Wednesday, March 19, 2014

Daily Blog #269: Cool! When did FTK start doing that? #1 Create/mod dates of Carved PDFs from PDF metadata

Hello Reader,
          Occasionally in our work we stumble across new features in our tools that suddenly make our lives easier. A long time ago I blogged about when FTK made the 'export lnk metadata' option available, which made our lives so much easier. Today I want to talk about something else they just kinda put in, and I don't know when.

FTK is now correctly parsing out the creation and modification dates (if they exist) from carved PDF files and placing them in the correct fields within the interface. This may sound simple and obvious, but for a very long time any carved file within FTK would have no time entries at all; they had no file system timestamps... they were carved. What we saw this week is that for those files that have timestamps within their metadata, FTK is now pulling them out while processing the carved file and putting them into the relevant timestamp columns.

Does this sound simple? It is, but it can be a huge time saver! Here is an example. I'm looking for an image that has been deleted and is no longer recoverable from all the usual locations (recycle bin, deleted MFT file record, shadow copy, etc.), so I have to carve to find it. I know the date the file was created on the system, as I still have a shellbag from desktop access to the file, but I believe that it is a scanned image stored in a PDF. This presents a problem, as I can't just do a keyword search for what I think the file contains, since it's an image.

You could try to OCR all of the carved PDFs and then search for keywords, but calling the OCRing of carved data (which may be incomplete and corrupted) failure prone is being kind. So instead I was able to filter my file list for carved PDFs and then sort by create date. Boom, there was one carved PDF created on the same day as the shellbag entry pointing to it. A quick preview of the file within Adobe Reader and I had what I was looking for.
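As an added example (not from the post and not FTK's code), here is a small Python scan that does by hand what the post says FTK now does for carved PDFs: pull /CreationDate and /ModDate out of raw bytes without needing an intact xref, tolerate date strings that a carve cut short or corrupted, and filter the carves down to the day a shellbag points at. The sample carves are constructed fragments, not real evidence.

```python
import re
from datetime import date, datetime, timedelta, timezone

# PDF keeps Info-dictionary timestamps as strings of the form D:YYYYMMDDHHmmSSOHH'mm'
# (ISO 32000-1, 7.9.4). Only the year is mandatory, which matters for truncated carves.
PDF_DATE_RE = re.compile(
    rb"/(CreationDate|ModDate)\s*\(D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
    rb"(?:([Zz+\-])(\d{2})?'?(\d{2})?)?"
)

def _to_datetime(g):
    """Build a datetime from the regex groups; None if the carve yielded junk."""
    year, month, day, hour, minute, second = (
        int(v) if v else dflt for v, dflt in zip(g[1:7], (0, 1, 1, 0, 0, 0)))
    tz = None
    if g[7] in (b"+", b"-"):
        off = timedelta(hours=int(g[8] or 0), minutes=int(g[9] or 0))
        tz = timezone(off if g[7] == b"+" else -off)
    elif g[7] in (b"Z", b"z"):
        tz = timezone.utc
    try:
        return datetime(year, month, day, hour, minute, second, tzinfo=tz)
    except ValueError:  # e.g. month 99 in a corrupted carve
        return None

def extract_pdf_dates(data: bytes) -> dict:
    """Scan raw bytes for CreationDate/ModDate (no xref parsing, so truncated carves
    still work). Later hits win: incremental updates append the newest Info dict."""
    found = {}
    for m in PDF_DATE_RE.finditer(data):
        dt = _to_datetime(m.groups())
        if dt is not None:
            found[m.group(1).decode()] = dt
    return found

def carved_pdfs_created_on(carved: dict, day_iso: str) -> list:
    """Names of carves whose CreationDate (as written, local clock) is on day_iso."""
    target = date.fromisoformat(day_iso)
    return sorted(name for name, data in carved.items()
                  if (created := extract_pdf_dates(data).get("CreationDate"))
                  and created.date() == target)

# Constructed sample carves (not real evidence): full, truncated, corrupted, dateless.
SAMPLE_CARVES = {
    "carved_0001.pdf": b"%PDF-1.4\n<< /Producer (scanner) /CreationDate (D:20140319093045-05'00')"
                       b" /ModDate (D:20140319093100-05'00') >>",
    "carved_0002.pdf": b"%PDF-1.5\n<< /CreationDate (D:20131201",  # cut off mid-string
    "carved_0003.pdf": b"%PDF-1.7\n<< /CreationDate (D:20149919) >>",  # month 99
    "carved_0004.pdf": b"%PDF-1.3\n<< /Title (no dates here) >>",
}
```

Point it at a directory of carved files by reading each one into `SAMPLE_CARVES`-style bytes; the date comparison is on the timestamp as the authoring application wrote it, so cross-check the UTC offset against the shellbag time if the day boundary matters.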

So the next time you are in what appears to be a huge lake of carved data trying to find a file of interest, check to see if the tool you are using is exposing the dates stored within the document metadata; it could be your ticket to a quick resolution.