Forensic Report


The forensic report is part of the Forensic Options, controlled by the program licence.


The function of the report is to be the basis of any log or report listing actions and tests on the drive. It will report any disk errors, and other errors where the standard logical recovery has not been possible. The best example would be when it has not been possible to resolve a full directory path, and a dummy directory entry has been created.


The report is part of the main log screen, and is selected by the tab at the top of the box.





Log entries, from program Wizard


The wizard performs tests on the physical media, and the following status messages or errors will be detected. The results from the Verify Disk structure are stored in the log.



Recover options


The log will monitor all options that have been selected as part of the appropriate recovery screen.


NTFS - these will include

Cluster size

$MFT start cluster and start sector

MFT count

Relative sector



FAT - these will include

Cluster size

Cluster 2 location

FAT start

Directory start



NTFS messages


The forensic report will do basic analysis on system files. This will include $bitmap and $logfile.


Fixup error in MFT - an MFT has self-checking built in, and an error was found

Cluster out of range - a cluster higher than the length of the partition was requested

MFT entry not found at expected location - the specified location is not an MFT

MFT entry not found at cluster 4 - when an MFT is not set by BIOS, some values are tested

MFT entry not found at cluster 0xc0000 - when an MFT is not set by BIOS, some values are tested

Cluster 0xc0000 has been set as start of MFT - a 'guessed' value has been used

Cluster 4 has been set as start of MFT - a 'guessed' value has been used

MFT for xxx not a directory MFT - a parent directory location is invalid
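The self check behind "Fixup error in MFT" can be reproduced by hand when validating a report entry. The following is an added example, not the program's own code: it assumes the standard NTFS record layout (update sequence array offset at byte 4, count at byte 6) and 512-byte sectors, and the function names and the sample record are constructed for illustration.

```python
import struct

SECTOR = 512  # assumption: the update sequence array protects 512-byte strides

def check_fixup(record: bytes) -> bytes:
    """Verify and undo the NTFS fixup on one MFT record.

    Returns the record with the original sector-end bytes restored, or
    raises ValueError when the record fails its self check.
    """
    if record[:4] != b"FILE":
        raise ValueError("not an MFT record (no FILE signature)")
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    sectors = usa_count - 1  # first array slot is the sequence number itself
    if sectors < 1 or sectors * SECTOR > len(record) or usa_off + 2 * usa_count > SECTOR - 2:
        raise ValueError("fixup error: bad update sequence array")
    usn = record[usa_off:usa_off + 2]
    fixed = bytearray(record)
    for i in range(sectors):
        end = (i + 1) * SECTOR - 2
        if record[end:end + 2] != usn:  # torn or corrupted sector write
            raise ValueError(f"fixup error: sector {i} tail mismatch")
        saved = usa_off + 2 * (i + 1)
        fixed[end:end + 2] = record[saved:saved + 2]
    return bytes(fixed)

def build_sample_record() -> bytes:
    """Constructed 1024-byte record, fixup already applied as on disk."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)     # array at 0x30: 1 number + 2 saved words
    rec[0x30:0x32] = b"\x07\x00"                  # update sequence number
    rec[0x32:0x34] = b"\xAA\xBB"                  # original tail of sector 0
    rec[0x34:0x36] = b"\xCC\xDD"                  # original tail of sector 1
    rec[510:512] = rec[1022:1024] = b"\x07\x00"   # tails overwritten with the number
    return bytes(rec)

if __name__ == "__main__":
    good = build_sample_record()
    print(check_fixup(good)[510:512].hex())
    torn = bytearray(good)
    torn[1022:1024] = b"\x06\x00"                 # second sector from an older write
    try:
        check_fixup(bytes(torn))
    except ValueError as err:
        print(err)
```

A record that fails this check should be treated as partially written or damaged, and any file names or run lists read from it should be marked as unverified in the examiner's notes.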



FAT messages


FAT parent directory not found for cluster : xxx - the parent directory was not found, so a dummy directory will be created. This is the directory that is pointed to by the '..' entry in the directory stub.


File truncated, found xxx expected yyy - the full file has been truncated, often due to a FAT entry indicating end of file.


Next cluster same as current cluster, incrementing value - this would cause the program to loop on a single cluster, so the next sector will be selected automatically.