Utility to discover...
 
Notifications
Clear all

Utility to discover recently deleted files on Windows 7

8 Posts
6 Users
0 Likes
1,254 Views
(@komatsu)
Posts: 17
Active Member
Topic starter
 

hi does anyone know of a good utility (free or paid) to discover recently deleted files in
Windows?

A user here believes that his spouse may have deleted stuff deliberately on him but he does not know exactly what.

 
Posted : 20/01/2016 5:29 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

May just the MBR was destroyed, for rebuild take free minitool partition wizard 9.1, installed go to 'operations' left side bar, there 'Rebuild MBR'. minitool.com also free partition recovery tool.

 
Posted : 20/01/2016 12:03 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Rolf,

May just the MBR was destroyed,

Can you elaborate on what you mean?

 
Posted : 20/01/2016 7:23 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

does anyone know of a good utility (free or paid) to discover recently deleted files in Windows?

Using FTK Imager, get the $MFT from the system and parse through it, looking for deleted files/folders, and checking the entry last modification date (not the one for the file).

Or, add the C\ volume to FTK Imager as a logical volume, and go through the folder tree, looking for files marked with a red "X".

 
Posted : 20/01/2016 7:26 pm
(@questnz)
Posts: 34
Eminent Member
 

Terribly complicated, MBR, FTK ??? Wow !!
Why you just start with Recuva or similar,
Free Undelete

Paid, R-Studio, Recover My Files, Ontrack Easy Recovery Pro etc.

 
Posted : 20/01/2016 11:49 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

#komatsu Sometimes files are not really deleted but just the Master Boot Record (MBR) was deleted or damaged (unintenionally). E.g. during installation of Win 7 you asked to select the partition to install Win 7, there you can Delete, Format the partitions on the drive(s). If you delete and format it there just deletes the MBR. That is worth checking. Progs like undelete do exactly the same, they just turn the vector flags from green back to red (not allowed to write, just read)

 
Posted : 21/01/2016 12:57 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

#komatsu Sometimes files are not really deleted but just the Master Boot Record (MBR) was deleted or damaged (unintenionally). E.g. during installation of Win 7 you asked to select the partition to install Win 7, there you can Delete, Format the partitions on the drive(s). If you delete and format it there just deletes the MBR. That is worth checking. Progs like undelete do exactly the same, they just turn the vector flags from green back to red (not allowed to write, just read)

No.

The effect of deleting one or more partition table entry from the MBR is that the corresponding partition(s) or volume(s) will "disappear" and be not mounted automatically and inaccessible normally.

The OP request is not about deleted volumes, it is about deleted files WITHIN a volume.

The "particular" requirement is seemingly about something capable to distinguish between "recently deleted" files and "other deleted files".

Most tools, like the mentioned ones or (as another example) DMDE will scan the volume for deleted files but normally they don't make a distinction between "recently" deleted and "just" deleted.

jaclaz

 
Posted : 21/01/2016 2:14 pm
joakims
(@joakims)
Posts: 224
Estimable Member
 

You did not specify filesystem, but assuming ntfs as that's most common with Windows 7. You could then possibly get some more insight into the history on your filesystem by analyzing $UsnJrnl and $LogFile.

See
https://github.com/jschicht/UsnJrnl2Csv
https://github.com/jschicht/LogFileParser
https://github.com/jschicht/ExtractUsnJrnl

Also worth trying for recovering older fragments of $UsnJrnl
https://github.com/jschicht/UsnJrnlCarver

 
Posted : 21/01/2016 5:02 pm
Share: