Hi
My colleague has a case where an HDD has been formatted and everything is in unallocated clusters. Is there any way for us to find out when the HDD was formatted? Recycled and system volume info folders are still present.
Cheers
Depends on what operating system (if any) existed on the disk beforehand. So your first priority would be to answer this question, and then when you know that bit of info you need to think about what sort of places would have stored times and dates. If they exist, the last entry in system event logs would be a good place to start.
It's an LBA EXT partition
Cloudy,
If you have an NTFS formatted partition now you could reasonably expect the dates and times of the internal files will be your format date.
These dates and times will be based on the system clock of the computer the drive is in but of course it could be the drive was formatted by another machine and put in this one. Or is it a loose drive? Even worse.
You could dig a lot deeper and look for embedded dates and times within files in unallocated space (if any exist) and indicate it must have been after all of these dates.
There is still so much more you could do. Jonathan mentions recovering log files for example. It all depends on how important it is to establish the likely date of format. In more than 200 criminal cases I've never been required to establish the date a partition was formatted.
If this is a theoretical question then the answer is: there is no simple 100% certain way of determining the exact date. Given the factors to consider you might say there is no complicated 100% certain way either.
Steve
My initial thought is if "everything" is in unallocated, it hasn't been formatted, but fdisked.
Edit: oops, I didn't see the remaining files. Sorry. Are you sure it's an EXT partition? I've never seen a recycled folder on one. At least as part of the filesystem anyway. As was said before by a previous poster, you could get the date created of the mandatory file system files to get a general idea. But also as was said before, this is relative to the system time of the machine that formatted it.
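Steve's suggestion about the dates of the internal files and the last post's suggestion about the creation date of the mandatory file system files, as an added example that is not part of the original thread: on an NTFS volume those dates sit in the $STANDARD_INFORMATION attribute of the metadata files' MFT records, for instance record 0 ($MFT). The function names and the sample record are constructed for illustration, and the input is assumed to be one raw 1024-byte FILE record extracted from an image.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
SI_TYPE, END_MARKER = 0x10, 0xFFFFFFFF  # $STANDARD_INFORMATION, end of attributes
FIELDS = ("created", "modified", "mft_changed", "accessed")

def filetime_to_utc(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def si_timestamps(record):
    """Return the four $STANDARD_INFORMATION times of one raw MFT FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    (off,) = struct.unpack_from("<H", record, 20)        # offset of first attribute
    while off + 24 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END_MARKER or alen == 0:
            break
        if atype == SI_TYPE and record[off + 8] == 0:    # resident attribute
            (content_off,) = struct.unpack_from("<H", record, off + 20)
            times = struct.unpack_from("<4Q", record, off + content_off)
            return dict(zip(FIELDS, map(filetime_to_utc, times)))
        off += alen
    raise ValueError("no resident $STANDARD_INFORMATION attribute")

def build_sample_record(when):
    """Constructed 1024-byte record with only the fields the parser reads."""
    ft = (when - EPOCH_1601) // timedelta(microseconds=1) * 10
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 20, 56)                  # first attribute at 0x38
    struct.pack_into("<IIB", rec, 56, SI_TYPE, 96, 0)    # type, length, resident
    struct.pack_into("<IH", rec, 72, 72, 24)             # content size, content offset
    struct.pack_into("<4Q", rec, 80, ft, ft, ft, ft)
    struct.pack_into("<I", rec, 152, END_MARKER)
    return bytes(rec)

if __name__ == "__main__":
    sample = datetime(2009, 3, 14, 10, 30, tzinfo=timezone.utc)  # constructed value
    for name, ts in si_timestamps(build_sample_record(sample)).items():
        print(f"{name:12} {ts.isoformat()}")
```

The times come out in UTC and reflect the clock of whichever machine wrote the record.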