Discover deleted files



In many forensic investigations, a very important aspect is discovering files that have been deliberately deleted. Fortunately, a deletion through the operating system typically just marks the file as deleted and makes the space it occupied available for new files, so the file's contents usually remain on the disk until that space is reused.


The investigator then has several tools to discover the files, recover the files, and at times, can even work out when the files were deleted.


Stage 1

The first tool to use is the standard recovery routine, selecting the 'Recover deleted files' option that appears in the recovery menu. If there have not been many operations on the disk since the files were deleted, this will almost certainly recover the deleted files correctly. As more file movements take place on the disk, the chance of a file having been overwritten increases. It should be noted that for FAT32 files, deletion often removes the record of the file's original location on the disk, but CnW software has functions to assist with this.
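To show what "removes the original location" means for FAT32, here is an added example (not CnW code) that parses constructed 32-byte FAT directory entries: a deleted entry keeps its size and low cluster word, but the high cluster word at offset 0x14 is commonly zeroed, so a recovery routine has to consider several possible start clusters. Sample entries, names and volume size are constructed for the example.

```python
import struct
from collections import namedtuple

DELETED_MARKER = 0xE5  # first name byte of a deleted FAT directory entry
# Fields from the 8.3 entry: name 0x00, cluster high 0x14, cluster low 0x1A, size 0x1C
DirEntry = namedtuple("DirEntry", "name deleted cluster_high cluster_low size")

def parse_entry(raw):
    """Parse one 32-byte FAT short-name (8.3) directory entry."""
    deleted = raw[0] == DELETED_MARKER
    # Deletion overwrites the first name character, so it is shown as '?'.
    base = ("?" if deleted else chr(raw[0])) + raw[1:8].decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    hi, = struct.unpack_from("<H", raw, 0x14)
    lo, size = struct.unpack_from("<HI", raw, 0x1A)
    return DirEntry(base + ("." + ext if ext else ""), deleted, hi, lo, size)

def candidate_start_clusters(entry, total_clusters):
    """Start clusters a recovery routine must consider. A live entry gives one
    answer; a deleted entry with a zeroed high word may start at any cluster in
    the volume that shares the surviving low word, so the true location is lost."""
    if not entry.deleted or entry.cluster_high:
        return [(entry.cluster_high << 16) | entry.cluster_low]
    return list(range(entry.cluster_low, total_clusters, 1 << 16))

def build_entry(name83, hi, lo, size, deleted=False):
    """Construct a sample entry (archive attribute set, timestamps left zero)."""
    raw = bytearray(32)
    raw[0:11] = name83.ljust(11)
    if deleted:
        raw[0] = DELETED_MARKER
    raw[0x0B] = 0x20
    struct.pack_into("<H", raw, 0x14, hi)
    struct.pack_into("<HI", raw, 0x1A, lo, size)
    return bytes(raw)

def scan_directory(raw):
    """Walk a directory region; a 0x00 first byte marks the end of used entries."""
    entries = []
    for off in range(0, len(raw), 32):
        if raw[off] == 0x00:
            break
        entries.append(parse_entry(raw[off:off + 32]))
    return entries

# Constructed sample: a live file, then a deleted file whose high cluster word
# was cleared at deletion, as commonly happens on FAT32 volumes.
SAMPLE_DIR = (build_entry(b"REPORT  DOC", 0x0001, 0x2345, 40960)
              + build_entry(b"SECRET  PDF", 0x0000, 0x2345, 12288, deleted=True))
```

On a volume with more than 65535 clusters the deleted entry above yields several candidate start clusters, which is why signature checks or the dedicated CnW functions are needed to pick the right one.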


Stage 2

When a directory is deleted, its directory entry is marked as deleted, but there is always a danger that this entry will be reused, so a logical parse of the directory tree could miss a complete directory branch. To overcome this, it is best to try multiple approaches to reading the disk. For NTFS, use the option Recover from file entries, which will scan for all possible files and directories. When a parent directory is not found because it has been deleted, a dummy directory name will be created. For FAT disks, the option Recover from directory stubs should be used. This will scan the disk for all subdirectory entries. One limitation is that if the subdirectory has been deleted, there is no way to tell how long the directory is, so at times fragments of the directory may be omitted.


Stage 3

Some files, when deleted, will in effect escape from the file system. For these it will be necessary to use the Recover Unallocated Space option. This is used once the disk has been read; all the clusters that have not been accessed are then analysed for possible files. Being raw recovery, there are very few checks on the files, apart from fairly comprehensive file signature checking and, at times, logical verification of the files.



Analysis


Once files have been recovered it is often worth investigating when they were deleted. For FAT disks, no such information is stored, but NTFS disks store dates that indicate when a file was last changed; this is held in the Attribute time.


Another useful piece of investigation on an NTFS disk is to work out which file overwrote a directory entry. If the NTFS recovery routine cannot recreate a complete directory path, it will create a lost_dir_xxx entry, where xxx is the number of the expected MFT record. By looking through the log for the MFT record with the value xxx, one can see what has been written, and when, to delete the directory.