Overwritten fragments and locating files that use selected sectors

When performing a recovery, or forensic investigation, there will be times when a deleted file has been overwritten. It is useful to know when the happened, and by which file.

Tools within the log will assist and often give precise answers to this question, but it must also be noted that once a file has been deleted the operating system can use the sectors and directory entries as it wants, and possibly destroy useful information.

In order to track all sectors, first it is essential to do a full restore of the disk, including deleted files. This will then store important information within the log that can then be examined using a sector search and fragment display.

The two tools included within the log are as below

Fragments display

When the ‘Frags’ column in the log is clicked, a display of fragment starts and run length is displayed. Currently upto 64 fragments can be displayed in this way.

Sector Search

The search button within the log will request a sector number, and then display all files names that contain this sector. Multiple files may exist if the location has been used by one of more files that have since been deleted.

By using the two tools above it is possible to see how a deleted file may have been corrupted. and the dates, times and names of any files that wrote to those sectors.