Encase 7 Index Buffer Reader script **RECOVERED ENTRY***


Posted: Mon Dec 03, 2018 2:06 pm

After parsing a $I30 file with Encase Index Buffer Reader script, multiple existing files were found to have corresponding ***RECOVERED ENTRY*** records. Below is an example of one of these files.

Does this imply that these files were once deleted and then recovered somehow? How are the "Recovered Entry" records created by the script?

**RECOVERED ENTRY***
FILE NAME: ZFTE553n.jpg
FILE ID: 432884
PARENT ID: 154315
CREATED: 09/26/15 10:35:03AM
WRITTEN: 09/25/15 01:52:07PM
MODIFIED: 09/26/15 10:35:03AM
ACCESSED: 09/26/15 10:35:03AM
NAME TYPE: Win32
LOGICAL SIZE: 185498
PHYSICAL SIZE: 188416
DOS PERMISSIONS: Archived


FILE NAME: ZFTE553n.jpg
FILE ID: 432884
PARENT ID: 154315
CREATED: 09/26/15 10:35:03AM
WRITTEN: 09/25/15 01:52:07PM
MODIFIED: 09/26/15 10:56:00AM
ACCESSED: 09/26/15 10:35:03AM
NAME TYPE: Win32
LOGICAL SIZE: 185498
PHYSICAL SIZE: 188416
DOS PERMISSIONS: System Archived

shawnz
Newbie
Re: Encase 7 Index Buffer Reader script **RECOVERED ENTRY***

Posted: Mon Dec 03, 2018 3:29 pm

I don't know if this will help your understanding, but it may be a good starting point:

digital-forensics.sans...tten-files  

JerryW
Member
Re: Encase 7 Index Buffer Reader script **RECOVERED ENTRY***

Posted: Mon Dec 03, 2018 4:26 pm

Tnx. That link is helpful but doesn't have enough details on the script. Hopefully someone can decipher the Encase Index Buffer Reader script and share the logic behind it.

shawnz
Newbie
Re: Encase 7 Index Buffer Reader script **RECOVERED ENTRY***

Posted: Mon Dec 03, 2018 4:34 pm

The $I30 indexes (like all NTFS indexes) are stored in a sorted tree. The tree is frequently re-arranged to make it sort efficiently.

During this re-arrangement entries may be discarded. When this happens, they can still hang around on disk and thus there may be multiple identical (or very similar) entries. This is normal. It doesn't necessarily mean the file/directory no longer exists - rather it is just an indication of what did exist (and may still exist) at the point the index record was last updated.

You can find a good explanation of this here:

File System Forensic Analysis

Does the index help your case? Are the name, date, size, etc. relevant? If not, they can probably be ignored.

Jim

www.binarymarkup.com

JimC
Member
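As an added illustration of the mechanism Jim describes (example code written for this thread, not the EnCase script, whose internals nobody here has seen): a small Python parser for $I30 index entries that first follows the allocated entry chain up to the end marker and then carves the slack past the in-use length for stale entries, which is the standard slack-carving approach behind a "recovered entry". It assumes the caller has already applied the update-sequence fixups and passes the entry area plus the index header's in-use length; the MODIFIED column is taken from $FILE_NAME's MFT-modified stamp, an assumption about what the script labels that way; the sample bytes are constructed to mirror the two records in the first post.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch; ticks are 100 ns
NAMESPACE = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32&DOS"}
ATTR = {0x01: "ReadOnly", 0x02: "Hidden", 0x04: "System", 0x20: "Archived"}
def from_filetime(ticks): return EPOCH + timedelta(microseconds=ticks // 10)
def to_filetime(iso): return int((datetime.fromisoformat(iso) - EPOCH).total_seconds()) * 10_000_000

def parse_entry(buf, off):
    """Decode the $I30 entry at buf[off:] (MFT reference header + $FILE_NAME body); None if implausible."""
    if off + 0x52 > len(buf): return None
    ref, entry_len, content_len, _flags = struct.unpack_from("<QHHI", buf, off)
    if not 0x52 <= entry_len <= len(buf) - off or not 0x42 <= content_len <= entry_len - 0x10: return None
    fn = off + 0x10                                   # $FILE_NAME body starts after the 16-byte header
    parent, ctime, wtime, mtime, atime, phys, logical, attr = struct.unpack_from("<7QI", buf, fn)
    name_len, ns = buf[fn + 0x40], buf[fn + 0x41]
    if ns > 3 or name_len == 0 or 0x42 + 2 * name_len > content_len: return None
    name = buf[fn + 0x42:fn + 0x42 + 2 * name_len].decode("utf-16-le", "replace")
    if not name.isprintable(): return None           # slack heuristic: garbage rarely decodes cleanly
    return {"name": name, "file_id": ref & 0xFFFFFFFFFFFF, "parent_id": parent & 0xFFFFFFFFFFFF,
            "created": from_filetime(ctime), "written": from_filetime(wtime),
            "modified": from_filetime(mtime), "accessed": from_filetime(atime),   # modified = MFT-modified stamp (assumed)
            "name_type": NAMESPACE[ns], "logical_size": logical, "physical_size": phys,
            "dos_permissions": " ".join(v for k, v in ATTR.items() if attr & k), "entry_len": entry_len}

def walk_index(buf, used):
    """Live entries: follow the chain up to the end marker. Recovered: carve the slack past `used`."""
    out, off = [], 0
    while off + 0x10 <= used:
        entry_len, flags = struct.unpack_from("<H2xI", buf, off + 8)
        e = None if flags & 0x02 else parse_entry(buf, off)   # flag 0x02 = last entry, carries no name
        if e is None: break
        out.append(dict(e, recovered=False)); off += entry_len
    off = (used + 7) & ~7                                      # discarded entries keep 8-byte alignment
    while off + 0x52 <= len(buf):
        e = parse_entry(buf, off)
        if e: out.append(dict(e, recovered=True))
        off += e["entry_len"] if e else 8
    return out
def make_entry(name, file_id, parent_id, times, logical, phys, attr):
    """Pack a constructed entry in the on-disk layout (synthetic test data, not from a real volume)."""
    body = struct.pack("<7QII", parent_id, *times, phys, logical, attr, 0) + bytes([len(name), 1]) + name.encode("utf-16-le")
    entry_len = (0x10 + len(body) + 7) & ~7
    return struct.pack("<QHHI", file_id, entry_len, len(body), 0) + body.ljust(entry_len - 0x10, b"\0")
T1, T2, T3 = (to_filetime(s) for s in ("2015-09-26T10:35:03+00:00", "2015-09-25T13:52:07+00:00", "2015-09-26T10:56:00+00:00"))
LIVE = make_entry("ZFTE553n.jpg", 432884, 154315, [T1, T2, T3, T1], 185498, 188416, 0x24)   # constructed: System|Archived
STALE = make_entry("ZFTE553n.jpg", 432884, 154315, [T1, T2, T1, T1], 185498, 188416, 0x20)  # constructed: Archived only
ALLOCATED = LIVE + struct.pack("<QHHI", 0, 0x10, 0, 0x02)       # live entry followed by the end marker
SAMPLE = (ALLOCATED + b"\0" * 16 + STALE).ljust(1024, b"\0")     # older copy of the entry left in slack
```

Calling `walk_index(SAMPLE, len(ALLOCATED))` returns the live record first and the stale slack copy flagged `recovered=True`, differing only in the MFT-modified stamp and DOS permissions, exactly the pattern in the first post.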
Re: Encase 7 Index Buffer Reader script **RECOVERED ENTRY***

Posted: Tue Dec 04, 2018 5:37 am

What is the exact name of the script? And do you know where you got the script from?

Regards

hommy0
Member