FTK Imager Not seeing deleted files
I have just started using FTK Imager 220.127.116.11. In testing I deleted files from a thumbdrive, then using FTK Imager, added the thumbdrive as an evidence item, and was able to see the deleted files crossed out with red x's. I repeated the procedure on a hard drive I removed from a laptop, but was not able to see the deleted files. Wondering why that is? Thanks
Ok, what type of hard drive is it?
Drive is HDD. Not aware of the drive ever being wiped.
In testing I deleted files from a thumbdrive, then using FTK Imager, added the thumbdrive as an evidence item, and was able to see the deleted files crossed out with red x's.
Well, you should know. You should know what your tool reports are based on. If you don't, you can't interpret them safely. So read and reread any relevant user information or support forum post. (You may find that you get pointed at FTK documentation ... if so, you may safely draw the conclusion that using undocumented free stuff is not a good idea, from a forensic point of view, unless you have obtained the necessary training in the use of the tool, or similar information.)
I may guess that FTK Imager bases its red-crosses for deleted files on MFT records that are not currently in use, but retain previous information, and perhaps also on NTFS directory info that remains (though I'm not sure about that).
If that is where the information comes from, then the answers are fairly self-evident: your hard drive does not have any deleted files. Or ... it does not have any deleted file with retained information that can be reported. Or ... something changed in the on-disk format, that the tool you are using does not know about. Or ... perhaps the version of FTK Imager you use is buggy? Or ...
Why that should be is another question, and needs to take into account the exact information (or absence of it) that leads to those red crosses. Are there no deleted files, or has any remaining information of deleted files been cleared? (Again, you need to know how your tool behaves for that scenario. Are there cleaning tools or traces of them present?) Or ... has some kind of initialization or backup or restore operation rebuilt the volume?
At some point, though, you must always be prepared to say "I don't know." Especially if it is a legal case. In an education setting, it's different.
If you don't know Brian Carrier's book "File System Forensic Analysis", go get it as soon as you can, and deep-dive into the NTFS chapters.
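As an added example, not from this thread or from FTK Imager's own code: a small Python parser that applies the distinction the reply above describes, an MFT record whose in-use flag is clear but whose $FILE_NAME attribute still carries a name. Offsets follow the NTFS on-disk FILE record layout; the sample records are constructed inline and omit update-sequence fixups, which a parser working on a real $MFT must apply before reading a record.

```python
import struct

FILE_SIG = b"FILE"
FLAG_IN_USE = 0x0001      # record flags at offset 0x16 of the FILE record header
FLAG_DIRECTORY = 0x0002
ATTR_FILE_NAME = 0x30     # $FILE_NAME attribute type
REC_SIZE = 1024

def build_record(name: str, in_use: bool) -> bytes:
    """Constructed sample: a minimal FILE record with one resident $FILE_NAME attribute (no fixups)."""
    utf16 = name.encode("utf-16-le")
    # $FILE_NAME content: parent ref, 4 timestamps, alloc/real size, flags, reparse, name len, namespace, name
    content = struct.pack("<Q32sQQIIBB", 5, b"\0" * 32, 0, 0, 0, 0, len(name), 3) + utf16
    alen = (24 + len(content) + 7) & ~7          # attribute length, 8-byte aligned
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, alen, 0, 0, 0, 0, 0, len(content), 24, 1, 0)
    attr = (attr + content).ljust(alen, b"\0")
    flags = FLAG_IN_USE if in_use else 0
    header = struct.pack("<4sHHQHHHHIIQH", FILE_SIG, 0x30, 0, 0, 7, 1 if in_use else 0,
                         0x38, flags, 0x38 + alen + 8, REC_SIZE, 0, 1).ljust(0x38, b"\0")
    return (header + attr + struct.pack("<I", 0xFFFFFFFF)).ljust(REC_SIZE, b"\0")

def classify_record(rec: bytes) -> dict:
    """Report what a tool could show for one MFT record: allocated, deleted-with-name, or nothing."""
    if rec[:4] != FILE_SIG:
        return {"state": "unused/never allocated", "name": None, "directory": False}
    seq, _links, attr_off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    name, off = None, attr_off
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:      # end-of-attributes marker
            break
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:   # resident $FILE_NAME
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff: off + coff + clen]
            name = content[66:66 + 2 * content[64]].decode("utf-16-le")
        off += alen
    if flags & FLAG_IN_USE:
        state = "allocated"
    elif name is not None:
        state = "deleted, metadata retained"      # the case a tool can mark with a red X
    else:
        state = "deleted, metadata gone"
    return {"state": state, "name": name, "directory": bool(flags & FLAG_DIRECTORY), "seq": seq}

def scan(mft: bytes) -> list:
    return [classify_record(mft[i:i + REC_SIZE]) for i in range(0, len(mft), REC_SIZE)]

# Constructed $MFT fragment: one live file, one deleted file with its name intact, one blank record.
SAMPLE_MFT = build_record("report.docx", True) + build_record("notes.txt", False) + b"\0" * REC_SIZE
```

Run scan(SAMPLE_MFT) to see the three states side by side; a volume where the second case never occurs is exactly the situation the original poster describes.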