
Autopsy forensics

5 Posts
2 Users
2 Reactions
2,918 Views
(@tony75)
Eminent Member
Joined: 7 years ago
Posts: 33
Topic starter  

Hi

Autopsy recovered two images with red cross icons from a formatted USB stick, with the names image1 and f0000000.jpg; both images are the same!

My question is: what does “f0000000.jpg” mean, and why did Autopsy recover it two times even though I put only one image (image1) on the USB stick?


jaclaz
(@jaclaz)
Illustrious Member
Joined: 17 years ago
Posts: 5133
Posted by: @tony75

Hi

Autopsy recovered two images with red cross icons from a formatted USB stick, with the names image1 and f0000000.jpg; both images are the same!

My question is: what does “f0000000.jpg” mean, and why did Autopsy recover it two times even though I put only one image (image1) on the USB stick?

Tony75, please consider that we are not (at least I am not) clairvoyants.

If you want good, valid answers, you must learn to write questions properly.

DESCRIBE what you did (EXACTLY).

If possible explain the INTENDED SCOPE of the experiment.

Explain (in DETAIL) why what you obtained is different from what you expected.

It seems like you:
1) *somehow* formatted (HOW?, under which OS, with which tool, using what parameters, with which filesystem, etc., etc.) a USB stick (which USB stick, which size, is it partitioned, etc.?)
2) copied an image to the stick (how, which image, with which filename, which size is it, etc.)
3) *somehow* formatted again (HOW?, under which OS, with which tool, using what parameters, with which filesystem, etc., etc.)
4) ran Autopsy against the USB stick (HOW exactly?)
5) obtained two images that are the same (Are they actually the same? Are they the same size? Or do they only look the same? Which extents does the one and the other occupy? Or, if you prefer, did you obtain two separate files or two pointers to the same file/extents?)


Anyway, I had a look at my crystal ball ;), and very likely the f0000000.jpg comes from the Photorec Carver Module:
https://sleuthkit.org/autopsy/docs/user-docs/3.1/photorec_carver_page.html

But the image (same extents) had already been found (as image1.jpg) by a previous scan of the filesystem or of its remnants.


jaclaz


(@tony75)
Eminent Member
Joined: 7 years ago
Posts: 33
Topic starter  

@jaclaz, I don’t know why you think I’m not clear?

I have a 16GB USB drive which contained a Word document; then I formatted my USB stick on Win10, after that I put image1 on it and deleted it, to investigate whether Autopsy recovers both image1.jpg and the Word file. But Autopsy just recovered image1.jpg, two times with two names: first image1.jpg and second f0000000.jpg.

There is no partition on my USB stick, and I didn't use Linux in my case, therefore I didn't mention it; as you know, the standard file system for a USB stick is FAT32.

I made a disk image (.E01) of my USB stick.

Still not clear?

jaclaz
(@jaclaz)
Illustrious Member
Joined: 17 years ago
Posts: 5133

You made an experiment, and you were baffled by the results.

Then you asked for the explanation of these results without detailing the conditions of the experiment. 

If you format in any Windows after Vista without using the /q or "quick" option, the device is filled with zeroes.

So if you wrote a file to the device and later formatted it (without /q or "quick"), the file is overwritten with 00's and cannot be recovered.

Then you write a file and delete it.

When you delete a file, the file can normally be undeleted/recovered.

The undeletion gave you as result the file image1.jpg

The carving of the volume gave you as result the f0000000.jpg.

Results of the experiment are exactly as expected.

A wiped (overwritten with 00's) file cannot be recovered, it is gone.

A deleted file (actually a file marked as deleted in the relevant filesystem indexing structure) can be undeleted/recovered, keeping the original filename and possibly filesystem metadata (dates/times/attributes/permissions/etc.).

The same file (the same extents on disk, possibly contiguous) will be carved and recovered with an arbitrary filename (and with newly created metadata).

Let's see if I can explain with one of my half-@§§ed book analogies.

You take a book:

https://books.google.it/books?id=YqfPAAAAMAAJ&printsec=frontcover#v=onepage&q&f=false

It has an index (or contents) on page XV, that tells you that Chapter 2 begins on page 5 and is titled "The Mail".

The incipit (first sentence) of Chapter 2 is "It was the Dover road that lay, on a Friday night late in November, before the first of the persons with whom this history has business.".

Now, imagine that you rip off the book page XV.

It will be trivial to find by simply flipping the pages, that there is on page 5 a "Chapter 2" which is titled the "The Mail", and thus you can "recover" the first sentence "It was the Dover road that lay, on a Friday night late in November, before the first of the persons with whom this history has business.".

You have "recovered" the sentence with all its metadata (Chapter #, title, page #).

Now imagine that a madman has cut the page number off each page, has unbound the book, shuffling the pages, and has used liquid paper to delete the chapter numbers and their titles.

In some time you can go through each page until you find one that begins with "It was the Dover road that lay, on a Friday night late in November, before the first of the persons with whom this history has business.".

You have carved the sentence (but have no idea about the Chapter #, its title or the page #).

jaclaz

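The two recovery paths jaclaz describes (undeletion from the directory entry versus carving of the raw data, and the effect of a full format) can be shown byte for byte. The following is an added example written for this thread; it is not jaclaz's code, not Autopsy's and not PhotoRec's. It assumes a toy FAT-style layout (512-byte clusters, one reserved sector, the root directory in cluster 2, the file stored contiguously from cluster 3), a constructed stand-in byte string for the JPEG, the TSK/Autopsy convention of showing the lost first character of a deleted FAT name as "_", and a "f<sector>.jpg" naming for carved output that approximates how a carver names its results rather than reproducing PhotoRec's exact scheme.

```python
import hashlib
import struct

# Constructed toy layout (not a real FAT32 image): one reserved sector, then the
# data area; clusters are numbered from 2 and cluster 2 holds the root directory.
CLUSTER = 512
DATA_OFFSET = 512
ENTRY = 32

# Constructed stand-in for a JPEG: SOI + APP0 marker, filler bytes, EOI. Not decodable.
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 2 + b"\xff\xd9"


def cluster_offset(n: int) -> int:
    return DATA_OFFSET + (n - 2) * CLUSTER


def dir_entry(name83: str, first_cluster: int, size: int, deleted: bool) -> bytes:
    """32-byte FAT short directory entry. Deleting a file only sets byte 0 to 0xE5."""
    name = name83.encode("ascii").ljust(11, b" ")
    if deleted:
        name = b"\xe5" + name[1:]
    return (name + b"\x20" + b"\x00" * 8                 # name, attr (archive), reserved/times
            + struct.pack("<H", first_cluster >> 16)     # FstClusHI (offset 20)
            + b"\x00" * 4                                # write time/date
            + struct.pack("<H", first_cluster & 0xFFFF)  # FstClusLO (offset 26)
            + struct.pack("<I", size))                   # FileSize  (offset 28)


def build_volume(deleted: bool) -> bytes:
    """Root directory in cluster 2, IMAGE1.JPG stored contiguously from cluster 3."""
    root = dir_entry("IMAGE1  JPG", 3, len(JPEG_BYTES), deleted).ljust(CLUSTER, b"\x00")
    nclus = -(-len(JPEG_BYTES) // CLUSTER)
    data = JPEG_BYTES.ljust(nclus * CLUSTER, b"\x00")
    return b"\x00" * DATA_OFFSET + root + data + b"\x00" * CLUSTER


def full_format(volume: bytes) -> bytes:
    """Stand-in for a non-quick Windows format: everything is overwritten with 00s."""
    return b"\x00" * len(volume)


def undelete(volume: bytes) -> list[tuple[str, bytes]]:
    """Filesystem-level recovery: walk the root directory for 0xE5 entries and read
    the file back from the metadata they still carry (name, start cluster, size)."""
    found = []
    root = volume[cluster_offset(2):cluster_offset(3)]
    for i in range(0, CLUSTER, ENTRY):
        e = root[i:i + ENTRY]
        if e[0] == 0x00:          # no further entries
            break
        if e[0] != 0xE5:          # live entry, nothing to undelete
            continue
        # The first character is lost; TSK/Autopsy show it as '_' (IMAGE1.JPG -> _MAGE1.JPG).
        base = (b"_" + e[1:8]).rstrip(b" ").decode("ascii")
        ext = e[8:11].rstrip(b" ").decode("ascii")
        first = (struct.unpack_from("<H", e, 20)[0] << 16) | struct.unpack_from("<H", e, 26)[0]
        size = struct.unpack_from("<I", e, 28)[0]
        # The FAT chain is cleared on delete, so recovery assumes contiguous clusters.
        start = cluster_offset(first)
        found.append((f"{base}.{ext}", volume[start:start + size]))
    return found


def carve(volume: bytes) -> list[tuple[str, bytes]]:
    """Content-level recovery: ignore the filesystem and look for JPEG SOI ... EOI.
    The name only records where the data was found (sector number); there is no
    original filename or timestamp to recover. A real carver also parses JPEG
    segments instead of trusting the first FF D9 it sees (assumed naive approach)."""
    found, pos = [], 0
    while (start := volume.find(b"\xff\xd8\xff", pos)) >= 0:
        end = volume.find(b"\xff\xd9", start + 3)
        if end < 0:
            break
        found.append((f"f{start // 512:07d}.jpg", volume[start:end + 2]))
        pos = end + 2
    return found


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    vol = build_volume(deleted=True)
    for name, data in undelete(vol) + carve(vol):
        print(f"{name:14} {len(data):5} bytes  sha256={sha256_hex(data)[:16]}...")
    print("after full format:", undelete(full_format(vol)), carve(full_format(vol)))
```

Running it on the "deleted" volume yields one file from each path, `_MAGE1.JPG` with its original size from the directory entry and `f0000002.jpg` from the signature scan, and the two byte strings hash identically: the same extents, reported twice under two names, which is what the thread observed. On the fully formatted (zero-filled) volume both functions return nothing, which is the fate of the Word document in Tony75's experiment.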
(@tony75)
Eminent Member
Joined: 7 years ago
Posts: 33
Topic starter  

@jaclaz

Wonderful

Thanks for your answer, I really appreciate it.

