Timeline analysis of the NTFS filesystem: fake software and fake truth?

You may hear or read about file recovery procedures, file timelines and the recovery of timestamps from hard disks, USB sticks and SD flash cards, whether attached to a PC, to a tablet or inside a mobile phone.

Many software packages have been developed that promise to answer these questions.
But what is the truth?

All this information is strictly tied to the filesystem.
Are the results obtained reliable?
Or better... are they reliable enough to go back to the time of a murder, for example?

That is: can they have legal validity in court?

For the FAT filesystem there is an official Microsoft paper, Microsoft Extensible Firmware Initiative, FAT32 File System Specification, which gives the formulas to apply in the reverse engineering operations devoted to recovering metadata.
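As an added illustration (not code from the specification or from any forensic tool), the following Python sketch decodes the three timestamps of a FAT short directory entry using the bit layouts that specification documents. The function names and the sample entry are constructed for this example; the comments note the resolution of each field, which bounds what a timeline built from it can claim.

```python
import struct
from datetime import date, datetime

# 32-byte short directory entry: name, attr, NTRes, CrtTimeTenth, CrtTime,
# CrtDate, LstAccDate, FstClusHI, WrtTime, WrtDate, FstClusLO, FileSize
ENTRY = struct.Struct("<11sBBBHHHHHHHI")

def fat_date(v):
    """Bits 15-9: years since 1980, bits 8-5: month, bits 4-0: day."""
    try:
        return date(1980 + (v >> 9), (v >> 5) & 0x0F, v & 0x1F)
    except ValueError:          # e.g. 0x0000 means the field was never set
        return None

def fat_datetime(d, t, tenths=0):
    """Bits 15-11: hours, 10-5: minutes, 4-0: seconds/2; tenths is 0-199 (10 ms units)."""
    day = fat_date(d)
    hh, mm, ss = t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2
    if day is None or hh > 23 or mm > 59 or ss > 58 or tenths > 199:
        return None
    return datetime(day.year, day.month, day.day, hh, mm,
                    ss + tenths // 100, (tenths % 100) * 10_000)

def parse_entry(raw):
    """Decode the three timestamps; values are local time, no time zone is stored."""
    (name, _attr, _nt, tenth, ctime, cdate, adate,
     _hi, wtime, wdate, _lo, size) = ENTRY.unpack(raw[:32])
    return {
        "name": name.decode("ascii", "replace"),
        "size": size,
        "created": fat_datetime(cdate, ctime, tenth),   # 10 ms resolution
        "accessed": fat_date(adate),                     # date only, no time
        "written": fat_datetime(wdate, wtime),           # 2 s resolution
    }

# Constructed sample entry (not taken from a real volume)
SAMPLE = ENTRY.pack(
    b"REPORT  TXT", 0x20, 0, 150,
    (14 << 11) | (30 << 5) | 3, (39 << 9) | (3 << 5) | 15,   # created
    (39 << 9) | (3 << 5) | 16,                                # accessed
    0,
    (14 << 11) | (31 << 5) | 29, (39 << 9) | (3 << 5) | 15,  # written
    2, 1234)

if __name__ == "__main__":
    for key, value in parse_entry(SAMPLE).items():
        print(f"{key:9}{value}")
```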

But what about the NTFS filesystem?

"NTFS is proprietary. I don't think a full set of official and definitive documentation for the theory of operations and on-disk structures exists, outside of licensed and non-disclosable Microsoft documents, which are not available to regular end-users.
.......
There is an enormous amount of information about NTFS available from the various projects
.......
Since that information was usually gathered from black-box analysis, its correctness is doubtful."

https://forums.freebsd.org/threads/ntfs-hfsplus-architecture-documents.65635/#post-385888
 