I have a forensic image of a Windows 10 machine from which a former employee's User Directory was deleted.
The former employee is now the subject of an investigation, so I am attempting to recover the deleted User Directory.
I am running IEF and Forensic Explorer on the forensic image now and carving for deleted folders and files.
QUESTION
Is there some location in the Windows Registry or elsewhere which would indicate the start and end sector for the now deleted User Directory?
I am hoping I could just "bulk carve" the sectors on the drive image where the deleted User Directory resided.
You should follow these simple steps to recover files and folders:
1. Perform data recovery on the forensic image
a. The deleted or lost files and folders will be available for recovery.
2. Perform Data Carving to extract specific file formats
a. Data Carving should always be performed on the unallocated clusters, as after deletion the files are removed from the Master File Table. They exist in the unallocated space. Data recovery would be able to recover complete files or folders. Data carving can find bits and pieces of the files even if the data was overwritten.
Recommendation
Upgrade to Magnet AXIOM, the upgraded version of IEF.
It will recover and carve data. It also arranges them in the form of artifacts and a file explorer.
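
Added example, not part of the original posts: for a file recovered in step 1 whose Master File Table record is still readable, the run list in its non-resident $DATA attribute gives the cluster extents, which is the "start and end sector" information the question asks about. The sketch below decodes such a run list into sector ranges on the image. The function names, the sample run list, the 8 sectors per cluster and the partition start at sector 2048 are all constructed assumptions.

```python
# Added example: decode an NTFS non-resident data-run list into sector extents.
# The sample bytes and the volume geometry below are constructed for illustration.

def decode_runlist(raw: bytes):
    """Return [(start_lcn, cluster_count), ...]; start_lcn is None for a sparse run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(raw) and raw[pos] != 0x00:       # a 0x00 header ends the list
        header = raw[pos]
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError("truncated or corrupt run list")
        count = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:                             # sparse run: nothing on disk
            runs.append((None, count))
            continue
        # The offset is signed and relative to the previous run's starting LCN.
        lcn += int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
        pos += off_size
        if lcn < 0:
            raise ValueError("run points before the start of the volume")
        runs.append((lcn, count))
    return runs

def runs_to_sectors(runs, sectors_per_cluster, partition_start_sector=0):
    """Convert cluster runs to inclusive (first_sector, last_sector) image ranges."""
    ranges = []
    for lcn, count in runs:
        if lcn is None or count == 0:
            continue                                  # sparse runs occupy no sectors
        first = partition_start_sector + lcn * sectors_per_cluster
        ranges.append((first, first + count * sectors_per_cluster - 1))
    return ranges

# Constructed run list: 24 clusters at LCN 22068, then 16 clusters 16 LCNs
# earlier (fragmented, negative offset), then an 8-cluster sparse run.
SAMPLE_RUNLIST = bytes.fromhex("21 18 34 56 11 10 F0 01 08 00")

if __name__ == "__main__":
    extents = decode_runlist(SAMPLE_RUNLIST)
    for first, last in runs_to_sectors(extents, sectors_per_cluster=8,
                                       partition_start_sector=2048):
        print(f"sectors {first}-{last} ({last - first + 1} sectors)")
```

Files whose MFT records have been reused have no run list left to decode, so their content can only be reached by carving unallocated space as described in step 2.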