Question RE:Recovered folders & overwritten files in Encase6

(@mbriggs)
Posts: 3
New Member
Topic starter
 

Hello,

In EnCase, after running the recover folders function, I am locating traces of image files that are being reported as overwritten/deleted. I can’t view these files using EnCase’s usual undelete function.
My question is whether there is any way to recover and view these files, and also can these files be bookmarked?

Thank you all,

 
Posted : 13/09/2012 11:46 pm
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

As I understand it, the "recover folders" feature looks for $MFT records in unallocated. Given the re-use of clusters, frequently you find that the data has been over-written - hence the lack of a viewable image.

So what these "over-written" entries show is not a file, but a record of a file which once existed. I don't think EnCase lets you bookmark them - the best you can do is blue-check them and right-click "export" a list.

 
Posted : 14/09/2012 7:12 pm
(@mbriggs)
Posts: 3
New Member
Topic starter
 

So, as far as best practices go, what is the best way to document the existence of these types of files once they are located if EnCase won't let you bookmark them so you can incorporate them into your report?

 
Posted : 14/09/2012 7:43 pm
(@scuzz)
Posts: 29
Eminent Member
 

Would highlighting the record of the file, i.e. 'PictureOfInterest.jpg', in the Text view, right-clicking and bookmarking as text, then incorporating the physical sector, file offset and length in the comments box provide you with a suitable record for court purposes? The details of the bookmarks can then be exported in an RTF from EnCase. This way, if another expert were to examine the same job, they would be able to input that data (from your comment box) and see the name of the file(s) in question exactly where you found them.

 
Posted : 16/09/2012 4:45 am
(@larrydaniel)
Posts: 229
Reputable Member
 

Blue check all of the files, right click and Export. This will let you export all the file system data that EnCase knows about. (You have to check the properties you want exported.)

Save it as a .csv, open it in Excel for pretty formatting purposes and you can then just put it in your report later.

 
Posted : 17/09/2012 10:21 pm
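
As an added illustration of the replies above (not code from any poster, and not EnCase's own logic): the sketch below scans a raw buffer for NTFS MFT "FILE" records on sector boundaries and reads the name from the resident $FILE_NAME attribute, which is why such a hit is a record of a file and not its content, and it returns the physical sector to note beside the name. The 512-byte sector and 1024-byte record sizes, the function names and the sample buffer are assumptions constructed for the example.

```python
import struct

SECTOR, REC = 512, 1024  # assumed sector and MFT record sizes

def parse_record(raw):
    """Return (in_use, names) for one FILE record, or None if it is not one."""
    if len(raw) < REC or raw[:4] != b"FILE":
        return None
    rec = bytearray(raw[:REC])
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    for i in range(1, usa_cnt):  # undo update-sequence fixups at sector ends
        end, src = i * SECTOR, usa_off + 2 * i
        if end <= REC and src + 2 <= REC:
            rec[end - 2:end] = rec[src:src + 2]
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    names = []
    while off + 0x18 <= REC:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen < 0x18:  # end marker or corrupt length
            break
        c = off + struct.unpack_from("<H", rec, off + 0x14)[0]  # content start
        if atype == 0x30 and rec[off + 8] == 0 and c + 0x42 <= REC:  # resident $FILE_NAME
            names.append(rec[c + 0x42:c + 0x42 + 2 * rec[c + 0x40]].decode("utf-16-le", "replace"))
        off += alen
    return bool(flags & 1), names  # flag bit 0 set means the record is in use

def scan(buf, base_sector=0):
    """Return (physical_sector, in_use, names) for each FILE record found."""
    hits = []
    for pos in range(0, len(buf) - REC + 1, SECTOR):
        parsed = parse_record(buf[pos:pos + REC])
        if parsed:
            hits.append((base_sector + pos // SECTOR, *parsed))
    return hits

def build_sample_record(name, in_use=False):
    """Constructed record: header plus one resident $FILE_NAME attribute."""
    rec, enc, a = bytearray(REC), name.encode("utf-16-le"), 0x38
    alen = (0x18 + 0x42 + len(enc) + 7) & ~7
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)  # fixup array offset, entry count
    struct.pack_into("<HH", rec, 0x14, a, int(in_use))
    struct.pack_into("<II", rec, a, 0x30, alen)
    struct.pack_into("<IH", rec, a + 0x10, 0x42 + len(enc), 0x18)
    rec[a + 0x58], rec[a + 0x59] = len(enc) // 2, 1  # name length, Win32 namespace
    rec[a + 0x5A:a + 0x5A + len(enc)] = enc
    struct.pack_into("<I", rec, a + alen, 0xFFFFFFFF)
    return bytes(rec)

SAMPLE = bytes(3 * SECTOR) + build_sample_record("PictureOfInterest.jpg") + bytes(SECTOR)
```

Calling `scan(SAMPLE, base_sector=1000)` reports the constructed record at physical sector 1003 as not in use, with its file name, even though no file content exists anywhere in the buffer.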