FTK Imager Not seeing deleted files  

mevans101
(@mevans101)
New Member

Good Afternoon,

I have just started using FTK Imager 4.3.1.1.  In testing I deleted files from a thumbdrive, then, using FTK Imager, added the thumbdrive as an evidence item, and was able to see the deleted files crossed out with red x's.  I repeated the procedure on a hard drive I removed from a laptop, but was not able to see the deleted files.  Wondering why that is?  Thanks

Posted : 30/09/2020 6:51 pm
Deltron
(@deltron)
Active Member

Ok, what type of hard drive is it?

Posted : 30/09/2020 9:26 pm
mevans101
(@mevans101)
New Member

@deltron

Thanks for responding.

It's a Seagate Serial ATA DISK DRIVE 

Posted : 01/10/2020 3:26 pm
kastajamah
(@kastajamah)
Member

@deltron Valid question.  Is this person looking at an HDD or an SSD?  Also, can there be other factors, like wiping software having been used?

Posted : 01/10/2020 4:56 pm
mevans101
(@mevans101)
New Member

Drive is HDD.  Not aware of the drive ever being wiped.

Posted : 01/10/2020 7:32 pm
Redmercy
(@redmercy)
New Member

@mevans101

What filesystem was the drive and what file system was the USB?

Posted : 05/10/2020 10:14 pm
mevans101
(@mevans101)
New Member

@redmercy

Both are NTFS.

Posted : 07/10/2020 8:22 pm
athulin
(@athulin)
Community Legend
Posted by: @mevans101

In testing I deleted files from a thumbdrive, then, using FTK Imager, added the thumbdrive as an evidence item, and was able to see the deleted files crossed out with red x's.

Well, you should know. You should know what your tool's reports are based on.  If you don't, you can't interpret them safely. So read and reread any relevant user information or support forum post. (You may find that you get pointed at FTK documentation ... if so, you may safely draw the conclusion that using undocumented free stuff is not a good idea, from a forensic point of view, unless you have obtained the necessary training in the use of the tool, or similar information.)

I may guess that FTK Imager bases its red-crosses for deleted files on MFT records that are not currently in use, but retain previous information, and perhaps also on NTFS directory info that remains (though I'm not sure about that).

If that is where the information comes from, then the answers are fairly self-evident: your hard drive does not have any deleted files. Or ... it does not have any deleted file with retained information that can be reported. Or ... something changed in the on-disk format, that the tool you are using does not know about. Or ... perhaps the version of FTK Imager you use is buggy? Or ... 

Why that should be is another question, and needs to take the exact information (or absence of it) that leads to those red-crosses. Are there no deleted files, or has any remaining information of deleted files been cleared?  (Again, you need to know how your tool behaves for that scenario. Are there cleaning tools or traces of them present?) Or ... has some kind of initialization or backup or restore operation rebuilt the volume?

At some point, though, you must always be prepared to say "I don't know." Especially if it is a legal case.  In an education setting, it's different.

If you don't know Brian Carrier's book "File System Forensic Analysis", go get it as soon as you can, and deep-dive into the NTFS chapters.

Posted : 08/10/2020 6:37 am
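To make the guess above concrete, here is an added example (written for this thread, not FTK Imager's own logic, and the MFT bytes are constructed, not a dump from a real volume): it walks 1024-byte MFT FILE records, reads the in-use flag from the record header, and pulls the name from any surviving resident $FILE_NAME attribute. A record that is not in use but still carries a name is the kind of thing a "red x" listing can rest on; a record slot that has been zeroed (as after a wipe or a volume rebuild) carries nothing recoverable. Field offsets follow the public NTFS on-disk layout; the fixup array is left empty for brevity.

```python
import struct

MFT_RECORD_SIZE = 1024
FLAG_IN_USE = 0x0001          # record header flag: clear means the record is not allocated
FLAG_DIRECTORY = 0x0002
ATTR_FILE_NAME = 0x30         # $FILE_NAME attribute type
ATTR_END = 0xFFFFFFFF         # end-of-attribute-list marker


def build_record(name: str, in_use: bool, recno: int) -> bytes:
    """Constructed minimal MFT FILE record with one resident $FILE_NAME (test data only)."""
    wname = name.encode("utf-16-le")
    body = bytes(0x40) + struct.pack("<BB", len(name), 3) + wname   # 0x40 bytes of fixed fields
    body += bytes((-len(body)) % 8)                                  # attribute bodies are 8-byte aligned
    attr = struct.pack("<IIBBHHH", ATTR_FILE_NAME, 0x18 + len(body), 0, 0, 0x18, 0, 0)
    attr += struct.pack("<IHBB", len(body), 0x18, 1, 0) + body       # resident attribute header
    flags = FLAG_IN_USE if in_use else 0
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, flags,
                                0x38 + len(attr) + 8, MFT_RECORD_SIZE, 0, 1, 0, recno)
    rec = hdr.ljust(0x38, b"\0") + attr + struct.pack("<I", ATTR_END)
    return rec.ljust(MFT_RECORD_SIZE, b"\0")


def parse_record(rec: bytes):
    """Return {'in_use', 'dir', 'name'} for a FILE record, or None if the signature is gone."""
    if rec[:4] != b"FILE":
        return None
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)        # 0x14 first attr, 0x16 flags
    name, off = None, first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:            # resident attributes only
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return {"in_use": bool(flags & FLAG_IN_USE), "dir": bool(flags & FLAG_DIRECTORY), "name": name}


def find_deleted(mft: bytes):
    """Names from records that are not in use but still carry a $FILE_NAME: the 'red x' set."""
    hits = []
    for i in range(0, len(mft), MFT_RECORD_SIZE):
        info = parse_record(mft[i:i + MFT_RECORD_SIZE])
        if info and not info["in_use"] and info["name"]:
            hits.append(info["name"])
    return hits


# Constructed sample: one live file, one deleted file whose record survives, one zeroed slot.
SAMPLE_MFT = (build_record("report.docx", True, 64) + build_record("budget.xlsx", False, 65)
              + bytes(MFT_RECORD_SIZE))

if __name__ == "__main__":
    print(find_deleted(SAMPLE_MFT))   # ['budget.xlsx']
```

Only the second record is reported: the live file is in use, and the zeroed slot has no FILE signature left to read, which is the "nothing retained to report" case.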