Forensic-Trace feature of ReclaimePro

[harry77]

Hello,

unter https://www.reclaime-pro.com/manual/forensic-trace.aspx the following is written:

->In ReclaiMe Pro, you can get forensic trace file(s) for the recovered files in .CSV format.
->This feature allows you to know where file metadata like timestamps and file content
->are located on the storage device you are investigating.


Question:
Why it's of importance for a forensic examiner to know where metadata like timestamps and file content are located on the storage device?


Any feedback is appreciated very much. Thank's!

Harry

[Arch Stanton]

In data recovery to put it simply, you just want the data. And so does client. Where you got it, how you got it and all that is irrelevant.

In forensics knowing where a file was, at what time created etc. etc. may be even more relevant than the actual file contents, or equally important. For example, If I am accused of having for example typed some threat, or having forged a document at some time and place, such trace evidence might prove the document was crafted during a time said PC was not in my possession and thus relevant.

Anyway, ReclaiMe Pro didn't always have this feature, it was requested/suggested by someone working in forensics.

Another example: I was once asked to make a jpeg readable (it is was 90% gray) for a forensic case which I did. I was asked a detailed report about what I did and video record the repair so that the forensic guy could tie the file I produced was in fact the same file he pulled from some storage device. IOW, he had to document everything, where he got the file, how he got it and how I repaired it. In such cases this trace information seems vital to me.

Disclaimer: I am not working in forensics, I used my imagination while answering the first example, the second did happen.

[harry77]

Thank you very much Joep for this qualified answer. It does really help me to understand this feature!

Best regards,
Harry

[okton]

I do not work with forensic, but this sounds like ad mumbo-jumbo. Whatever they define "where" if I were working for forensic I would the tool to show where information comes from. Then I could combine information from different sources for final report.

[terminator2]

I have brought reclaim me when it was launched , since then I have only used it once. Its too CPU intensive & I did not find anything special .
I was not satisfied by fancy front end and layout.

[Arch Stanton]

I do not work with forensic, but this sounds like ad mumbo-jumbo. Whatever they define "where" if I were working for forensic I would the tool to show where information comes from. Then I could combine information from different sources for final report.

What exactly do you qualify as mumbo-jumbo? As I said I don't work in forensics but I think anyone who does will tell you chain of evidence is holy. That means a tool must log everything it got and how it got it and where it got it from. A file submitted as evidence must be traceable back to the source, every step of the way.

[Arch Stanton]

I have brought reclaim me when it was launched , since then I have only used it once. Its too CPU intensive & I did not find anything special .
I was not satisfied by fancy front end and layout.

Yes, I agree, it's too resource hungry.

[okton]

A file submitted as evidence must be traceable back to the source, every step of the way.

Thats my point, this prerequisite for forensic tool, so if they are advertising this as unique feature, that means "ad mumbo-jumbo".

[Arch Stanton]

A file submitted as evidence must be traceable back to the source, every step of the way.

Thats my point, this prerequisite for forensic tool, so if they are advertising this as unique feature, that means "ad mumbo-jumbo".

I don't see it, where they label this as unique. They just describe a reporting feature of the program. I happen to know it was explicitly requested by someone working in the forensic field.