|
Search for sector
|   |
|
Search for sector
| |
A very useful forensic tool is to determine which file a sector belongs to. In the case of overwritten, or deleted files, a sector may have more than one apparent owner
The value of the absolute location of the sector is entered into the box (in either hex or decimal according to the flag) and when Search is pressed the log is examined to determine which file(s) the sector is part of.
Obviously, a sector should only be used in a single file, but if deleted files have been restored within the log, these will be tested as well. If a deleted file has been overwritten, it should be possible to see which file overwrote it.
The routine will search up to 80 fragments on a file.
As a double check, when a file has been isolated, it is possible to view the fragments of the file by clicking on Frags column within the log.
It must be noted that the log is only valid after a file recovery has been run. However, to save time, and space if recovery is not actually required, the solution is to use the 'Select Files' rather than Recover All. The disk will be scanned and this stage will be complete when the 'Select All' and 'Copy' buttons become enabled. The sector number may then be entered and matching file(s) displayed. If not found, then the sector is in the unallocated area.