Improved Handling of Recycle Bin Files #2127
Comments
|
Thanks @clementepaixao for the suggestion. At first I prefer the second option, to avoid hiding the real file system information. But the application already does much more complex transformations on some kinds of data and it would be more user friendly to non tech users. Not changing the FS info would be aligned to a future Metadata refactoring, proposed on #1195, where FS info would be prefixed with a fs: prefix. But it is a backwards incompatible change, possibly for iped 5.0, which is currently not scheduled to the near future. |
|
Opinions from other DEVs about which approach would be better? |
|
I prefer the second option. |
|
@markmckinnon, one of Autopsy main developers, sent below suggestion to me privately and allowed me to share it here, thanks Mark! "What we do is parse the recycle bin metadata and create a data artifact for it. We then add the file back into the Files system as a deleted file so that the investigator can also see the file where it was deleted from and what files are around it. I believe this gives the best information to the examiner" |
I have a case with multiple files of interest in the Windows Recycle Bin that can be identified by their original name. To search for them, I had to manually look for the $I of each file and check its content.
IPED marks these files as active (places them in the Recycle Bin category) and only identifies the files with the names $RXXXXXX (content) and $IXXXXXX (metadata, including the original name).
In the file system these files are active, but for the user they are deleted, which can lead to misinterpretation. Perhaps their deleted flag should be turned on.
Suggestions:
I prefer the first suggestion but the second one looks simpler and would solve most cases.
The text was updated successfully, but these errors were encountered: