I need help with some basic questions. Looking on the web I have gotten conflicting information. Thanks in advance for your help. A lot of questions from this newbie
- Is Metadata definitively or generally lost when you completely delete a file?
- When I run Recuva I get MAC dates but they are all the same?
- Are filenames and paths lost when you completely delete a file?
- How are clusters allocated - first fit? Does this put all clusters in the beginning of disk thus allowing unallocated clusters to be overwritten?
- How do you find out when a file was deleted?
- There is no reliable Metadata from carved files. Correct?
Thanks again.
I need help with some basic questions. Looking on the web I have gotten conflicting information. Thanks in advance for your help. A lot of questions from this newbie
- Is Metadata definitively or generally lost when you completely delete a file?
No - depends on file system. NTFS typically OK, MAC typically lost- When I run Recuva I get MAC dates but they are all the same?
??- Are filenames and paths lost when you completely delete a file?
Depends on file system and how much is deleted. NTFS often info can be reconstructed, but not on a MAC- How are clusters allocated - first fit? Does this put all clusters in the beginning of disk thus allowing unallocated clusters to be overwritten?
Depends on operating system - but generally starts at start of disk- How do you find out when a file was deleted?
Depends on file system- There is no reliable Metadata from carved files. Correct?
The file meta data still exists, but not the file system metadataThanks again.
I am sorry I meant Modified Accessed and Created (MAC)
I also meant to say that all questions are geared to NTFS
What do you mean by "completely deleted"?
Put in Recycle Bin?
Empty Recycle Bin?
Scrub/wipe/erase?
Cheers
Homework questions I take it….
Homework questions I take it….
Clearly something along those lines.
How about post the conflicting information you've found so far and we can help set you on the right path.
- Is Metadata definitively or generally lost when you completely delete a file?
Depends on the metadata. Metadata contained within the file goes with the file. Metadata such as the MFT record for the file will persist until the record is overwritten.
- When I run Recuva I get MAC dates but they are all the same?
I'm not familiar with Recuva, but you should consider learning more about your tools and how they work.
- Are filenames and paths lost when you completely delete a file?
If by "completely delete", you mean that the file is no longer in the Recycle Bin, then I'd suggest that the answer is "maybe".
When you delete a file in NTFS, the MFT record is marked as not in use, and is therefore available to be overwritten. As long as the record is not overwritten, AND the sectors that comprise the file itself are not reused, you would be able to recover both the file and the full path.
If the file you deleted is resident (as opposed to non-resident) the same thing applies…with the exception that you won't have to follow the data runs.
- How are clusters allocated - first fit? Does this put all clusters in the beginning of disk thus allowing unallocated clusters to be overwritten?
I'm not sure that I understand your second question…sorry.
- How do you find out when a file was deleted?
It depends on how it was "deleted". If it was moved to the Recycle Bin, then
- There is no reliable Metadata from carved files. Correct?
Again, it depends on what you mean by "metadata".
If you're referring to the NTFS MFT record associated with a file, let's consider this by walking through the thought process. Let's say you delete a file, and through the course of time (sec, min, hours, etc.), part of it is overwritten and the MFT record for the file, which was marked as not in use when the file was deleted (ie, not sent to the Recycle Bin) is reused. Then you carve unallocated space, and recover a portion of the deleted file…what do you have available to you with respect to metadata?
HTH