I can't seem to find a folder and some files I deleted from my Recycle Bin in FTK Imager. They were deleted from a folder on the C drive. Does anybody have any suggestions or advice on how to find these in FTK?
As its name suggests FTK Imager's primary purpose is imaging. Sure, you can open or mount an image and look at the file structures it contains, but you'll need to use other tools to do data recovery or analytic work.
Based on what you've shared, it's likely that the MFT records (assuming NTFS) have already been overwritten. This could very likely be the case, as Windows systems can be extremely "noisy", even when apparently sitting idle…
If the drive has not been used, a recovery program stands a good chance of finding your deleted files.
Also allow for the case that the directory has been overwritten, but the files still 'exist' as orphan files. I often do a scan of ALL MFT entries and then recreate partial directories when parent nodes are missing.
If standard recovery does not find what you want, you can always try data carving.
Hey, I searched just about everywhere on FTK Imager including the [orphan] part and even downloaded another recovery software called Pandora Recovery, ran a scan on that and still couldn't find it. So, I'm just gonna assume it has been overwritten.
Thanks for all of your suggestions, they are much appreciated.
I'm not exactly sure what process Pandora Recovery uses, but just because you aren't seeing the files in FTK Imager doesn't necessarily mean that the content has been overwritten. Like the others mentioned, it sounds like the MFT records have been overwritten. Your best option here may be to try data carving if you need to recover the files.
There are a number of tools you could use (foremost, scalpel) but the easiest to use is photorec which is part of the
Paul
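Data carving, as suggested above, ignores the (possibly overwritten) MFT entirely and looks for known file headers and footers in the raw bytes of the image. The following is an added example of that technique and is not code from the thread or from foremost, scalpel or photorec: a minimal header/footer carver for JPEG and PNG, run over a constructed byte string standing in for a disk image. Signature table, size cap and sample data are assumptions chosen for illustration.

```python
import mmap
from dataclasses import dataclass

# Carving signatures: kind -> (header magic, footer magic). Constructed for the example;
# real carvers ship hundreds of these and also handle footer-less formats by size.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}
MAX_SIZE = 50 * 1024 * 1024  # assumed cap: give up on a header with no footer within 50 MiB


@dataclass
class Carved:
    kind: str      # signature name, e.g. "jpg"
    offset: int    # byte offset of the header in the image
    data: bytes    # header..footer inclusive


def carve(raw, signatures=SIGNATURES, max_size=MAX_SIZE):
    """Scan raw image bytes (bytes or mmap) for header/footer pairs.

    No filesystem metadata is consulted, which is exactly why carving still works
    after the MFT record for a file has been reused.
    """
    results = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = raw.find(header, pos)
            if start == -1:
                break
            window_end = min(len(raw), start + max_size)
            end = raw.find(footer, start + len(header), window_end)
            if end == -1:
                # Header with no footer in range (truncated or overwritten file): skip it.
                pos = start + 1
                continue
            end += len(footer)
            results.append(Carved(kind, start, bytes(raw[start:end])))
            pos = end  # resume after the carved file, not inside it
    results.sort(key=lambda c: c.offset)
    return results


def carve_image_file(path, signatures=SIGNATURES, max_size=MAX_SIZE):
    """Carve a raw (dd-style) image on disk without loading it into memory."""
    with open(path, "rb") as fh:
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mapped:
            return carve(mapped, signatures, max_size)


def build_sample_image():
    """Constructed 'disk' content: zero filler, a tiny JPEG-like blob, a PNG-like blob,
    and a JPEG header whose body was never completed (should not be carved)."""
    filler = b"\x00" * 64
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-chunk-data" + b"IEND\xae\x42\x60\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"no-footer-here"
    return filler + jpeg + filler + png + filler + truncated


if __name__ == "__main__":
    for c in carve(build_sample_image()):
        print(f"{c.kind} at offset {c.offset}, {len(c.data)} bytes")
```

A carver of this shape recovers contiguous files only; a fragmented file will come back with foreign data spliced in, and a file whose clusters were genuinely reused is simply gone, which is the situation the earlier replies describe.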
I'm going to make a few assumptions before offering up some advice.
1) I'm assuming you're using Windows Vista or 7
2) I'm also going to assume that the file you're hoping to recover was a file from the local machine and at one time existed on your local hard drive and not a network drive or attached device
If those assumptions are correct you may be able to recover the file using a Volume Shadow Copy mounted to the root of your C drive.
Start by running the command prompt as Administrator. Then type vssadmin list shadows
This should bring up a list of Volume Shadow Copies (formerly known as Restore Points in XP).
Look at the created dates for each one and try to find one just BEFORE the file was deleted. If you find one close in time, remember the number.
Then type this:
mklink /d C:\FileName \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\
In the above command, REPLACE "FileName" with a name of your choice. This will be the folder name that will show up on the root of your C drive. Also, REPLACE the "X" after VolumeShadowCopy with the number of the shadow copy you noted to be just before the file was deleted.
This command will mount the VSC to your C drive and you can then navigate to where the file existed previously to recover the deleted file or folder. This can all be done without the use of any forensic tools, but it's also applicable in forensics as a way to mount your target's image file and browse around in their VSC's. I've recovered some very useful evidence this way.
Hope this helps.
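The fiddly step in the procedure above is matching a shadow copy's creation time against the time of the deletion and reading the right HarddiskVolumeShadowCopy number off the vssadmin output. As an added example, not part of the post, here is a small script that parses `vssadmin list shadows` output, picks the newest shadow copy of the target volume created before the deletion time, and prints the exact mklink command to run. The sample output is constructed to mimic the layout of vssadmin's listing; the date format is assumed to be the US-English one shown, and the `vsc` link name is a placeholder.

```python
import re
import subprocess
from dataclasses import dataclass
from datetime import datetime

# Assumed timestamp format, as printed by vssadmin on an en-US system (locale-dependent).
VSS_TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"

# Constructed sample output, three shadow copies (two of C:, one of D:).
SAMPLE_VSSADMIN_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 3/1/2014 9:05:12 AM
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{cccccccc-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Type: ClientAccessible

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 1 shadow copies at creation time: 3/4/2014 8:30:00 PM
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (C:)\\?\Volume{cccccccc-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Type: ClientAccessible

Contents of shadow copy set ID: {33333333-3333-3333-3333-333333333333}
   Contained 1 shadow copies at creation time: 3/5/2014 7:00:00 AM
      Shadow Copy ID: {dddddddd-dddd-dddd-dddd-dddddddddddd}
         Original Volume: (D:)\\?\Volume{dddddddd-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Type: ClientAccessible
"""


@dataclass
class ShadowCopy:
    index: int          # the X in HarddiskVolumeShadowCopyX
    device: str         # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX
    volume: str         # drive letter of the original volume, e.g. "C:"
    created: datetime


def parse_vssadmin(text, time_format=VSS_TIME_FORMAT):
    """Turn `vssadmin list shadows` output into ShadowCopy records."""
    copies, created, volume = [], None, None
    for line in text.splitlines():
        m = re.search(r"creation time: (.+)$", line)
        if m:
            created = datetime.strptime(m.group(1).strip(), time_format)
            continue
        m = re.search(r"Original Volume: \(([A-Za-z]:)\)", line)
        if m:
            volume = m.group(1).upper()
            continue
        m = re.search(r"Shadow Copy Volume: (\S+?HarddiskVolumeShadowCopy(\d+))", line)
        if m and created is not None and volume is not None:
            copies.append(ShadowCopy(int(m.group(2)), m.group(1), volume, created))
    return copies


def pick_shadow_before(copies, volume, deleted_at):
    """Newest shadow copy of `volume` taken at or before `deleted_at`, or None."""
    candidates = [c for c in copies if c.volume == volume.upper() and c.created <= deleted_at]
    return max(candidates, key=lambda c: c.created, default=None)


def mklink_command(copy, link_name):
    # The trailing backslash on the device path is required for mklink /d.
    return f"mklink /d {link_name} {copy.device}\\"


def list_live_shadow_copies():
    """Run vssadmin on a live Windows host (needs an elevated prompt)."""
    out = subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True, check=True)
    return parse_vssadmin(out.stdout)


if __name__ == "__main__":
    copies = parse_vssadmin(SAMPLE_VSSADMIN_OUTPUT)
    best = pick_shadow_before(copies, "C:", datetime(2014, 3, 5, 10, 0, 0))
    print(mklink_command(best, r"C:\vsc") if best else "no shadow copy predates the deletion")
```

Feed `list_live_shadow_copies()` into `pick_shadow_before` on the affected machine, or paste a captured listing into `parse_vssadmin` when working from an image. Shadow copies are differential, so a copy that predates the deletion holds the file's clusters as they were at that time, independent of what has since happened to the live MFT.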