Hello,

In Encase after running the recover folders function I am locating traces of image files that are being reported as overwritten/deleted. I can’t view these files using Encase’s usual undelete function.
My question is whether there is anyway to recover and view these files, and also can these files be bookmarked?

Thank you all,  

As I understand it, the "recover folders" feature looks for $MFT records in unallocated. Given the re-use of clusters, frequently you find that the data has been over-written - hence the lack of a viewable image.

So what these "over-written" entries show is not a file, but a record of a file which once existed. I don't think EnCase lets you bookmark them - the best you can do is blue-check them and right-click "export" a list.  

So as far as best practices go. What is the best way to document the existence of these types of files once they are located if EnCase won't let you bookmark them so you can incorporate them into your report?  

Would highlighting the record of the file i.e 'PictureOfInterest.jpg' in the Text view, right clicking and bookmarking as text, then incorporate the physical sector, file offset and length in the comments box provide you with a suitable record for court purposes. The details of the bookmarks can then be exported in a rtf from EnCase. This way if another expert were to examine the same job, they would be able to input that data (from your comment box) and see the name of the file(s) in question exactly where you found them.  

Blue check all of the files, right click and Export. This will let you export all the file system data that Encase knows about. (You have to check the properties you want exported.)

Save it as a .csv, open it in Excel for pretty formatting purposes and you can then just put it in your report later.
_________________
Larry E. Daniel DFCP, EnCE, BCE, ACE
Guardian Digital Forensics - Firm
Ex Forensis - Blog
Encase 101 - Blog
Digital Forensics for Legal Professionals - Book