FTK Imager Not seeing deleted files

(@mevans101)

Good Afternoon,

I have just started using FTK Imager 4.3.1.1. In testing I deleted files from a thumbdrive, then, using FTK Imager, added the thumbdrive as an evidence item, and was able to see the deleted files crossed out with red x's. I repeated the procedure on a hard drive I removed from a laptop, but was not able to see the deleted files. Wondering why that is? Thanks

Posted : 30/09/2020 5:51 pm

(@deltron)

Ok, what type of hard drive is it?

Posted : 30/09/2020 8:26 pm

(@mevans101)

@deltron

Thanks for responding.

It's a Seagate Serial ATA DISK DRIVE.

Posted : 01/10/2020 2:26 pm

(@kastajamah)

@deltron Valid question. Is this person looking at an HDD or an SSD? Also, can there be other factors, like wiping software being used?

Posted : 01/10/2020 3:56 pm

(@mevans101)


Drive is HDD. Not aware of the drive ever being wiped.

Posted : 01/10/2020 6:32 pm

(@redmercy)

@mevans101

What filesystem was the drive and what file system was the USB?

Posted : 05/10/2020 9:14 pm

(@mevans101)


@redmercy

Both are NTFS.

Posted : 07/10/2020 7:22 pm

(@athulin)

Posted by: @mevans101

In testing I deleted files from a thumbdrive, then, using FTK Imager, added the thumbdrive as an evidence item, and was able to see the deleted files crossed out with red x's.

Well, you should know. You should know what your tool's reports are based on. If you don't, you can't interpret them safely. So read and reread any relevant user information or support forum post. (You may find that you get pointed at FTK documentation ... if so, you may safely draw the conclusion that using undocumented free stuff is not a good idea, from a forensic point of view, unless you have obtained the necessary training in the use of the tool, or similar information.)

I may guess that FTK Imager bases its red-crosses for deleted files on MFT records that are not currently in use, but retain previous information, and perhaps also on NTFS directory info that remains (though I'm not sure about that).

If that is where the information comes from, then the answers are fairly self-evident: your hard drive does not have any deleted files. Or ... it does not have any deleted file with retained information that can be reported. Or ... something changed in the on-disk format, that the tool you are using does not know about. Or ... perhaps the version of FTK Imager you use is buggy? Or ... 

Why that should be is another question, and needs to take into account the exact information (or absence of it) that leads to those red crosses. Are there no deleted files, or has any remaining information about deleted files been cleared? (Again, you need to know how your tool behaves in that scenario. Are there cleaning tools or traces of them present?) Or ... has some kind of initialization or backup or restore operation rebuilt the volume?

At some point, though, you must always be prepared to say "I don't know." Especially if it is a legal case.  In an education setting, it's different.

If you don't know Brian Carrier's book "File System Forensic Analysis", go get it as soon as you can, and deep-dive into the NTFS chapters.

Posted : 08/10/2020 5:37 am
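athulin's guess above is that the red X comes from MFT records that are no longer in use but still hold their metadata. As an added illustration (not code from this thread, and not FTK Imager's own logic), the following Python builds constructed 1024-byte NTFS FILE records and classifies them the way any such tool has to: allocated, free but with metadata retained (a reportable deleted file), or empty (nothing to report). Assumptions: update-sequence fixups are skipped and only the resident $FILE_NAME attribute is parsed.

```python
import struct

# Constructed sample MFT entries (not from any real disk): 1024-byte FILE records,
# update-sequence fixups omitted for brevity.
RECORD_SIZE = 1024
FLAG_IN_USE, ATTR_FILE_NAME, ATTR_END = 0x01, 0x30, 0xFFFFFFFF

def _file_name_attr(name):
    """Build a resident $FILE_NAME attribute (type 0x30) carrying `name`."""
    utf16 = name.encode("utf-16-le")
    # parent ref, four timestamps, two sizes, flags, reparse = 64 bytes (zeroed here)
    body = b"\x00" * 64 + struct.pack("<BB", len(name), 3) + utf16
    content_len = len(body)
    body += b"\x00" * (-content_len % 8)          # attributes are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, 24 + len(body),
                      0, 0, 24, 0, 0, content_len, 24, 0, 0)
    return hdr + body

def make_record(name, in_use):
    """Assemble a minimal FILE record: 56-byte header, one $FILE_NAME, end marker."""
    attrs = _file_name_attr(name) + struct.pack("<I", ATTR_END)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, 56,
                      FLAG_IN_USE if in_use else 0, 56 + len(attrs),
                      RECORD_SIZE, 0, 1, 0, 0)
    rec = hdr.ljust(56, b"\x00") + attrs
    return rec.ljust(RECORD_SIZE, b"\x00")

def classify_record(rec):
    """Return (state, name): what a tool can still report from one MFT entry."""
    if rec[:4] != b"FILE":
        return ("unused", None)   # never written, or zeroed by a wipe/reformat: nothing to show
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    off, name = first_attr, None
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:      # resident attribute only
            content = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            nlen = rec[content + 64]
            name = rec[content + 66: content + 66 + 2 * nlen].decode("utf-16-le")
        off += alen
    if flags & FLAG_IN_USE:
        return ("allocated", name)
    return ("deleted", name)      # record free but metadata retained: the "red X" case

if __name__ == "__main__":
    for rec in (make_record("report.docx", True), make_record("old.txt", False), bytes(RECORD_SIZE)):
        print(classify_record(rec))
```

A record whose $FILE_NAME has been overwritten still classifies as deleted but with no name, which is why a wiped or rebuilt volume shows nothing even though files were once removed.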