Hi,
Very new to the world of digital forensics so apologies if this is an obvious question…
I'm currently working on a system where the user has deleted a .jpg file. The $I metadata file appears within the recycle bin but there is no $R file. The .jpg also has three different $I files within the recycle bin with different deletion dates. The .jpg was deleted from the same location so I assume the user restored the image before deleting it again.
Why would there be $I files but no $R files? There are $R files for other deleted files.
Thanks
There could potentially be a number of reasons for what you're seeing…have you created a timeline of system activity? If so, did it show you anything of interest?
Perhaps try to carve the recycle bin and/or MFT to recover the "missing" $R file.
Is it possible the JPG file was restored, meaning it is currently NOT in a deleted state, before you imaged the computer? This might explain why there is no $R file.
A low tech option but if you have VFC (or know how to do it manually) you could boot a virtual version of the machine and go look in the recycle bin.
Thanks for the replies.
NathanC - Sorry, should have said in my initial post, I've checked the Recycle Bin in VMWare and the original file is not there.
UnallocatedClusters - I have the full system image. The only mention of these files is the $I files within the recycle bin.
I'll take a look at the timeline of events.
Thanks
Just thought I'd report back on this in case anyone else comes across the same thing in the future.
Following some testing on the system, it would appear that restoring the file from the Recycle Bin removed the $R but left the $I behind. So in this case the person had deleted the file three times and restored it three times, which created the three $I. On the fourth deletion, the user deleted the file from his Recycle Bin, which also removed the $I.
Windows 8 machine.
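As an added illustration of the $I/$R pairing discussed in this thread (this is example code, not something posted by anyone above): the script below parses $I records and flags $I entries that have no matching $R, which is the "restored, then $I left behind" pattern described in the last post. It uses the version-1 $I layout that Vista/7/8/8.1 write (8-byte header value 1, 8-byte original size, 8-byte FILETIME deletion timestamp, 520-byte UTF-16LE original path) and, going a step beyond the Windows 8 case on the page, also handles the version-2 layout Windows 10 introduced (4-byte character count followed by the path). The $I/$R names, paths, sizes and timestamps in the sample are constructed for the example and are not evidence from the original system.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520  # MAX_PATH (260) UTF-16LE code units, NUL-terminated


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_i_file(data):
    """Parse one $I record. Version 1 = Vista/7/8/8.1 (fixed 520-byte path);
    version 2 = Windows 10 and later (4-byte char count, then the path)."""
    if len(data) < 24:
        raise ValueError("truncated $I record")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_BYTES]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted_at": filetime_to_datetime(ft), "path": path}


def build_v1_i_file(path, size, deleted_at):
    """Construct a version-1 $I record; used only to build the constructed sample below."""
    name = path.encode("utf-16-le")[:V1_PATH_BYTES - 2].ljust(V1_PATH_BYTES, b"\x00")
    return struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted_at)) + name


def pair_recycle_entries(listing):
    """Map each $I name to its $R partner (same random suffix after $I/$R) or None."""
    names = set(listing)
    return {n: ("$R" + n[2:] if "$R" + n[2:] in names else None)
            for n in sorted(names) if n.startswith("$I")}


def orphaned_i_files(listing):
    """$I records with no $R: the file was restored (or the $R is otherwise gone)."""
    return sorted(i for i, r in pair_recycle_entries(listing).items() if r is None)


def deletion_history(i_files, listing):
    """Per original path: (deletion time, $R present?) tuples in time order."""
    pairs = pair_recycle_entries(listing)
    history = {}
    for name, data in i_files.items():
        rec = parse_i_file(data)
        history.setdefault(rec["path"], []).append((rec["deleted_at"], pairs.get(name) is not None))
    return {p: sorted(v) for p, v in history.items()}


# Constructed sample mirroring the thread: three $I for one JPG and no $R for any of them,
# plus one unrelated document that still has its $R.
PHOTO = "C:\\Users\\user\\Pictures\\holiday.jpg"
UTC = timezone.utc
SAMPLE_I_FILES = {
    "$IA1B2C3.jpg": build_v1_i_file(PHOTO, 2_457_600, datetime(2014, 3, 5, 9, 12, 0, tzinfo=UTC)),
    "$ID4E5F6.jpg": build_v1_i_file(PHOTO, 2_457_600, datetime(2014, 3, 6, 17, 45, 30, tzinfo=UTC)),
    "$IG7H8I9.jpg": build_v1_i_file(PHOTO, 2_457_600, datetime(2014, 3, 9, 11, 3, 15, tzinfo=UTC)),
    "$IJ0K1L2.docx": build_v1_i_file("C:\\Users\\user\\Documents\\notes.docx", 14_230,
                                     datetime(2014, 3, 8, 8, 0, 0, tzinfo=UTC)),
}
SAMPLE_LISTING = list(SAMPLE_I_FILES) + ["$RJ0K1L2.docx"]

if __name__ == "__main__":
    for path, events in deletion_history(SAMPLE_I_FILES, SAMPLE_LISTING).items():
        print(path)
        for ts, has_r in events:
            print(f"  deleted {ts:%Y-%m-%d %H:%M:%S} UTC  $R present: {has_r}")
```

On a real image you would read the $I files from `$Recycle.Bin\<SID>\` and pass the directory listing to `orphaned_i_files`; a path with several $I timestamps and no $R, as printed here for the JPG, is exactly the delete/restore cycle the thread ends on, and the $I timestamps give you the deletion times to line up against the rest of the timeline.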