Many forensic investigations will scan a complete hard disk for possible interesting strings. The result will be that the string is found in several sectors, but then there is the problem of discovering which files these sectors relate to.
CnW recovery software has a feature within the log to provide an answer to this question. As CnW retains all locations of file fragments, the sme information can be used to discover if a sector is used within any files. This with thelog, the user can search for a specific sector and it will indicate if it is part of a file, or even files. A sector can be marked as part of several files if one has been overwritten by a later file.
If the sector is not part of a file, then it indicates that the data has been found in unallocated space - whch can of course be carved to obtain possibly useful files
No comments:
Post a Comment