I'm curious about a couple of the responses that have appeared in this discussion…
In my response post on Thu Sep 08, 2005 10:45 am, markfu14 (the OP) said "…there isn't a FAT or MFT table entry pointing to the file, and the filenames and MAC times are indeed gone. There is no metadata associated with the graphics that FTK could recover, so it is really just an assumption that they were downloaded via the web."
So, therefore, with no FAT/MFT entry, these are simply graphics files that are occupying sectors on the hard drive that are waiting to be assigned.
andy1550mac…you said, "If you found the images in "free space" I would try and locate an INFO2 file. This may tell you the full path that the image was deleted from as well as time."
Could you elaborate on how this would work, given that the INFO2 file contains filenames, not sectors? If there are no filenames associated with the images that markfu14 found, how would examining the INFO2 file be of use?
I would think that Greg Marshall's technique would be more revealing, but I'm curious to learn more about what you're referring to.
Thanks,
H. Carvey
"Windows Forensics and Incident Recovery"
http://windowsir.blogspot.com
Harlan,
I was under the assumption that mark wanted to try and associate a user to an image.
Granted, the images he has recovered do not have any file names attached; if parsing an INFO2 file using, for example, the CLI application rifiuti, he may find that a particular user deleted ten JPEGs… on, for example, August 10th.
So hypothetically he might see that on the above date the pictures were deleted from C:\documents and settings\Benny hill\my documents\pics\
I was implying that it could provide some information and or corroborate other findings…
Basically checking another venue can't hurt.
I'm not 100% sure but I think Rifiuti also provides the deleted filesize..
Andrew-
Andrew,
First, let me say that because of the work I do, I'm very interested in exploring the process/methodology that you've mentioned. I'm not trying to take you to task, or be a j**k about this, so please excuse me if I don't immediately understand and continue asking questions.
I was under the assumption that mark wanted to try and associate a user to an image.
I'm under the same assumption.
Granted, the images he has recovered do not have any file names attached; if parsing an INFO2 file using, for example, the CLI application rifiuti, he may find that a particular user deleted ten JPEGs… on, for example, August 10th.
So hypothetically he might see that on the above date the pictures were deleted from C:\documents and settings\Benny hill\my documents\pics\
Okay, this is where I'm really missing something. Markfu14 stated that there's no metadata associated with the images found in free space…no FAT/MFT entry, etc…therefore, no filename.
Since the INFO2 file lists files by filename, how would he be able to then track the file back to a specific user?
Files in the Recycle Bin aren't really deleted…they're just in a temporary directory of sorts. They still occupy sectors on the disk, and aren't technically in "free space". However, using the CLI command "del" does "delete" the files (without moving them into the Recycle Bin), essentially freeing the sectors for use.
I'm completely on board with you regarding exploring other avenues and leaving "no stone unturned"…no pun intended. And I am familiar with the use of the FoundStone tool you've mentioned. However, I seem to be missing some small piece of information that would link all of this together. How can I track file names from the Recycle Bin if the files that markfu14 located don't have any file names associated with them?
Thanks,
H. Carvey
"Windows Forensics and Incident Recovery"
windowsir.blogspot.com
Hey Harlan,
I don’t think you are missing something and I wouldn’t worry about taking me to task as I’m pretty green therefore welcome any feedback, especially if I’m off the mark.
Mark wouldn’t be able to link the files back to a particular user unequivocally…without the original filenames he couldn’t. I was thinking that as there are so many users it must be a corporate environment. If INFO2 files were found and all contained "regular" deletions (.doc, .xls) and one contained an extraordinary amount of deleted .jpegs he could perhaps approach the user with this info (without being specific as to what was found) and get an admission of guilt…. Perhaps. Assuming again that the path contained the username.
Lots of assumptions… eh?
Andrew-
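As an added illustration of the INFO2 approach Andrew describes in his two posts (this is example code, not from this thread and not rifiuti itself), the Python below parses the Windows 2000/XP INFO2 record layout that rifiuti reads, listing each entry's original path, drive, deletion time and size, and then tallies deletions per profile and extension so that one profile with an unusual number of deleted JPEGs stands out. The INFO2 bytes, user names and paths are constructed for the example, and the profile name is assumed to sit under C:\Documents and Settings\.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# INFO2 (Windows 2000/XP Recycler): 20-byte header followed by fixed-size 800-byte records.
HEADER_FMT = "<IIIII"            # version, unknown, unknown, record size, total logical size
RECORD_FMT = "<260sIIQI520s"     # ANSI path, index, drive number, FILETIME, size, UTF-16LE path
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100 ns ticks from here

def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_info2(data):
    """Return one dict per INFO2 record: original path, drive, deletion time, size, bin status."""
    _version, _, _, rec_size, _ = struct.unpack_from(HEADER_FMT, data, 0)
    records = []
    for off in range(struct.calcsize(HEADER_FMT), len(data) - rec_size + 1, rec_size):
        ansi, idx, drive, ft, size, uni = struct.unpack_from(RECORD_FMT, data, off)
        records.append({"index": idx, "drive": chr(ord("A") + drive), "size": size,
                        "deleted": filetime_to_datetime(ft),
                        "path": uni.decode("utf-16-le").split("\0", 1)[0],
                        "emptied": ansi[0] == 0})  # emptying the bin zeroes the first ANSI byte; record stays
    return records

def deletions_by_user_and_ext(records):
    """Count deletions per (profile, extension); profile is taken from C:\\Documents and Settings\\<user>."""
    counts = Counter()
    for r in records:
        parts = r["path"].split("\\")
        user = parts[2] if len(parts) > 2 and parts[1].lower() == "documents and settings" else None
        ext = r["path"].rsplit(".", 1)[-1].lower() if "." in r["path"] else ""
        counts[(user, ext)] += 1
    return counts

def make_record(index, path, deleted, size):
    """Build one constructed INFO2 record for the sample below (not real evidence)."""
    delta = deleted - FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack(RECORD_FMT, path.encode("latin-1").ljust(260, b"\0"), index,
                       ord(path[0].upper()) - ord("A"), ft, size,
                       path.encode("utf-16-le").ljust(520, b"\0"))

# Constructed sample: two JPEGs deleted from one profile and a .doc from another, all on 10 Aug 2005.
AUG10 = datetime(2005, 8, 10, 14, 3, 0, tzinfo=timezone.utc)
SAMPLE_INFO2 = struct.pack(HEADER_FMT, 5, 0, 0, 800, 0) + b"".join([
    make_record(1, r"C:\Documents and Settings\bhill\My Documents\pics\img001.jpg", AUG10, 48213),
    make_record(2, r"C:\Documents and Settings\bhill\My Documents\pics\img002.jpg", AUG10, 51002),
    make_record(3, r"C:\Documents and Settings\jsmith\My Documents\budget.doc", AUG10, 30720),
])
```

Running `deletions_by_user_and_ext(parse_info2(SAMPLE_INFO2))` on the sample gives two .jpg deletions for bhill and one .doc for jsmith; as Andrew notes, this shows which profile deleted JPEGs on a given date, not which free-space image was which file.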
Andy,
Thanks for the clarification.
H. Carvey
"Windows Forensics and Incident Recovery"
http://windowsir.blogspot.com