Hello Everyone,
A few more details....
The suspect , while no longer working in the Computer Science field, he used to be a programmer in the 90's. So there is a potential that he was familiar with FAT32 and used his knowledge to hide these files. *As a side note... I am attempting to obtain a forensic image from a 128GB thumb drive for this same case... and I am running into issues also... it could be coincidence... or that every piece of evidence seized will be a challenge and not your regular "I save everything into cataloged folders on my desktop" type of case...
To answer the question about the FTK error... I will be reaching out to AD to confirm. When I navigate to the Documents folder, I get the error, but the directory is still displayed. I can still see the data contained within, which includes CP. However, I cannot say whether that is all the data, or not.
Also... to answer a previous question, I see FAT1 and FAT2 among the tables. Along with VBR.
I will review all of these suggestions in more detail and see what else I can come up with.
Maybe I'll be able to post some of the HEX I see on the root and VBR in the upcoming days.
Thanks Again.
↧
