this very important file.  The easiest is probably FTK.  It is really as easy as loading the case, then going to the Explore tab, sorting all of the file names and then looking for INFO2.  FTK displays your information in a quick and easy to understand format in the top right hand panel.  With EnCase you have to sweep stuff and move around - but you can get there.

Just a few notes from an Examiner

David
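What FTK and EnCase parse for you when they read INFO2, as an added example (my code, not the poster's): the Windows 2000/XP layout, a 20-byte header followed by 800-byte records holding the ANSI original path, record index, drive number, FILETIME deletion time, size and UTF-16 original path, as documented by public tools such as rifiuti. The sample record is constructed for the demonstration, not taken from a real system.

```python
import os
import struct
from datetime import datetime, timedelta, timezone
HEADER_LEN = 20        # five uint32 LE: version, unknown, unknown, record size, total size
ASCII_PATH_LEN = 260   # original path as an ANSI string, NUL padded
UNICODE_OFFSET = 280   # original path again as UTF-16LE (520 bytes), after index/drive/time/size
WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    return (dt - WIN_EPOCH) // timedelta(microseconds=1) * 10

def parse_info2(data):
    """One dict per record of a Windows 2000/XP INFO2 file (assumed layout, see lead-in)."""
    _version, _, _, rec_size, _total = struct.unpack_from("<5I", data, 0)
    records = []
    for off in range(HEADER_LEN, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        index, drive, ftime, size = struct.unpack_from("<IIQI", rec, ASCII_PATH_LEN)
        path = rec[UNICODE_OFFSET:].decode("utf-16-le", "replace").split("\x00", 1)[0]
        records.append({
            "index": index,
            "drive": LETTERS[drive],
            "deleted_utc": filetime_to_utc(ftime),
            "size": size,
            "original_path": path,
            # Name the file carries inside the Recycler folder: D<drive letter><index><ext>
            "recycler_name": "D%s%d%s" % (LETTERS[drive].lower(), index, os.path.splitext(path)[1]),
            # Windows zeroes the first ASCII byte when the user restores the file from the bin.
            "restored": rec[0] == 0,
        })
    return records

def build_record(path, index, drive, deleted, size):
    """Constructed sample record in the same layout (test data, not from a real system)."""
    ascii_part = path.encode("ascii", "replace").ljust(ASCII_PATH_LEN, b"\x00")
    meta = struct.pack("<IIQI", index, drive, utc_to_filetime(deleted), size)
    return ascii_part + meta + path.encode("utf-16-le").ljust(520, b"\x00")

SAMPLE_INFO2 = struct.pack("<5I", 5, 0, 0, 800, 0) + build_record(
    r"C:\Documents and Settings\user\Desktop\plan.doc", 7, 2,
    datetime(2007, 6, 14, 14, 12, 42, tzinfo=timezone.utc), 24576)

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        print(r["deleted_utc"], r["recycler_name"], r["original_path"])
```

Run against a carved INFO2 the same way: `parse_info2(open("INFO2", "rb").read())`; a record whose `restored` flag is set shows a file the user put in the bin and later pulled back out.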