Logs

Full log of files and file locations of a data recovery operation

An important part of any disk investigation is to discover what has been done. For a forensic investigation this is extremely important. CnW Recovery therefore keeps a comprehensive log for each recovery job. The details include typical file information, such as name, size and dates, as well as information on where the file was stored, the location of directories etc. When the forensic log option is enabled, MD5 values are saved and displayed, and the Forensic Report is also enabled.

The items displayed are as below. Clicking on the header of a column sorts the log by that column in ascending order.

File displaying

    To display a file from the log, just double click on the line with the required file. For images, if the image is valid, the file will be displayed as a picture; for other files, a hex dump of the first 16MB will be displayed. This function works in the demo as well as the main program.

Export

    Any log may be exported and saved as a .csv file, with the first record being the column headers.

Hex

    The Hex box allows numbers to be displayed as hex or decimal. The exported file will be in the format selected on the screen.

Search

    The search function will list the file(s) in which a required sector has been located. If an examination of a raw file dump has found an interesting sector, this function will indicate which file it is part of. It works on fragmented files, with the limitation that only 64 fragments are actually stored. Thus if the critical sector was in fragment 70, it would be missed by the search. Where files have been deleted, multiple files could be shown for the same sector. This can be useful in determining the history of an overwritten file.

The headings on the log are as below.

# Number of entry

    A sequential number for each entry. If the column is clicked on, the log is re-sorted into the order in which it was created.

Status

    This is the status of each transfer and can be one of the following:

  • OK - File was read OK
  • MFT - entry was found on an MFT scan
  • Scan - file was found on a directory scan
  • Del - the file was detected as a deleted file
  • DeDup - The deduplication routine has deleted this file from the hard drive
  • Directory - the entry is for a subdirectory being found
  • IC - The file recovered was incomplete, typically a FAT disk where the FAT is truncated
  • Over - the file has been detected, but some or all of it may have been overwritten
  • Recv’d - The file has been recovered from unallocated space
  • Skipped - the file was skipped due to the file filter
  • Status - just a status message
  • Stub Rest - file recovered from a file stub
  • Error - an error message

File size

    This is the size of the file as determined by the directory entry. The size is in bytes. For some Raw Image recovered files, the size is recalculated to be the exact size.

Full File Name

    This is the complete file name, with the path that the file was recovered to. By sorting on this column, all subdirectories can be viewed in order.

File name

    This is just the file name part of the full file name. Although it is always part of the full file name, having a separate column means it can be sorted to help locate files with a known name.

Signature

    The signature of the file is based on the first section of the file. This may be a few bytes, or a selection of critical bytes indicating the file type. For many files the start is unique, and so JPEGs can be detected easily. Other files, in particular many Microsoft Compound Document format files, share a common file start. This means that Excel and Word documents and .MSI files all start with the same signature.

    Forensically, the signature can be a very useful indicator of files that may have been renamed in an attempt to hide them. When the signature and extension do not match, the file should be investigated (unless the two are known to be from the same family).
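The check described above, written out as an added example (not CnW Recovery's own code or its signature column): each file's leading bytes are matched against a small table of well-known magic numbers, the result is compared with the extension after the final '.', and members of one container family (here the Compound Document family, so .xls and .msi share a signature) are treated as a match rather than a mismatch. The family names and the sample file headers are constructed for the example.

```python
# Added example, not CnW Recovery code: compare a file's signature with its
# extension, allowing same-family extensions (e.g. .doc/.xls/.msi) to share one signature.

# Magic numbers are the published values for each format; the family names
# ("JPEG", "OLE2", ...) are this example's own labels, not CnW's vocabulary.
SIGNATURES = [
    (b"\xFF\xD8\xFF", "JPEG", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG", {"png"}),
    (b"%PDF-", "PDF", {"pdf"}),
    # Microsoft Compound Document (OLE2): Word, Excel, PowerPoint, .MSI all start this way
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE2", {"doc", "xls", "ppt", "msi"}),
    # ZIP container, also the basis of the Office Open XML formats
    (b"PK\x03\x04", "ZIP", {"zip", "docx", "xlsx", "pptx", "jar"}),
]


def detect_signature(head: bytes) -> str:
    """Return the family name whose magic number starts `head`, or 'Unknown'."""
    for magic, name, _ in SIGNATURES:
        if head.startswith(magic):
            return name
    return "Unknown"


def extension_of(filename: str) -> str:
    """Characters after the final '.', lower-cased; empty when the name has no '.'."""
    base = filename.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def check_file(filename: str, head: bytes) -> dict:
    """Classify one file as match / mismatch / unknown."""
    sig = detect_signature(head)
    ext = extension_of(filename)
    family_exts = next((exts for _, name, exts in SIGNATURES if name == sig), set())
    if sig == "Unknown":
        verdict = "unknown"      # no signature to compare against
    elif ext in family_exts:
        verdict = "match"        # extension belongs to the signature's family
    else:
        verdict = "mismatch"     # worth investigating: possibly renamed to hide it
    return {"file": filename, "signature": sig, "extension": ext, "verdict": verdict}


def find_mismatches(entries):
    """All (filename, head) pairs whose extension contradicts the signature."""
    return [r for r in (check_file(n, h) for n, h in entries) if r["verdict"] == "mismatch"]


# Constructed sample: the first bytes of a few recovered files (made up, not real evidence).
OLE_HEAD = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 8
SAMPLE = [
    ("recovered/photos/IMG_0001.jpg", b"\xFF\xD8\xFF\xE0\x00\x10JFIF"),
    ("recovered/docs/budget.xls", OLE_HEAD),
    ("recovered/docs/notes.txt", b"\xFF\xD8\xFF\xE1\x00\x18Exif"),   # a JPEG renamed to .txt
    ("recovered/setup/installer.msi", OLE_HEAD),                   # same family as .xls: not a mismatch
    ("recovered/misc/readme", b"plain text, no magic"),
]

if __name__ == "__main__":
    for r in (check_file(n, h) for n, h in SAMPLE):
        print(f"{r['verdict']:8} {r['signature']:7} .{r['extension']:5} {r['file']}")
```

Run against the exported log, the same logic only needs the Signature and Extension columns; the byte matching here stands in for whatever signature text the program records.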

Extension

    The extension is typically the final 3 or 4 characters of the file name, after the final ‘.’. Windows uses the extension to indicate the file type. Macintoshes use the resource fork and directory information.

Flags

    The flags are extracted from the directory and are displayed here with a single letter for each flag.

      A The archive flag is set - this is the common state

      C The file is stored as compressed - NTFS only

      D The file was detected as deleted

      H The file is hidden

      R The file is Read only

      r The file has been recovered dynamically - FAT32 only

      S The file is a system file

Start Sector

    This is the start sector of the file. The sector number is the hard disk sector number, starting at sector 0; it is not the sector relative to the partition. By sorting this column, the order in which the files are stored on the disk can be seen. This can be useful when a physical area of the disk has been damaged, as the files in that area can then be identified.

Incremental Sector

    This value is calculated purely from the start sector. Its main interest is to show gaps between files, and so it has most meaning when the log has been sorted on the start sector.

Frags

    The Frags column shows how many fragments the file is stored in. Most files are stored as a single sequence, and so have only one fragment. Long files, and files on a full disk, become fragmented. If the Frags number is double clicked, a display is given of the location of all fragments within the file. The fragment display (in hex or decimal) shows the start of each fragment, the end and also the length. All values are in sectors, using absolute sector numbers on the disk and not numbers relative to the partition.
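The Search function, the Incremental Sector column and the fragment display above all work from the same per-file fragment list, so one added example covers them. This is illustrative code, not CnW Recovery's own: it models a log entry as a list of (start, end) absolute sectors, keeps only the first 64 fragments as the manual states the program does, lists fragments as start/end/length in hex or decimal, reports every file whose stored fragments cover a given sector (deleted and live files may both match), and computes the sector gap between consecutive files once the log is sorted by start sector. The entry layout, the `0x` hex prefix and the sample sector numbers are assumptions made for the example.

```python
# Added example, not CnW Recovery code: fragment list, sector search and
# incremental-sector gaps for a recovery log.
from dataclasses import dataclass, field

MAX_STORED_FRAGS = 64   # the manual states only 64 fragments per file are stored


@dataclass
class LogEntry:
    number: int                 # the '#' column
    status: str                 # e.g. "OK" or "Del" (deleted)
    full_name: str
    # [(start_sector, end_sector)], absolute disk sectors, inclusive (assumed layout)
    fragments: list = field(default_factory=list)

    @property
    def start_sector(self) -> int:
        return self.fragments[0][0]   # assumption: Start Sector = first fragment's start

    @property
    def frags(self) -> int:
        return len(self.fragments)


def stored_fragments(entry: LogEntry):
    """Fragments the log actually retains: anything after the 64th is dropped."""
    return entry.fragments[:MAX_STORED_FRAGS]


def fragment_table(entry: LogEntry, hex_mode: bool = False):
    """Rows of (start, end, length) in sectors, in hex or decimal as the Hex box selects."""
    fmt = (lambda v: f"0x{v:X}") if hex_mode else str
    return [(fmt(s), fmt(e), fmt(e - s + 1)) for s, e in stored_fragments(entry)]


def search_sector(log, sector: int):
    """Every entry whose stored fragments cover `sector`.

    A deleted file can overlap a live one, so several entries may be returned;
    a sector inside fragment 65 or later of a file is missed, as the manual warns."""
    return [e for e in log if any(s <= sector <= e_ for s, e_ in stored_fragments(e))]


def incremental_sectors(log):
    """(entry, gap) pairs after sorting by start sector. The gap is the distance in
    sectors from the previous file's start, so large values expose unused space."""
    ordered = sorted(log, key=lambda e: e.start_sector)
    out, prev = [], None
    for e in ordered:
        out.append((e, 0 if prev is None else e.start_sector - prev))
        prev = e.start_sector
    return out


# Constructed sample log: all sector numbers are invented for illustration.
SAMPLE_LOG = [
    LogEntry(1, "OK", "recovered/docs/report.doc", [(2048, 2111)]),
    LogEntry(2, "OK", "recovered/video/clip.avi", [(4096, 4159), (8192, 8255), (2112, 2175)]),
    LogEntry(3, "Del", "recovered/old/report_v1.doc", [(2080, 2143)]),   # overlaps entry 1
    # A 70-fragment file: only fragments 1..64 survive in the log.
    LogEntry(4, "OK", "recovered/db/big.mdb",
             [(100000 + i * 16, 100000 + i * 16 + 7) for i in range(70)]),
]

if __name__ == "__main__":
    for row in fragment_table(SAMPLE_LOG[1], hex_mode=True):
        print("fragment start/end/len:", row)
    for sector in (2100, 101008, 101104):
        print(sector, "->", [e.full_name for e in search_sector(SAMPLE_LOG, sector)])
    for e, gap in incremental_sectors(SAMPLE_LOG):
        print(f"{e.start_sector:>8} +{gap:<7} {e.full_name}")
```

Sector 2100 returns both the live report.doc and the deleted report_v1.doc, which is the overwritten-file history the Search section describes; sector 101104 lies in big.mdb's 70th fragment and so returns nothing.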

Filter

    This shows whether the file filter has caused the file to be skipped. If Y, the file has not been saved because of a parameter set in the file filter.

Verify

    The verify function is used on a Raw Image recovery. If the value is Yes, the file has had some verification and is probably valid. The verification tries to determine key points of the file and whether they are correct. It will typically validate the length and, where possible, create a file name. After validation, if the file length has been changed, a new MD5 hash value will be calculated.

Dates

    CnW software will log 4 dates, based on information found on the disk:

      • Modified
      • Created
      • Accessed
      • Attribute

    The modified date is the time that the file was last changed and saved.

    The creation date was the time that the file was created on the current media. There can be cases when the creation date is later than the modified date. This will happen when a file is copied to a new disk drive, but not changed.

    Access date - this is the date the file was last accessed. It should be noted that virus scans, and backup routines can change these dates, so they may not indicate user activity.

    Attribute date - this is used on NTFS for the MFT entry. If the entry is changed, this date is updated.

Log time

    The log time is the time the entry was made in the log. It has no relation to any data on the disk and is simply taken from the PC clock.
