Home

The forensic report produces a comprehensive summary of any recovery. If gives details of all operations performed on a disk.  In a typical case a forensic recovery may consist of disk imaging, and also recovery in possibly more than one method.  All these results can grouped into a single, comprehensive report.  The report is saved as an XML document (and XSL style sheet) so that it can be edited, and customised in Word, or just viewed using a Web viewer, such Internet Explorer.  To copy the report to a different PC, it is essential to also copy the for_report.xsl in the style subdirectory.

The job name and operator are entered on the first CnW screen.  It is a good discipline to set this up for each new job.  However, as jobs can be selected by hand in the operations list box, this is not essential.

The details included in the report are as below

Disk report

The disk report is a very simple summary of the job.  It includes the data and time of the operation, disk format, and recovery mode. The media type (eg disk file image) and the media serial number.

Disk imaging

For disk imaging, the start and end sectors are displayed, along with the MD5 hash value.  This can be very useful if the image was not complete, and part of an incremental backup.

Disk recovery details

This section gives the basic details on the recovery.  It includes which options were used, and basic file system parameters, such as cluster size and MFT start location.

Extension to signature match

This section displays all file extensions found on the disk.  It then corrolates them with the file signature found.  For a good conditiion disk, for a known file such as .jpg one would expect all files to have a known signature.  If this value is not the same it indicates either a different file type, or that the files have been corrupted (or maybe deleted).

This report will high light files that have incorrect signatures for the extension.  It could be a deliberately renamed file in an attempt to hide it.  Thus if JPEGs were renamed .DOC, there woud be a lot of .DOCs with failed signatures

There are three posible results of this test

• Signature match - the extension matches the signature of the file
• Signature different - the extension does not match the signature found.  ie a file signature has been found, but not for thisi extension
• Signature unknown - the extension does not have a known signature

Deleted file overwriting

When a file is deleted the area can be overwritten by a later file.  This part of the report will test each file where the signature and extension do not match and find if another file has been written over the start of the deleted file.  If so, the deleted file name, overwriting file name, and the date of the overwritting file will be displayed.

To help keep the report a sensible length, .tmp files are not tested

Signature to extension test

This report is similar to the report above, but starts from the file signature rather than the extension.  Again, it will be useful in finding renamed file extensions.  If JPEG files were renamed .DOC, then this report would show a lot of JPEGs with incorrect signatures.

Keyword details

If keywords have been searched for the Keyword details give a brief summary.  It will show the key word, along with the number of files it has been found in, and the total number of instances.