Do any of y'all know what it means when the $I metadata file is missing from the Recycle Bin? The data itself is still there, but not the metadata $I file.

Posted : 26/06/2018 12:11 am
What is the status of the $R file? Is it allocated or deleted?

Posted : 26/06/2018 6:48 am
What tool(s) are you using to show this? I recall seeing it where the data was recovered by some tools but they would only display one of the files in the recycle bin. Can't remember which tool I saw it in, but it sounds familiar.

Check with another tool to see if it shows the same thing?


Posted : 26/06/2018 2:26 pm
I have seen this most often when the recycle bin has been emptied, so that both the original file in the bin ($R) and the information file ($I) have been marked as deleted. In normal usage of the file system the MFT record for the $I has become overwritten, hence the forensic tool cannot identify the $I and cannot give back the original name for the $R.

I know EnCase will give back the original name if both the $I and $R files are present in the recycle bin.

If the $I file is missing (using the example above, with the $I MFT record being overwritten) I would use the $USNJRNL to try to identify the original name of the $R.

Posted : 26/06/2018 4:05 pm
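To illustrate what is lost when the $I is gone, here is an added example (not from any poster in this thread) that parses the commonly documented $I layout and pairs each $R file with its $I by the shared name suffix, reporting orphaned $R entries. The file names, path and timestamp in the sample listing are constructed, and the function names are hypothetical.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def parse_i_file(data):
    """Parse a $I record: version, original size, deletion time, original path."""
    if len(data) < 28:
        raise ValueError("truncated $I record")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                      # Vista to 8.1: fixed 520-byte path field
        raw = data[24:24 + 520]
    elif version == 2:                    # Windows 10: length-prefixed path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    deleted = EPOCH_1601 + timedelta(microseconds=filetime // 10)
    return {"version": version, "size": size, "deleted": deleted, "path": path}

def pair_entries(listing):
    """Map each $R name to its parsed $I record, or None when the $I is missing.

    listing: dict of file name -> bytes for one SID folder ($R contents are
    not needed here, so they may be empty).
    """
    pairs = {}
    for name in listing:
        if name.upper().startswith("$R"):
            blob = listing.get("$I" + name[2:])
            pairs[name] = parse_i_file(blob) if blob else None
    return pairs

def build_sample_i(path, size, deleted):
    """Build a constructed version-2 record, for demonstration only."""
    filetime = ((deleted - EPOCH_1601) // timedelta(microseconds=1)) * 10
    name = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, filetime, len(path) + 1) + name

SAMPLE = {  # constructed listing: one intact pair, one orphaned $R
    "$RAB12CD.docx": b"",
    "$IAB12CD.docx": build_sample_i(r"C:\Users\test\Desktop\report.docx", 20480,
                                    datetime(2018, 6, 25, 9, 30, tzinfo=timezone.utc)),
    "$RZZ99YY.pdf": b"",
}

if __name__ == "__main__":
    for r_name, rec in pair_entries(SAMPLE).items():
        print(r_name, "->", rec["path"] if rec else "no $I: original name unknown")
```

For an orphaned $R, the remaining name suffix and extension are the values to search for in other artifacts such as the change journal mentioned above.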
