Knowledgebase: E3
Defining NTFS Filesystem Evidence Settings
Posted by Jack H. Ward on 05 February 2018 03:33 AM

The NTFS filesystem evidence settings are settings that define the parameters of opening filesystem evidence (disks and disk images) with an NTFS filesystem.

To define the default NTFS settings, use Electronic Examiner Evidence options.

The following settings are available:

  • Search deleted files and folders: If selected, this option activates the deleted files and folders search and recovery when opening evidence.
  • Add the Trash folder to the NTFS root: If selected, this option allows the user to add the special Trash folder in which deleted files and folders are placed (available only if the Search deleted files and folders option is selected).
  • Recover folders structure for bad images: If selected, this option allows the user to recover folder structure for damaged disk images.
  • Add the Unallocated Space folder to the NTFS root: If selected, this option allows the user to recover the current contents of the free parts of a disk which may include temporary data parts of deleted data, etc.

There are two ways to define NTFS settings:

  • Immediately after adding the NTFS filesystem evidence you are asked to define its settings.
  • While working with Electronic Evidence Examiner, you can change the NTFS settings of the currently opened evidence. To do this, right-click its Evidence node and select Settings. Change the available settings and click Reload to apply them. Click Yes in the confirmation window.
(0 vote(s))
Helpful
Not helpful

Comments (0)