$I metadata file missing from Recycle Bin  

Samuel1
(@samuel1)
Member

Do any of y'all know what it means when the $I metadata file is missing from the Recycle Bin? The data itself is still there, but not the metadata $I file.

Thanks everyone!

Posted : 26/06/2018 12:11 am
mansiu
(@mansiu)
Member

What is the status of the $R file? Is it allocated or deleted?

Posted : 26/06/2018 6:48 am
mcman
(@mcman)
Active Member

What tool(s) are you using to show this? I recall seeing it where the data was recovered by some tools but they would only display one of the files in the recycle bin. Can't remember which tool I saw it in but sounds familiar.

Check with another tool to see if it shows the same thing?

Jamie

Posted : 26/06/2018 2:26 pm
hommy0
(@hommy0)
Member

I have seen this most often when the recycle bin has been emptied, so that both the original file in the bin ($R) and the information file ($I) have been marked as deleted, and in normal usage of the file system the MFT record for the $I has been overwritten. Hence the forensic tool cannot identify the $I, and hence the tool cannot give back the original name for the $R.

I know EnCase will give back the original name if both the $I and $R files are present in the recycle bin.

If the $I file is missing (using the example above, with the $I MFT record being overwritten), I would use the $USNJRNL to try to identify the original name of the $R.

Posted : 26/06/2018 4:05 pm
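
Added example, not part of any post in this thread: a Python sketch of the $R/$I pairing discussed above. It decodes a $I record (assuming the Vista-and-later layout: 8-byte version, 8-byte original size, 8-byte FILETIME, then the UTF-16LE original path) and flags $R entries in a listing that have no matching $I. The file names, path and timestamp are constructed sample data.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_i_file(data: bytes) -> dict:
    """Decode a $I record: format version, original size, deletion time, original path."""
    if len(data) < 28:
        raise ValueError("too short to be a $I record")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:      # fixed 520-byte UTF-16LE path field
        raw = data[24:544]
    elif version == 2:    # 4-byte character count, then the UTF-16LE path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unexpected $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    deleted = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"version": version, "size": size, "deleted": deleted, "path": path}

def pair_bin_entries(names):
    """Map each $R name to its $I partner, or None when the $I is not listed."""
    present = {n.upper() for n in names}
    pairs = {}
    for name in names:
        if name.upper().startswith("$R"):
            partner = "$I" + name[2:]
            pairs[name] = partner if partner.upper() in present else None
    return pairs

def build_sample_i(path: str, size: int, deleted: datetime) -> bytes:
    """Build a constructed version 2 $I record for the demonstration."""
    filetime = ((deleted - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    header = struct.pack("<QQQI", 2, size, filetime, len(path) + 1)
    return header + (path + "\x00").encode("utf-16-le")

# Constructed sample data, not taken from the thread.
SAMPLE_DELETED = datetime(2018, 6, 25, 21, 3, 7, tzinfo=timezone.utc)
SAMPLE_I = build_sample_i(r"C:\Users\analyst\Documents\report.docx", 18432, SAMPLE_DELETED)
SAMPLE_LISTING = ["$RA1B2C3.docx", "$IA1B2C3.docx", "$RZ9Y8X7.pdf", "desktop.ini"]

if __name__ == "__main__":
    print(parse_i_file(SAMPLE_I))
    for r_name, i_name in pair_bin_entries(SAMPLE_LISTING).items():
        print(r_name, "->", i_name or "no $I: original name must come from elsewhere")
```

An $R entry that maps to `None` is the case raised in the thread, where the original name has to be recovered from another source.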