$I metadata file missing from Recycle Bin

Samuel1
(@samuel1)
Posts: 63
Trusted Member
Topic starter
 

Do any of y'all know what it means when the $I metadata file is missing from the Recycle Bin? The data itself is still there, but not the metadata $I file.

Thanks everyone!

 
Posted : 25/06/2018 11:11 pm
(@mansiu)
Posts: 83
Trusted Member
 

What is the status of the $R file? Is it allocated or deleted?

 
Posted : 26/06/2018 5:48 am
(@mcman)
Posts: 189
Estimable Member
 

What tool(s) are you using to show this? I recall seeing it where the data was recovered by some tools but they would only display one of the files in the recycle bin. Can't remember which tool I saw it in but sounds familiar.

Check with another tool to see if it shows the same thing?

Jamie

 
Posted : 26/06/2018 1:26 pm
(@hommy0)
Posts: 98
Trusted Member
 

I have seen this most often when the recycle bin has been emptied. So that both the original file in the bin ($R) and the information file ($I) have been marked as deleted, and in normal usage of the file system the MFT record has become overwritten for the $I, and hence the forensic tool cannot identify the $I and hence the tool cannot give back the original name for the $R.

I know EnCase will give back the original name if both the $I and $R files are present in the recycle bin.

If the $I file is missing (using the example as above with the $I MFT record being overwritten), I would use the $USNJRNL to try to identify the original name of the $R.

 
Posted : 26/06/2018 3:05 pm
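The USN journal approach suggested in the last reply, as an added example that is not part of any post in this thread: when a file is sent to the Recycle Bin, NTFS logs a rename-old-name record carrying the original name and a rename-new-name record carrying the $R name, both with the same file reference number. The sketch assumes USN_RECORD_V2 records from an extracted `$UsnJrnl:$J` stream; the function names are hypothetical and the sample bytes are constructed.

```python
import struct

# Fixed 60-byte part of USN_RECORD_V2 (little-endian, no padding).
USN_V2_HEADER = struct.Struct("<IHHQQqqIIIIHH")
RENAME_OLD_NAME = 0x00001000  # USN_REASON_RENAME_OLD_NAME
RENAME_NEW_NAME = 0x00002000  # USN_REASON_RENAME_NEW_NAME
CLOSE = 0x80000000            # USN_REASON_CLOSE

def iter_usn_v2(buf):
    """Yield (file_ref, reason, name) for each USN_RECORD_V2 found in buf."""
    off = 0
    while off + USN_V2_HEADER.size <= len(buf):
        (length, major, _minor, fref, _parent, _usn, _ts, reason,
         _src, _sid, _attrs, name_len, name_off) = USN_V2_HEADER.unpack_from(buf, off)
        valid = (major == 2 and length >= USN_V2_HEADER.size
                 and off + length <= len(buf) and name_off + name_len <= length)
        if not valid:              # zero-filled sparse area or damage: resync
            off += 8
            continue
        raw = buf[off + name_off: off + name_off + name_len]
        yield fref, reason, raw.decode("utf-16-le", "replace")
        off += (length + 7) & ~7   # records are 8-byte aligned

def original_names(buf):
    """Map each $R name to the name the same MFT entry had before the rename."""
    pending, result = {}, {}
    for fref, reason, name in iter_usn_v2(buf):
        if reason & RENAME_OLD_NAME:
            pending[fref] = name
        elif (reason & RENAME_NEW_NAME and fref in pending
              and name.upper().startswith("$R")):
            result[name] = pending.pop(fref)
    return result

def make_record(fref, reason, name):
    """Build one constructed USN_RECORD_V2 for the demo (not real evidence)."""
    raw = name.encode("utf-16-le")
    length = (USN_V2_HEADER.size + len(raw) + 7) & ~7
    hdr = USN_V2_HEADER.pack(length, 2, 0, fref, 0, 0, 0, reason, 0, 0, 0x20,
                             len(raw), USN_V2_HEADER.size)
    return (hdr + raw).ljust(length, b"\0")

# Constructed sample: sparse zeros, one recycle operation, one unrelated rename.
SAMPLE = b"\0" * 16 + b"".join([
    make_record(0x0001000000000ABC, RENAME_OLD_NAME, "budget.xlsx"),
    make_record(0x0001000000000ABC, RENAME_NEW_NAME, "$RAB12CD.xlsx"),
    make_record(0x0001000000000ABC, RENAME_NEW_NAME | CLOSE, "$RAB12CD.xlsx"),
    make_record(0x0002000000000DEF, RENAME_OLD_NAME, "a.txt"),
    make_record(0x0002000000000DEF, RENAME_NEW_NAME, "b.txt"),
])

if __name__ == "__main__":
    print(original_names(SAMPLE))
```

This recovers only the leaf file name, and only while the relevant records have not yet been overwritten as the journal wraps.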