
Server 2003 NTFS Volume Conversion

4 Posts
3 Users
0 Likes
465 Views
kiashi
(@kiashi)
Posts: 99
Trusted Member
Topic starter
 

Ok, I'm going to try and explain the situation…

I have an image of two hard drives from the same computer, one is the system drive which has Windows Server 2003 installed on it. The second hard drive seems as though it may have been previously used in another system that was running a different version of Windows. The clue for this is that the MFT records on the volume I am looking at have a mixture of 'FILE*' and 'FILE0' headers. On reading the following Technet article I learned that when a volume with an earlier NTFS version is installed in a Server 2003 machine it just gives new files the newer MFT record headers and leaves the old ones as they are.
http://technet.microsoft.com/en-us/library/cc781134(WS.10).aspx

So with that as the background, my question relates to a large number of files with different types/extensions that are deleted/overwritten but still have visible MFT entries. All of these files have been renamed within their MFT entries to have a filename of 'De[num].[ext]'.

Has anyone come across this situation before? Can I assume that Server 2003 has for whatever reason parsed all the files marked as deleted within the MFT and given them this generic name? Or is this some quirk of a previous NTFS version that I am unaware of?

Any insight would be greatly appreciated.

 
Posted : 12/05/2010 2:34 pm
(@brede)
Posts: 64
Trusted Member
 

Files were "deleted", i.e. moved to the system Trash directory. In that situation all "deleted" files are renamed: D = deleted, e = volume E, number = number of the deleted file (check the system INFO2 file for deletion time and name/folder), ext = remains the same.

 
Posted : 12/05/2010 2:39 pm
kiashi
(@kiashi)
Posts: 99
Trusted Member
Topic starter
 

brede, thanks for your quick reply.

Part of me did already know that… I think this case is just clouding my brain at the moment with its size!

Ok I have located the INFO2 record and it seems to have been emptied. There is some content left in slack space but it doesn't look like I'll get back the original names of my files. I am guessing this is something EnCase has already tried and was unable to do which is where some of my confusion obviously appeared.

Been a long week already and it's only Wednesday morning!

 
Posted : 12/05/2010 3:23 pm
(@dc1743)
Posts: 48
Eminent Member
 

Don't forget that within the Case Processor EnScript there is a Recycle Bin Info Record Finder module which can recover INFO2 records from unallocated.

Regards

 
Posted : 12/05/2010 5:29 pm
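Brede's reply describes the naming that the XP/2003-era Recycle Bin applies (D, drive letter, sequence number, original extension) and points to INFO2 as the place where the original name and deletion time live; dc1743 adds that INFO2 records can be recovered from unallocated space. The following is an added illustration, not code from any poster, EnCase or Microsoft: it decodes the 800-byte INFO2 record layout used by Windows 2000/XP/2003 (260-byte ANSI path, record index, drive number, FILETIME of deletion, physical size, 520-byte UTF-16 path, behind a 20-byte file header), rebuilds the `D<drive><index>.<ext>` name for each record so it can be matched against the renamed MFT entries, and carves orphaned records out of a raw buffer (slack or unallocated) by locating the `X:\` that opens the UTF-16 path. The INFO2 file and the "slack" buffer below are constructed sample data, and the plausibility limits on dates are my own choice.

```python
"""INFO2 Recycle Bin record parser and carver (Windows 2000/XP/2003 layout)."""
import re
import struct
from datetime import datetime, timedelta, timezone

INFO2_HEADER_SIZE = 20       # version, two reserved DWORDs, record size, total size
INFO2_RECORD_SIZE = 0x320    # 800-byte records on 2000/XP/2003
ANSI_PATH_LEN = 260
UNICODE_PATH_LEN = 520
# Offsets inside one record: ANSI path at 0, then index, drive number,
# FILETIME of deletion, physical size, and the UTF-16LE copy of the path.
OFF_INDEX, OFF_DRIVE, OFF_FILETIME, OFF_SIZE, OFF_UNICODE = 260, 264, 268, 276, 280

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
PLAUSIBLE_MIN = datetime(1995, 1, 1, tzinfo=timezone.utc)   # assumed sanity window
PLAUSIBLE_MAX = datetime(2038, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, integer arithmetic only (no float loss)."""
    td = dt - FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10


def parse_record(rec):
    """Decode one 800-byte record; return None when the fields are not plausible."""
    if len(rec) != INFO2_RECORD_SIZE:
        return None
    ansi = rec[:ANSI_PATH_LEN].split(b"\x00", 1)[0].decode("latin-1")
    index, drive, ft, size = struct.unpack_from("<IIQI", rec, OFF_INDEX)
    if drive > 25:                       # drive number: 0 = A:, 2 = C:, ...
        return None
    try:
        deleted = filetime_to_datetime(ft)
    except OverflowError:
        return None
    if not PLAUSIBLE_MIN <= deleted <= PLAUSIBLE_MAX:
        return None
    letter = chr(ord("A") + drive)
    uni = rec[OFF_UNICODE:OFF_UNICODE + UNICODE_PATH_LEN].decode("utf-16-le", "replace")
    uni = uni.split("\x00", 1)[0]
    if not uni.upper().startswith(letter + ":\\"):   # path must sit on that drive
        return None
    base = uni.rsplit("\\", 1)[-1]
    ext = base.rsplit(".", 1)[1] if "." in base else ""
    recycled = f"D{letter.lower()}{index}" + (f".{ext}" if ext else "")
    return {"original_path": uni, "ansi_path": ansi, "recycled_name": recycled,
            "index": index, "drive": letter, "deleted": deleted, "size": size}


def parse_info2(data):
    """Walk an intact INFO2 file: 20-byte header followed by fixed-size records."""
    version, _, _, rec_size, _ = struct.unpack_from("<IIIII", data, 0)
    if rec_size != INFO2_RECORD_SIZE:
        raise ValueError(f"unexpected record size {rec_size:#x} (version {version})")
    stop = len(data) - INFO2_RECORD_SIZE + 1
    return [r for off in range(INFO2_HEADER_SIZE, stop, INFO2_RECORD_SIZE)
            if (r := parse_record(data[off:off + INFO2_RECORD_SIZE])) is not None]


# UTF-16LE "X:\" as it appears at the start of the Unicode path field.
_DRIVE_ROOT = re.compile(rb"[A-Za-z]\x00:\x00\\\x00")


def carve_info2_records(data):
    """Find orphaned records in raw bytes (slack, unallocated): (offset, record) pairs."""
    found = []
    for m in _DRIVE_ROOT.finditer(data):
        start = m.start() - OFF_UNICODE
        if start < 0 or start + INFO2_RECORD_SIZE > len(data):
            continue
        rec = parse_record(data[start:start + INFO2_RECORD_SIZE])
        if rec is not None:
            found.append((start, rec))
    return found


def recycled_to_original(records):
    """Map the D<drive><index>.<ext> names seen in the MFT back to original paths."""
    return {r["recycled_name"]: r["original_path"] for r in records}


# ---- constructed sample data (not real case data) ---------------------------
def build_record(path, index, drive, deleted, size):
    rec = bytearray(INFO2_RECORD_SIZE)
    rec[:len(path)] = path.encode("latin-1")
    struct.pack_into("<IIQI", rec, OFF_INDEX, index, drive, datetime_to_filetime(deleted), size)
    uni = path.encode("utf-16-le")
    rec[OFF_UNICODE:OFF_UNICODE + len(uni)] = uni
    return bytes(rec)


def sample_info2():
    recs = [build_record(r"C:\Documents and Settings\admin\My Documents\report.doc", 1, 2,
                         datetime(2010, 5, 12, 9, 30, tzinfo=timezone.utc), 45056),
            build_record(r"D:\share\budget.xls", 7, 3,
                         datetime(2010, 5, 11, 16, 5, tzinfo=timezone.utc), 98304)]
    header = struct.pack("<IIIII", 5, 0, 0, INFO2_RECORD_SIZE, 45056 + 98304)
    return header + b"".join(recs)


def sample_slack():
    """Junk bytes, one headerless record at offset 123, more junk."""
    rec = build_record(r"C:\temp\scan.pdf", 3, 2,
                       datetime(2010, 4, 2, 11, 0, tzinfo=timezone.utc), 20480)
    return bytes(range(123)) + rec + b"\xff" * 50


if __name__ == "__main__":
    for r in parse_info2(sample_info2()):
        print(f"{r['recycled_name']:<10} {r['deleted']:%Y-%m-%d %H:%M:%S}  {r['original_path']}")
    for off, r in carve_info2_records(sample_slack()):
        print(f"carved @ {off}: {r['recycled_name']} -> {r['original_path']}")
```

Run against a real INFO2, `parse_info2` gives the name/time pairs; run against a chunk of slack or unallocated, `carve_info2_records` finds records without a header, which is what matters once the bin has been emptied and the file truncated. The carver keys on the Unicode path rather than the ANSI one because a record's first ANSI byte is the part most often blanked.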