Overwritten fragments and locating files that use selected sectors

When performing a recovery, or forensic investigation, there will be times when a deleted file has been overwritten. It is useful to know when this happened, and by which file.

Tools within the log will assist and often give precise answers to this question, but it must also be noted that once a file has been deleted the operating system can use the sectors and directory entries as it wants, and possibly destroy useful information.

In order to track all sectors, first it is essential to do a full restore of the disk, including deleted files. This will then store important information within the log that can then be examined using a sector search and fragment display.

The two tools included within the log are as follows:

Fragments display
When the ‘Frags’ column in the log is clicked, a list of fragment starts and run lengths is displayed. Currently up to 64 fragments can be displayed in this way.

Sector Search
The search button within the log will request a sector number, and then display all file names that contain this sector. Multiple files may exist if the location has been used by one or more files that have since been deleted.

By using the two tools above it is possible to see how a deleted file may have been corrupted, and the dates, times and names of any files that wrote to those sectors.
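
The sector search and fragment comparison described above, sketched as an added example (not the product's own code). The log entry layout, the field names and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class LogEntry:              # hypothetical layout of one log row
    name: str
    deleted: bool
    date: str                # date/time recorded for the file, ISO format
    frags: list              # [(start_sector, run_length), ...]

# Constructed sample entries, not taken from a real disk.
LOG = [
    LogEntry("report.doc", True,  "2010-03-01T09:15:00", [(1000, 16), (5000, 8)]),
    LogEntry("photo.jpg",  False, "2010-03-04T17:40:00", [(1008, 32)]),
    LogEntry("temp.tmp",   True,  "2010-03-02T11:05:00", [(5004, 4), (7000, 10)]),
    LogEntry("notes.txt",  False, "2010-02-20T08:00:00", [(9000, 4)]),
]

def files_using_sector(log, sector):
    """Sector search: every entry with a fragment that covers `sector`."""
    return [e for e in log
            if any(start <= sector < start + length for start, length in e.frags)]

def overlaps(log, victim_name):
    """Sector ranges of one file that also appear in other entries' fragments."""
    victim = next(e for e in log if e.name == victim_name)
    hits = []
    for other in log:
        if other is victim:
            continue
        for v_start, v_len in victim.frags:
            for o_start, o_len in other.frags:
                # Intersect the two half-open ranges [start, start + length).
                lo = max(v_start, o_start)
                hi = min(v_start + v_len, o_start + o_len)
                if lo < hi:
                    hits.append((other.name, other.date, lo, hi - 1))
    return sorted(hits, key=lambda h: h[1])   # oldest recorded date first

if __name__ == "__main__":
    for e in files_using_sector(LOG, 1010):
        print("sector 1010:", e.name, "(deleted)" if e.deleted else "")
    for name, date, first, last in overlaps(LOG, "report.doc"):
        print(f"report.doc shares sectors {first}-{last} with {name} ({date})")
```

A shared range only shows that two entries claim the same sectors; which file's data is actually present still has to be confirmed by examining the sector contents.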

Recovery of overwritten files

When a sector is overwritten it is exactly that. The previous data is all overwritten and lost. With earlier disk drives, maybe pre year 2000, it was occasionally possible, with government budgets, to recover data from some overwritten sectors, and this has caused a lot of ‘folklore’ about such recovery. With a modern, very high density drive this is now impossible, and any software package that says it is possible is ‘being creative’. The only way to recover an overwritten file is by finding another copy - often called a backup.