±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36738
New Yesterday: 0 Visitors: 147

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Recovery of files from slack space / backtrack timelines

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

hvs-forensic
Newbie
 

Recovery of files from slack space / backtrack timelines

Post Posted: Apr 11, 06 17:23

Hello,
I’m working on a forensic case regarding to an abuse of an employment contract.
I have to prove, that a specific supplement to an employment contract was created / modified on a specific PC. I cloned the HDD and reviewed the image with a hex editor.

I’ve found fragments of the relevant contract text in the “free space / slack space” of the harddisc (with cluster number and offset address) and in the pagefile.sys (Windows XP/SP2). I’m not sure if the delinquent has saved the document on the harddisc or just has written and printed it on this PC without saving.

Now my question: Is it possible to trace back my findings to dates? I’ve to proof that the special document was written / modified / printed before a special date. Am I able to restore these fragments to a Word document (I suspect he has used Word) to review the metadata?
I think MAC-times are not helpful in this special scenario (slack space, pagefile.sys) because the delinquent was fired one month ago and a colleague has worked on his PC the last moth…

Any ideas how to accomplish this?
Thanks for your help  
 

Page 1 of 1