mitch wrote:
This is an interesting topic for me. Last week I had a small evidence E01. I was quite amazed at the results using different applications.
This enforced the understanding, as a practitioner, of what is actually happening. Because the case was IIoC, obviously images were of paramount importance.
Now for years, personally, the best carving tool I have come across is BLADE (my own opinion); however, it's not like IEF. (I do not personally know Graig, BTW.)
The first 2 results I did
Results
1. FTK = 0
2. IEF = 0
I then MANUALLY looked at the data, and soon realised that yep images should be there.
3. EnCase = 14
4. C4P = 16
5. BLADE = 32
The point I'm trying to make here is: don't just click away with applications to FIND THE EVIDENCE, do not depend upon applications ... Look, work it out, try other methods. If an application gives results that in your mind are not correct, then question this to yourself.
Your point is good - but it is also beneficial to understand what a particular tool does. I am only going to comment on C4P as I have done more work with that than others but one of the options with C4P for JPGs is to extract embedded thumbnails, this is turned off by default. Taking your stats at face value the discrepancy between Blade and C4P may just be that Blade is simply carving any jpgs that it finds (nothing wrong with this approach) whereas C4P (have a look at the enscript source) *could* be excluding the thumbnail.
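The effect suggested in the reply above, as an added example that is not part of the original thread and is not code from C4P, BLADE or any other tool named here: a signature-only carver counts an embedded thumbnail as its own hit, while a carver that walks the JPEG segment structure steps over it. The byte streams are constructed JPEG-shaped data and all function names are illustrative.

```python
import struct

SIG, EOI = b"\xff\xd8\xff", b"\xff\xd9"

def segment(marker, payload):
    # Marker segment: FF, marker byte, big-endian length that counts itself.
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def make_jpeg(thumbnail=b""):
    # Constructed JPEG-shaped stream (not a decodable picture). A real EXIF
    # thumbnail sits inside the APP1 TIFF structure; simplified here.
    app1 = segment(0xE1, b"Exif\x00\x00" + thumbnail) if thumbnail else b""
    scan = segment(0xDA, b"\x00" * 6) + b"\x11\x22\x33"
    return b"\xff\xd8" + segment(0xE0, b"JFIF\x00") + app1 + scan + EOI

def naive_carve(data):
    """Offset of every FF D8 FF signature, embedded thumbnails included."""
    hits, pos = [], data.find(SIG)
    while pos != -1:
        hits.append(pos)
        pos = data.find(SIG, pos + 1)
    return hits

def structured_carve(data):
    """Offsets of top-level JPEGs only: segment payloads are stepped over."""
    hits, pos = [], data.find(SIG)
    while pos != -1:
        hits.append(pos)
        cur = pos + 2
        while cur + 4 <= len(data) and data[cur] == 0xFF:
            marker = data[cur + 1]
            cur += 2 + struct.unpack(">H", data[cur + 2:cur + 4])[0]
            if marker == 0xDA:  # start of scan: image data runs to EOI
                end = data.find(EOI, cur)
                cur = len(data) if end == -1 else end + 2
                break
        pos = data.find(SIG, cur)
    return hits

# Constructed evidence: slack, a plain JPEG, filler, a JPEG with a thumbnail.
EVIDENCE = (b"\x00" * 512 + make_jpeg() + b"\xaa" * 100
            + make_jpeg(thumbnail=make_jpeg()) + b"\x00" * 64)

if __name__ == "__main__":
    print("signature carve :", naive_carve(EVIDENCE))
    print("structure-aware :", structured_carve(EVIDENCE))
```

Comparing the two offset lists shows which hits fall inside another file's extent, which is a quick way to check whether a count difference between tools is down to embedded thumbnails.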