Server 2003 NTFS Volume Conversion


kiashi
Senior Member
 

Server 2003 NTFS Volume Conversion

Posted: May 12, 10 14:34

OK, I'm going to try and explain the situation...

I have an image of two hard drives from the same computer, one is the system drive which has Windows Server 2003 installed on it. The second hard drive seems as though it may have been previously used in another system that was running a different version of Windows. The clue for this is that the MFT records on the volume I am looking at have a mixture of 'FILE*' and 'FILE0' headers. On reading the following Technet article I learned that when a volume with an earlier NTFS version is installed in a Server 2003 machine it just gives new files the newer MFT record headers and leaves the old ones as they are:
technet.microsoft.com/...S.10).aspx

So with that as the background, my question relates to a large number of files with different types/extensions that are deleted/overwritten but still have visible MFT entries. All of these files have been renamed within their MFT entries to have a filename of 'De[num].[ext]'.

Has anyone come across this situation before? Can I assume that Server 2003 has for whatever reason parsed all the files marked as deleted within the MFT and given them this generic name? Or is this some quirk of a previous NTFS version that I am unaware of?

Any insight would be greatly appreciated.
The only people who find what they are looking for
in life are the fault finders. 
 
  

brede
Senior Member
 

Re: Server 2003 NTFS Volume Conversion

Posted: May 12, 10 14:39

The files were "deleted", i.e. moved to the system Trash directory. In that situation all "deleted" files are renamed as follows: D - deleted; e - volume E:; number - number of the deleted file (check the system INFO2 file for the deletion time and the original name/folder); ext - remains the same.
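As an added example (not part of brede's post or this thread), the following Python parses an INFO2 file and ties each recycled "D[drive][num].[ext]" name back to its original path and deletion time, which is what an examiner wants from INFO2 when the MFT only shows the generic names. The record layout, the field names and the sample paths are this example's assumptions and constructed data, not anything taken from the case.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed INFO2 layout for the Windows 2000/XP/2003 recycler (not given in the thread): 20-byte header,
# then 800-byte records: ANSI path (260) | index (4) | drive (4) | FILETIME (8) | size (4) | UTF-16 path (520)
HEADER_LEN = 20
RECORD_LEN = 0x320
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def recycled_name(drive, index, original):
    """Name the recycler gives a file: 'D' + drive letter + record index + original extension."""
    basename = original.rsplit("\\", 1)[-1]
    ext = basename.rsplit(".", 1)[1] if "." in basename else ""
    return f"D{chr(ord('a') + drive)}{index}" + (f".{ext}" if ext else "")

def parse_info2(data):
    """Map each INFO2 record back to its original path; a trailing partial record (slack) is skipped."""
    version, record_len = struct.unpack_from("<I8xI", data, 0)
    if version != 5 or record_len != RECORD_LEN:
        raise ValueError(f"unexpected INFO2 header: version={version} record_len={record_len}")
    records = []
    for off in range(HEADER_LEN, len(data) - RECORD_LEN + 1, RECORD_LEN):
        rec = data[off:off + RECORD_LEN]
        index, drive, ftime, size = struct.unpack_from("<IIQI", rec, 260)
        original = rec[280:].decode("utf-16-le").split("\0", 1)[0]
        # The first ANSI byte is zeroed when an entry is restored or purged, so the record lingers but is inactive.
        records.append({"recycled": recycled_name(drive, index, original), "original": original, "size": size,
                        "deleted_utc": filetime_to_datetime(ftime), "active": rec[0] != 0})
    return records

def build_record(index, drive, original, deleted_utc, size, active=True):
    """Construct one synthetic 800-byte record for the sample below (not data from any real case)."""
    ansi = original.encode("cp1252").ljust(260, b"\0")
    ansi = (ansi[:1] if active else b"\0") + ansi[1:]
    d = deleted_utc - EPOCH_1601
    ft = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10   # exact integer FILETIME
    return ansi + struct.pack("<IIQI", index, drive, ft, size) + original.encode("utf-16-le").ljust(520, b"\0")

# Constructed INFO2 for volume E:, giving the 'De[num].[ext]' names seen in the thread.
SAMPLE = struct.pack("<I8xII", 5, RECORD_LEN, 0) + b"".join([
    build_record(1, 4, r"E:\Reports\q1_summary.doc", datetime(2010, 5, 10, 9, 15, tzinfo=timezone.utc), 40960),
    build_record(2, 4, r"E:\Reports\budget.xls", datetime(2010, 5, 11, 16, 2, tzinfo=timezone.utc), 12288, active=False),
])
```

Calling `parse_info2(SAMPLE)` returns De1.doc and De2.xls with their original paths, with the second flagged inactive because its first ANSI byte has been zeroed; on a real image, pass the bytes of the INFO2 file (or a carved copy) instead of `SAMPLE`.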
 
  

kiashi
Senior Member
 

Re: Server 2003 NTFS Volume Conversion

Posted: May 12, 10 15:23

brede, thanks for your quick reply.

Part of me did already know that... I think this case is just clouding my brain at the moment with its size!

Ok I have located the INFO2 record and it seems to have been emptied. There is some content left in slack space but it doesn't look like I'll get back the original names of my files. I am guessing this is something EnCase has already tried and was unable to do which is where some of my confusion obviously appeared.

Been a long week already and it's only Wednesday morning!
 
  

dc1743
Senior Member
 

Re: Server 2003 NTFS Volume Conversion

Posted: May 12, 10 17:29

Don't forget that within the Case Processor EnScript there is a Recycle Bin Info Record Finder module which can recover INFO2 records from unallocated.

Regards  
 
