How can we search for deleted file without aquiring the whole drive?
In FTK is possible. but in Encase i dont see how!!!!
Is the examination media a physical drive or a forensics image?
Usually you can find the deleted files that EnCase recognizes by just clicking the green homeplate at the top of the evidence item, then clicking on the filters option in the lower right window, then applying the "Deleted Files" filter. This limits the display to the deleted files. The other common way to find files that don't show up that way is to click on the EnScript tab in the lower right window, selecting the "Case Processor" and under the Information Finders, select File Finder. I'm sure there are other ways, but those are two common ones.
Hope that helps a little. If not, give me a few more details, and I'll try to figure it out for you. I'm predominately an FTK user, but I try to keep my skill up with the other forensic tools as well.
Hi this is probably slight off from the topic, wat i'm trying to achieve here is to search and recover all deleted programs in unallocated cluster. I've green select the drive and run query with filter only deleted files and with condition executable files. Im not sure by doing the above whether the query accounts all deleted programs in unallocated cluster. FYI im using Encase 6.10, thanks in advance
Greetings,
Go to Enscript (bottom right), select Case Processor under the Forensic folder, select File Finder, select the types of files you want to find or add your own signatures, select whatever other options you want, click OK, select the checkbox for File Finder, click OK, let it run.
-David