Full log of files and file locations of a data recovery operation
An important part of any disk investigation is to discover what has been done. For a forensic investigation this is extremely important. CnW Recovery therefore keeps a comprehensive log for each recovery job. The details include typical file information, such as name, size and dates, as well as information as to where the file was stored, the location of directories etc. When the forensic log option is enabled, MD5 values are saved are displayed, and the Forensic Report is also enabled.
The items that are displayed, as as below. By clicking on the header of each column, it will be sorted in ascending order. For very large logs, this can be a slow process, so a warning is given before sorting starts. Logs of any length can be sorted.
To display a file from the log, just double click on the line with the required file. For images, if a valid image, the file will be displayed as a picture, for other files, a hex dump fo the first 16MB will be displayed. This function works for the demo as well as the main program.
Any log may be exported and saved as a .csv file, with the first record being column headers
The hex box allows numbers to be displayed as Hex, or Decimal. The exported file will be in the format selected on the screen
The search function will list file(s) where a required sector has been located. If an examination of a raw file dump has found an interesting sector, then this function will indicate which file it is part of. It works on fragmented files, with the limitation that only 64 fragments are actually stored. Thus if the critical sector was in fragment 70, it would be missed from the search. Where files have been deleted, multple files could be shown for the same sector. This can be useful in determining the history of an overwritten file.
The headings on the log are as below
# Number of entry
A sequential number of the entries. If the column is clicked on it will resort the log into the order it was created
This is the size of the file as determined by the directory entry. The size is in bytes. For some Raw Image recovered files, the size is recalculated to be the exact size.
Full File Name
This is the complete file name with the path that the file was recovered to. By sorting on this column, all subdirectories can be viewed in order
This is just the file name section of the file. Although this is always part of the full filename, by having a separate column, it can be sorted to help locate files with a known name.
The signature of the file is based on the first section of the file. This may be a few bytes, or a selection of critical bytes indicating the file type. For many files, the start is unique, and so JPEGs can be detected easily. Other files, in particular many Microsoft Compound Document file format have a common file start. This means that Excel, Word Documents, .MSI files all start with the same signature.
Forensically, the signature can be a very useful indicator of files that may have been renamed in an attempt to hide them. When the signature and Extension do not match they should be investigated (unless they are known to be from the same family). For unrecognized files the signature is set as the first two bytes in hex, eg ‘0x31 45’. This is a useful indication if the file is valid. If the entry is 0x5A 5A then it indicates that the sector has not been read.
The extension is typically the final 3 or 4 characters of the file name after the final ‘.’ Windows uses the extension to indicate the file type. Macintoshs use the resource fork and directory information.
The flags are extracted from the directory and here are displayed with a single letter for each flag
A The archive flag is set - this is the common state
C The file is stored as compressed - NTFS only
D The file was detected as deleted
H The file is hidden
R The file is Read only
r The file has been recovered dynamically - FAT32 only
S The file is a system file
2-x A number will indicate multiple streams associated with Alternate Data Stream (ADS).
This is the start sector of the file. The sector number is the hard disk number, starting at sector 0. It is not the relative sector on the partition. By sorting this column, the order the files are saved on the disk can be seen. This can be useful when a physical area of the disk has been damaged, and so associated files can be seen.
This value is calculated purely on the value of the start sector. It;s interest is partly to show gaps between files, and so has most meaning when the start sector has been sorted.
The frag column shows how many fragments the file is stored in. Most files are stored in a single sequence, and so only have a single fragment. Long files, and those on a full disk become fragmented. If the frag number is double clicked, a display is given for the location of all fragments within the file. The fragment display (in hex or decimal) shows the start of the fragment, the end and also the length. All values are in sectors, using absolute sector numbers on the disk - and not relative numbers to the partition.
This shows if the file filter has caused the file to be skipped. If Y, then the file has not been saved due to a parameter set in the file filter.
Sect Err (sector error)
If this value is set to Yes, then the file that has been recovered contains at least one sector that has not been read correctly. It could be a failed sector on the disk, or if part of an image file, it may be an area that has not been imaged. When the column is sorted, it will also be sorted using start sector values. This will assist is seeing areas of a disk that have failed, or not been imaged.
The verify function is used on a Raw Image recovery. If the value is Yes, then the file has had some verification and is probably valid. The verification will try determine key points of a file end determine if correct. It will typically validate the length, and where possible create a file name. After validation, if the file length has been changed, a new MD5 hash value will be calculated.
CnW software will log 4 dates, based on information found on the disk
The modified date is the time that the file was last changed and saved.
The creation date was the time that the file was created on the current media. There can be cases when the creation date is later than the modified date. This will happen when a file is copied to a new disk drive, but not changed.
Access date - this is the date the file was last accessed. It should be noted that virus scans, and backup routines can change these dates, so they may not indicate user activity.
Attribute date - this is used on NTFS for the MFT entry. If changed, this date is updated
The log time is the time the entry was made in the log. It has no relation to any data and is obviously based on PC clock.