A log of all actions taken
The forensic report is a feature that is part of the Forensic log option. It is designed to track all actions taken with the disk, explanation of errors, and also verification tests taken.
The log starts with results with from the wizard initial validation of the drive. This may indicate physical errors, or logical errors on the disk. Details of each type of disk are logged, and where possible analysed.
NTFS forensic details
When a NTFS disk is read the following parameters are logged
● Recover mode
● Cluster size
● Starting MFT cluster
● Start MFT sector number
● Length of MFT - in clusters
● Relative sector - ie starting sector of the partition
● $logfile header found
● $logfile header verified
● $logfile analysis - development in progress
● $bitmap - cluster count
● $bitmap - max cluster count
For a FAT disk, the following parameters are logged
● Recover mode
● Cluster size
● Start of FAT
● Cluster 2 location
● Start of directory
Once copying and recovery of files is started any action that may affect the data, or file being recovered is logged. The most common ones are where a directory path cannot be resolved, or when a FAT32 disk has had to search for a deleted file, based on file signature.
The export button will export the file as a .CSV file, along with normal file listing