May 24th, 2023, 10:06
Hello,
unter
https://www.reclaime-pro.com/manual/forensic-trace.aspx the following is written:
->In ReclaiMe Pro, you can get forensic trace file(s) for the recovered files in .CSV format.
->This feature allows you to know where file metadata like timestamps and file content
->are located on the storage device you are investigating.
Question:
Why it's of importance for a forensic examiner to know where metadata like timestamps and file content are located on the storage device?
Any feedback is appreciated very much. Thank's!
Harry
May 24th, 2023, 16:24
In data recovery to put it simply, you just want the data. And so does client. Where you got it, how you got it and all that is irrelevant.
In forensics knowing where a file was, at what time created etc. etc. may be even more relevant than the actual file contents, or equally important. For example, If I am accused of having for example typed some threat, or having forged a document at some time and place, such trace evidence might prove the document was crafted during a time said PC was not in my possession and thus relevant.
Anyway, ReclaiMe Pro didn't always have this feature, it was requested/suggested by someone working in forensics.
Another example: I was once asked to make a jpeg readable (it is was 90% gray) for a forensic case which I did. I was asked a detailed report about what I did and video record the repair so that the forensic guy could tie the file I produced was in fact the same file he pulled from some storage device. IOW, he had to document everything, where he got the file, how he got it and how I repaired it. In such cases this trace information seems vital to me.
Disclaimer: I am not working in forensics, I used my imagination while answering the first example, the second did happen.
May 30th, 2023, 10:16
Thank you very much Joep for this qualified answer. It does really help me to understand this feature!
Best regards,
Harry