Hi to everyone here. I’ve been using Autopsy / TSK since 2003 (excellent work by Brian and everyone else who contributes).
I have come across an issue which is concerning but which I cannot get to the bottom of. I created an image with RapidSpar ver RS3.50d, then created a case with Autopsy 4.19.3 on Windows 10 x64 ver 21H2 Build 19044.1620. CPU AMD Ryzen 7 4800H 2.90 GHz, 24 GB RAM.
Every case is stored in its own unique folder, referenced with the hard drive model and serial number.
Upon examining the carved files I noticed some JPEG files I had seen recently.
A quick visit to a previous case confirmed that some of these JPEGs in the latest Autopsy case are actually from a previous case and in no way related to this one. I am trying to work out where the contamination has occurred. Any ideas or suggestions welcomed. The files seem to appear when Autopsy is reading offsets marked as corrupted / unrecoverable that weren’t able to be retrieved during imaging. Given how reliable this software is, it is possible it’s user error. Hopefully nothing too embarrassing.
Thanks from Eddie
OK, wow, I can’t figure out how this could have happened.
- Are the JPEGs carved files in both cases?
- If you restart your machine before opening either case, do the JPGs still appear correct?
Carved files are stored as offsets into your disk image so I’m confused about how JPGs from the other image could be loading after a reboot. These are definitely files in the $CarvedFiles folder?
If your disk image isn’t compressed (i.e., not an .E01), you could try opening it in a hex editor and see what’s at the offset it claims contains the jpg. In your case folder, look for a file similar to ModuleOutput\PhotoRec Carver\1_03-31-2022-08-56-17-0294\Unalloc_1_0_10663423\report.xml and find the entry that matches your jpg’s name (there could be several folders with similar files - just check them all). Here’s the entry for a carved JPG in a sample image and the corresponding bytes in the image:
You could potentially try moving the disk image to another drive, restarting Windows, and then reloading the case. You’ll get this prompt telling you the image is missing and you can direct it to the new location. It seems like if you do this there should be no way it could access the other image data by accident, though I also don’t think we could be reading beyond the current disk image - it would throw errors.
Is it reproducible? If you restart Windows and make a new case and just run PhotoRec, do you still see the JPGs from the other image?
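The offset check suggested above (look up the carved file in PhotoRec’s report.xml, then read those bytes out of the raw image and compare them to the carved file) can be scripted. This is added example code, not Autopsy’s or PhotoRec’s own; it assumes report.xml follows PhotoRec’s DFXML layout (a `fileobject` with a `filename` and `byte_run` elements carrying `img_offset` and `len` attributes) and an uncompressed raw image, and all sample data below is constructed.

```python
"""Cross-check a PhotoRec carved file against the raw image it was carved from."""
import io
import xml.etree.ElementTree as ET

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker


def _local(tag):
    """Strip any XML namespace so lookups work whether or not PhotoRec adds one."""
    return tag.rsplit("}", 1)[-1]


def byte_runs_for(report_xml, filename):
    """Return [(img_offset, length), ...] for the named carved file in report.xml."""
    root = ET.fromstring(report_xml)
    for fobj in root.iter():
        if _local(fobj.tag) != "fileobject":
            continue
        if filename not in [e.text for e in fobj if _local(e.tag) == "filename"]:
            continue
        return [(int(r.get("img_offset")), int(r.get("len")))
                for r in fobj.iter() if _local(r.tag) == "byte_run"]
    raise KeyError(f"{filename} not found in report")


def read_runs(image, runs):
    """Concatenate the image bytes the report says the carved file occupies."""
    if isinstance(image, (bytes, bytearray)):  # allow in-memory images for testing
        image = io.BytesIO(image)
    out = bytearray()
    for offset, length in runs:
        image.seek(offset)
        chunk = image.read(length)
        if len(chunk) != length:  # a run past the end of the image is itself a red flag
            raise ValueError(f"byte run at offset {offset} extends past end of image")
        out += chunk
    return bytes(out)


def verify_carved_jpeg(image, report_xml, filename, carved_bytes):
    """True only if the bytes at the reported offsets are a JPEG and equal the carved file."""
    data = read_runs(image, byte_runs_for(report_xml, filename))
    return data.startswith(JPEG_SOI) and data == carved_bytes


# Constructed sample data (not from any real case): a fake JPEG at image offset 4096.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"
SAMPLE_IMAGE = b"\x00" * 4096 + SAMPLE_JPEG + b"\x00" * 512
SAMPLE_REPORT = f"""<dfxml xmloutputversion='1.0'><fileobject><filename>f0000008.jpg</filename>
<byte_runs><byte_run offset='0' img_offset='4096' len='{len(SAMPLE_JPEG)}'/></byte_runs></fileobject></dfxml>"""

if __name__ == "__main__":
    print(verify_carved_jpeg(SAMPLE_IMAGE, SAMPLE_REPORT, "f0000008.jpg", SAMPLE_JPEG))
```

On a real case, open the raw image with `open(path, "rb")` and pass the bytes of the file from $CarvedFiles as `carved_bytes`; a False result means the carved file does not match what is actually at that offset in this image.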