
Can anyone tell me, in really layman's terms, what EnCase's deleted files actually represent, the ones with the red warning circle round them? Where is it pulling these from, and how do they differ from files in unallocated space? Are these files from unallocated space, or something else? It's almost like they are "semi deleted" and files that are in "unallocated" are "fully deleted". Can you let me know, as it's of interest to me. How does a file come to be viewable via EnCase's "deleted icon" in the table view, and how does a file come to be totally unseen until you carve it from unallocated space?

asked 12/13/2011 11:23


pma111 ♦♦


4 Answers:
I was perhaps thinking along the lines that files in unallocated were deleted a long time ago, yet files EnCase can still see and list in the table view as deleted or deleted/overwritten are recently deleted files? Any truth in this?

answered


pma111

If you look at the record for the file within the Master File Table, at offset 0x22, for a length of two bytes, there is a flag which tells you whether it is deleted:
hex 00 00 is deleted
hex 01 00 is allocated
There is also a $Bitmap file which indicates to the system which clusters are in use.
When EnCase can see that a file is deleted and that the clusters are not in use, you'll see the deleted symbol. It will also add to the description that the file is overwritten when some or all of the clusters are marked as being in use.
Whether old or new files are overwritten depends on drive activity, since the Master File Table can grow but never shrinks. If someone deletes 10,000 files and only adds a few hundred in the next month, then the other deleted entries may be recoverable for a long time. On the other hand, if very few files are deleted, then the Master File Table entries can be overwritten quickly, in which case they aren't available for recovery.
Check out this excellent video for a visual explanation using EnCase:
http://whereismydata.wordpress.com/2009/05/02/forensics-what-happens-when-files-are-deleted/

answered 2011-12-14 at 07:24:56


SirtenKen

Ken, excuse my ignorance, but is there a typo?

"Whether old or new files are overwritten depends on drive activity, since the Master File Table can grow but never shrinks. If someone deletes 10,000 files and only adds a few hundred in the next month, then the other deleted entries may be recoverable for a long time. On the other hand, if very few files are deleted, then the Master File Table entries can be overwritten quickly, in which case they aren't available for recovery."

So the more files deleted in a period, the more chance of recovery.
The fewer files deleted in a period, the less chance of recovery.

Is that correct?

Logically I'd have thought it would be the other way round, but you're the expert.

answered 2011-12-14 at 09:14:27


pma111

NTFS is designed to reuse the directory entries that are available rather than creating new entries. When it does this, there is a marker in the entry which tells how many times the entry has been used. The rest of the entry will be overwritten and in most cases unrecoverable. If you delete a few files, the now-available entries will quickly be reused. If you delete many files, then some but not all will be reused. The ones that aren't reused are the most recoverable. Having more deleted files will lead to a better chance of recovering files, in general. This should make sense statistically as well: if you are just trying to recover deleted files, the more you delete, the better the chance you'll be able to recover at least one of them.
Did you have a chance to check out the video? Was it helpful?

answered 2011-12-15 at 10:34:09


SirtenKen
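A worked example to go with Ken's two answers above, added here and not part of the thread or of EnCase: it reads the in-use flag and the sequence number (the "how many times this entry has been used" marker) from a FILE record header, decodes the $DATA run list to find the file's clusters, checks each cluster against $Bitmap, and labels the entry allocated, deleted, or deleted/overwritten the way the table view does. The flags word is read at offset 0x16 (22 in decimal). Record number 40, the cluster numbers, the run lists and the four-step life cycle in demo() are all constructed for the example, not taken from a real volume; the update-sequence fixups that real records carry are skipped.

```python
"""Toy NTFS deleted-file classifier: FILE record flags plus a $Bitmap check.
Added example, not code from the thread or from EnCase. The MFT records, run
lists and $Bitmap are constructed in build_record()/demo(), not read from a
volume; the offsets are the standard NTFS FILE record and attribute layout."""
import struct

MFT_RECORD_SIZE = 1024
SEQ_OFFSET = 0x10         # uint16: incremented every time the record is reused
FIRST_ATTR_OFFSET = 0x14  # uint16: offset of the first attribute header
FLAGS_OFFSET = 0x16       # uint16 (offset 22 decimal): bit 0 = in use, bit 1 = directory
RECNO_OFFSET = 0x2C       # uint32: this record's own MFT number
FLAG_IN_USE, ATTR_DATA, ATTR_END = 0x0001, 0x80, 0xFFFFFFFF

def decode_runs(data: bytes, off: int) -> list:
    """Decode a non-resident run list into absolute cluster numbers (LCNs)."""
    clusters, lcn = [], 0
    while data[off] != 0:                       # 0x00 terminates the run list
        len_size, off_size = data[off] & 0x0F, data[off] >> 4
        off += 1
        run_len = int.from_bytes(data[off:off + len_size], "little")
        off += len_size
        if off_size:                            # off_size 0 = sparse run, nothing on disk
            lcn += int.from_bytes(data[off:off + off_size], "little", signed=True)
            off += off_size
            clusters.extend(range(lcn, lcn + run_len))
    return clusters

def data_clusters(record: bytes) -> list:
    """Walk the attributes; return the clusters of a non-resident $DATA stream."""
    off, = struct.unpack_from("<H", record, FIRST_ATTR_OFFSET)
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_DATA and record[off + 8]:   # byte 8 = non-resident flag
            run_off, = struct.unpack_from("<H", record, off + 0x20)
            return decode_runs(record, off + run_off)
        off += alen
    return []  # resident data (tiny file) or no $DATA attribute at all

def cluster_in_use(bitmap: bytes, cluster: int) -> bool:
    return bool(bitmap[cluster // 8] >> (cluster % 8) & 1)  # $Bitmap: 1 bit/cluster, LSB first

def classify(record: bytes, bitmap: bytes) -> dict:
    """Derive the EnCase-style label from the record flags and $Bitmap. Real records
    need their update-sequence fixups applied first; this toy skips that step."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    seq, = struct.unpack_from("<H", record, SEQ_OFFSET)
    flags, = struct.unpack_from("<H", record, FLAGS_OFFSET)
    recno, = struct.unpack_from("<I", record, RECNO_OFFSET)
    clusters = data_clusters(record)
    reused = [c for c in clusters if cluster_in_use(bitmap, c)]
    if flags & FLAG_IN_USE:
        status = "allocated"
    elif reused:
        status = "deleted, overwritten"  # some/all clusters now belong to a newer file
    else:
        status = "deleted"               # entry and clusters both free: recoverable
    return {"record": recno, "sequence": seq, "status": status, "overwritten": len(reused)}

def build_record(recno: int, sequence: int, in_use: bool, runs: bytes) -> bytes:
    """Constructed record: header, one non-resident $DATA attribute, end marker."""
    rec = bytearray(MFT_RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HHHH", rec, SEQ_OFFSET, sequence, 1, 0x38, FLAG_IN_USE if in_use else 0)
    struct.pack_into("<I", rec, RECNO_OFFSET, recno)
    runs = runs + b"\x00"
    runs += b"\x00" * (-len(runs) % 8)               # terminator, then 8-byte alignment
    attr, alen = 0x38, 0x40 + len(runs)
    struct.pack_into("<IIBBHHH", rec, attr, ATTR_DATA, alen, 1, 0, 0x40, 0, 0)
    struct.pack_into("<H", rec, attr + 0x20, 0x40)   # run list offset within the attribute
    rec[attr + 0x40:attr + 0x40 + len(runs)] = runs
    struct.pack_into("<I", rec, attr + alen, ATTR_END)
    return bytes(rec)

def mark_in_use(bitmap: bytearray, clusters) -> None:
    for c in clusters:
        bitmap[c // 8] |= 1 << (c % 8)

def demo() -> list:
    """Life cycle of MFT entry 40 against a constructed 512-cluster $Bitmap."""
    runs = bytes([0x11, 0x04, 0x64, 0x11, 0x02, 0x64])  # LCNs 100-103, then 200-201
    bitmap = bytearray(64)
    mark_in_use(bitmap, list(range(100, 104)) + [200, 201])
    states = [classify(build_record(40, 1, True, runs), bitmap)["status"]]
    # Delete: the in-use bit is cleared and the six clusters are freed in $Bitmap.
    bitmap = bytearray(64)
    gone = build_record(40, 1, False, runs)
    states.append(classify(gone, bitmap)["status"])
    # A new file is given clusters 100-101: the entry still lists, but as overwritten.
    mark_in_use(bitmap, range(100, 102))
    states.append(classify(gone, bitmap)["status"])
    # NTFS reuses entry 40 for that new file (sequence 1 -> 2): the old name is gone
    # from the MFT and what is left of its content is only reachable by carving.
    states.append(classify(build_record(40, 2, True, bytes([0x11, 0x02, 0x64])), bitmap)["status"])
    return states
```

Running demo() walks one entry through the four states the thread discusses: allocated, deleted (flag clear, clusters free), deleted/overwritten (flag clear, some clusters re-marked in $Bitmap), and finally reused by a new file with the sequence number bumped, at which point the old file no longer appears in the table view at all and only carving unallocated space can find what is left of it.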

Seen: 81301 times

Last updated: 12/17/2011 09:00