
File in unallocated space appears several times

(@enafor)
Posts: 1
New Member
Topic starter
 

I'm investigating a case where the name of a file (the same file) appears 7 times in the unallocated space.

The disk has 2 partitions 4.5 GB - NTFS and a 32.4GB - NTFS. In the second partition the name of the file appears

3 times, exactly at lines 3081e7f38, 308233518 & 30a132138, and
4 times, at lines 784DCE810 (*), 784DCE868, 785066808 (*), 785066860

For the instances marked with (*) the file name is after a folder name, for example "D\folder_name\file_name". For the rest, only the "file_name" appears without any reference to any folder name.

Can you help me to understand the reason for the multiple instances of the same file_name?
Why, in 5 instances, is only the file_name shown, without any reference to a folder before it, while the folder_name is included in 2 more?

Thanks so much.

 
Posted : 20/06/2015 4:09 am
(@twjolson)
Posts: 417
Honorable Member
 

Without screenshots, there is really nothing we can do for you besides wildly speculate.

Filenames mean so very little. What you are seeing could be internet records, MFT entries, snippets of a .txt file, log files from P2P applications, registry fragments, and on and on and on.

That said, it really isn't weird or uncommon to find a filename multiple times.

 
Posted : 20/06/2015 5:00 am
(@athulin)
Posts: 1156
Noble Member
 

Can you help me to understand the reason of the multiple instances for the same file_name?

No. There's not enough information.

First, what are you seeing in unallocated space? Directory structures? NTFS is free to rearrange directories as it likes. There's nothing odd about finding several versions of deleted directories that have seen a lot of modification on a disk.

Is some kind of defragmenting software active? Are you seeing directories before they were defragmented? That's another way it could happen.

Or are you seeing something else? Perhaps old virtual disks that have been deleted? They can contain anything, even Linux directory structures. If you have never seen those before (Linux directories in a Windows system???), you may be confused. Or, closely related, disk images from old disks.

If the files are produced by some kind of application, it's up to that application to decide what it does with the file and how that happens.

Or … ? Could be something related to the environment of the system. Of which we know absolutely nothing.

You really should be able to start from a strange observation, formulate a number of hypotheses that might explain it, and perform additional tests on the basis of those.

Why in 5 instances, only the file_name is shown, without references to a folder before? And including the folder_name in 2 more ?

And are the instances comparable? Or are you looking at five instances of deleted directories, and two instances of deleted backup files or file archives?

You have to look beyond the file name. Do the cluster(s) contain additional data that you can identify?

In some cases, it's simpler. If this is a corporate environment, you may, in some cases, be looking at remains of system updates that are pushed from a central server to clients, and typically end up under temporary (but not necessarily random) names on the disk.

 
Posted : 20/06/2015 10:59 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

As a side note, and just for the record: if you are looking at the disk with a hex viewer/disk editor, you do not use "lines" for a position. The concept of a "line" does not exist in RAW data (basically because there is no EOL). When talking of a hex view of the disk you normally use the LBA sector number and the offset in bytes to the beginning of the string, or the absolute offset on either the physicaldrive (disk) or the logicaldrive (partition/volume). The latter, BTW, is probably what you used: a hex number like 0x784DCE868 corresponds to 32,293,841,000, roughly 32 billion, which is unlikely to be a "line number" on a "32.4 Gb" partition, which can contain at the most around 34 billion bytes (or characters).
While most hex viewers/editors represent data divided into 16-byte "lines", that is just a common convention; it is arbitrary, and the number of bytes represented on each "line" can be set to a different amount in most tools.

jaclaz

 
Posted : 20/06/2015 2:36 pm
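Editor's added example (not code from any poster in this thread): a small Python script that does what the two replies above ask for. It converts the hex offsets the topic starter quoted into LBA sector plus in-sector offset, as jaclaz describes, and it looks at the record each hit sits in rather than at the bare name, as athulin suggests. The sample "unallocated space" buffer is constructed here; the NTFS signatures it keys on ("FILE" for $MFT records, "INDX" for directory index blocks) and the UTF-16LE encoding of on-disk NTFS names are real, but the record sizes (1024 and 4096 bytes), the partition start LBA and the back-scan window are assumptions, so the classifier is a heuristic, not a parser.

```python
"""Find a filename in raw data, report each hit as absolute offset and
LBA sector (+ in-sector offset), and say what kind of structure it sits in.

Added example; sample data is constructed. Record sizes below are the
usual NTFS defaults but are assumptions for the heuristic classifier."""
import re

SECTOR = 512
MFT_RECORD = 1024      # assumed $MFT record size
INDX_RECORD = 4096     # assumed index allocation block size


def parse_offset(text):
    """Offsets in a hex viewer are hex: '784DCE868' or '0x784DCE868' -> int."""
    return int(text, 16)


def offset_to_lba(abs_offset, sector_size=SECTOR):
    """Byte offset on a volume/disk -> (LBA sector number, offset inside sector)."""
    return divmod(abs_offset, sector_size)


def volume_to_physical(vol_offset, partition_start_lba, sector_size=SECTOR):
    """Logical-drive (volume) offset -> physical-drive offset, given the
    partition's first sector (assumed known from the partition table)."""
    return partition_start_lba * sector_size + vol_offset


def volume_bytes(size_gib):
    """Capacity in bytes for a size quoted in binary GB, e.g. 32.4 -> ~34.8e9."""
    return int(size_gib * 2 ** 30)


def find_name_hits(buf, name):
    """(offset, encoding) for every occurrence of name, ASCII and UTF-16LE.
    NTFS keeps names in $FILE_NAME attributes and INDX entries as UTF-16LE,
    so an ASCII-only keyword search misses the file-system metadata hits."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        for m in re.finditer(re.escape(name.encode(enc)), buf):
            hits.append((m.start(), enc))
    return sorted(hits)


def classify_context(buf, offset):
    """Heuristic: is the hit inside an MFT record, an INDX block, or loose text?
    Looks back at most one record length for the record signature."""
    if buf.rfind(b"FILE", max(0, offset - MFT_RECORD), offset) != -1:
        return "MFT record"
    if buf.rfind(b"INDX", max(0, offset - INDX_RECORD), offset) != -1:
        return "directory index (INDX) record"
    start = offset                      # loose text: show the printable run before the hit
    while start > 0 and 0x20 <= buf[start - 1] < 0x7F:
        start -= 1
    text = buf[start:offset + 40].split(b"\x00")[0].decode("ascii", "replace")
    return "unstructured text: " + text.strip()


def report(buf, name):
    """One tuple per hit: (offset, LBA sector, in-sector offset, encoding, context)."""
    out = []
    for off, enc in find_name_hits(buf, name):
        sector, in_sec = offset_to_lba(off)
        out.append((off, sector, in_sec, enc, classify_context(buf, off)))
    return out


def build_sample():
    """Constructed 16 KiB of 'unallocated space' holding three copies of one name."""
    name = "file_name.docx"
    buf = bytearray(16 * 1024)
    n = name.encode("utf-16-le")
    buf[2048:2052] = b"FILE"            # deleted MFT record, name inside it as UTF-16LE
    buf[2048 + 0xF0:2048 + 0xF0 + len(n)] = n
    buf[8192:8196] = b"INDX"            # deleted directory index block, same name
    buf[8192 + 0x60:8192 + 0x60 + len(n)] = n
    # fragment of an application log that wrote the full path as ASCII
    line = b"2015-06-19 copied D:\\folder_name\\" + name.encode("ascii") + b"\r\n"
    buf[12400:12400 + len(line)] = line
    return bytes(buf), name


if __name__ == "__main__":
    buf, name = build_sample()
    for off, sector, in_sec, enc, ctx in report(buf, name):
        print(f"0x{off:X}  LBA {sector} +{in_sec}  {enc:9s}  {ctx}")
    sec, rem = offset_to_lba(parse_offset("784DCE868"))
    print(f"0x784DCE868 = {parse_offset('784DCE868'):,} bytes = LBA {sec} +{rem}")
```

The point of the output is that the three hits carry the same name but come from three different kinds of structure: two from deleted file-system metadata (stored as UTF-16LE, no path, because NTFS records the parent by reference rather than by name) and one from an application's own log line that happens to spell out the full path in ASCII. On a real image you would replace `build_sample()` with the unallocated-space dump and add the volume's starting LBA to `volume_to_physical()` before quoting offsets to anyone working from the physical drive.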
(@belkasoft)
Posts: 169
Estimable Member
 

I'm investigating a case where the name of a file (the same file) appears 7 times in the unallocated space.

enafor,

Judging from the size of the two partitions, it seems likely that the device imaged was a solid-state disk (either an SSD, eMMC or similar flash-based media). If this is correct, you might be seeing the work of the storage controller wear leveling and remapping. Could you confirm the type of device that was imaged?

 
Posted : 23/06/2015 5:55 pm