Software to get a report(.csv) of deleted files on a system
Hello community, I am looking for a way I can simply run a scan of an entire image or say a users home directory of deleted files and output that to a .csv. The use case is the customer wants to see a list of deleted files between a certain date of the users/home directory. I use Autopsy, Belkasoft, FTK, MiniTool Power Data recovery. I dont see where any of them can run a report of deleted files and output that to a .csv. Seems basic so I am sure I am missing something...but I cannot seem to find it.
Ideal would be able to run two specific reports.
1) All deleted files for the entire image on a specific date.
2) All deleted files for the users/home directory on a broader date range.
So far, I can see where I can simply recover the files, but not seeing an option just to run this type of report.
The MiniTool folks already said this is not possible.
I can output to a .csv in Autopsy, but I don't get to set a filter for Just deleted and Just a specific date.
Same with Belkasoft as far as I can tell.
I am assuming you are using a Windows NTFS file system.
If you are carving deleted files based on header and footer signatures, then there will be no dates and no file path information. So your request is impossible.
However if you are just looking at deleted records in the MFT, then you can usually get the path & access date. OSForensics can export a list to CSV in this case.
Once exported to CSV, then you can just use Excel to sort and filter.
I do use "Recover My Files v3.95" for this. This version can export a list to CSV file. I know, I know, its an old version, but this is the one I have licenced. You can even select the path from which you want to recover. However I am not sure if the demo version can export to CSV, but if you can find it its worth to try. Maybe the recent version does it aswell...
Including "date modified, date created and date accessed"
I would use sleuthkit, in my opinion it is the most effective tool for a task like this. And it is free.
Sleuthkit runs on Windows as well, if that is what rocks your boat, but if you are serious about digital forensics I recommend you start learning Linux.
Take any Debian based Linux distribution and install sleuthkit:
# sudo apt-get install sleuthkit
Use the fls utility from the sleuthkit package to obtain your desired output:
fls -o 2048 -l -d -r -p image.E01 > output.csv
-o -offset in sectors where the partition starts
-l -display the long version (mac times, size)
-d -display only deleted entries
-r -recurse into subdirectories
-p -display full path for each file
After a while you should have your .csv ready with info from MFT on all the deleted entries. Then just use your spreadsheet skills and perform the necessary filtration on dates, paths, whatever.