Greetings,
I have the Guidance Software knowledge base explanation of Lost Files, I've reproduced the results, and I understand the MFT process/Lost Files folder. My question is this: does the inclusion of a file in the Lost Files folder equate to a user purposefully deleting a/the file? There are quite a few files in the Lost Files folder from restore point files to my purposely deleted files… how does a file end up in the Lost Files folder if the user didn't delete the file?
My second question is this: can anyone provide documentation or a link to documentation which would 'prove' that EnCase creates the Lost Files folder as an automatic part of displaying the acquired drive? In other words, proving that the examiner didn't do any further or deeper analysis in order to coax or cause EnCase to create and produce the Lost Files folder.
Thanks for any help!
Lynita
This was posted by Jeffery Misner. I want to give credit for the source.
What is the Lost Files folder?
EnCase has a different method (compared to FAT) for recovering deleted files and folders with NTFS evidence files. When you add an NTFS Evidence file to EnCase, you will notice a folder added automatically to the evidence file in the case view called "Lost Files." In the MFT (Master File Table) in NTFS, all files and folders are marked as a folder or file, and are associated with a "parent."
Suppose you have a folder containing many files. Those files are its "children." For those files to become "lost," you delete them along with the folder itself. You then create a new folder. The entry in the MFT for the old folder is overwritten. So the original "parent" folder and its entry in the MFT are gone. But its "children," while deleted, have not been overwritten, and their entries are still in the MFT. EnCase can then tell what those files are, but there is no longer any record of what folder those files were in. Because of this, all those files (without parent folders anymore) are lumped into the "Lost Files" folder that EnCase creates and places in the Entries view so that you can see those files.
Note: There is no way you can see those deleted files without using specialized software like EnCase.
That is different from the recover folders feature, btw. Also note that Lost Files only appear for NTFS volumes since FAT does not work the same way.
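To make the parent mechanism described above concrete, here is an added Python model (my own sketch for this thread, not EnCase code and not from Jeffery Misner's post). NTFS stores each entry's parent as an MFT record number plus that record's sequence number, and the sequence number is bumped whenever a record is reused, so a child whose folder record was overwritten points at a parent that no longer matches. The MFT records below are constructed; the lost/not-lost decision depends only on whether the parent chain resolves to the root, not on whether or by whom the file itself was deleted.

```python
from dataclasses import dataclass

# Constructed sample, not a real $MFT: only the fields that matter for
# resolving an entry's parent are modelled.
@dataclass(frozen=True)
class MftRecord:
    record: int         # MFT record number
    seq: int            # sequence number, incremented each time the record is reused
    in_use: bool        # False = deleted but not yet overwritten
    is_dir: bool
    name: str
    parent_record: int  # parent directory's record number ...
    parent_seq: int     # ... and the parent's sequence number when this entry was linked

ROOT = 5  # the NTFS root directory always occupies MFT record 5

SAMPLE_MFT = [
    MftRecord(5, 5, True, True, "", 5, 5),
    MftRecord(40, 1, True, True, "Users", 5, 5),
    MftRecord(41, 1, True, False, "notes.txt", 40, 1),
    MftRecord(42, 1, False, False, "draft.txt", 40, 1),   # deleted, parent still intact
    # record 50 held folder "Old" (seq 1); it was deleted and reused for "New" (seq 2)
    MftRecord(50, 2, True, True, "New", 5, 5),
    MftRecord(51, 1, False, False, "a.doc", 50, 1),       # children of the overwritten folder
    MftRecord(52, 1, False, False, "b.doc", 50, 1),
    # record 60 (a removed restore-point folder) is no longer in the table at all
    MftRecord(61, 1, False, False, "RP12.log", 60, 1),
]

def classify(records):
    """Map record number -> (path, state). An entry whose parent chain cannot be
    walked to the root lands under 'Lost Files'; its own live/deleted state is
    reported separately because the two facts are independent."""
    by_rec = {r.record: r for r in records}
    out = {}
    for r in records:
        if r.record == ROOT:
            continue
        parts, cur, seen, lost = [r.name], r, set(), False
        while cur.parent_record != ROOT:
            parent = by_rec.get(cur.parent_record)
            # parent missing, reused (sequence mismatch), not a directory, or a loop
            if (parent is None or parent.seq != cur.parent_seq
                    or not parent.is_dir or parent.record in seen):
                lost = True
                break
            seen.add(parent.record)
            parts.append(parent.name)
            cur = parent
        path = "Lost Files/" + r.name if lost else "/".join(reversed(parts))
        out[r.record] = (path, "live" if r.in_use else "deleted")
    return out

def lost_files(records):
    """Names of entries that ended up in the synthetic 'Lost Files' folder."""
    return sorted(path.split("/", 1)[1] for path, _ in classify(records).values()
                  if path.startswith("Lost Files/"))
```

Note that draft.txt was deleted by the user yet stays under Users, while RP12.log is lost only because its restore-point folder vanished.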
Even though this explanation wasn't yours, I still wanted to thank you for posting an excellent reference on this particular topic.
Jeff