Do any of y'all know what it means when the $I metadata file is missing from the Recycle Bin? The data itself is still there, but not the metadata $I file.
Thanks everyone!
What is the status of the $R file? is it allocated or deleted?
What tool(s) are you using to show this? I recall seeing it where the data was recovered by some tools but they would only display one of the files in the recycle bin. Can't remember which tool I saw it in but sounds familiar.
Check with another tool to see if it shows the same thing?
Jamie
I have seen this most often when the recycle bin has been emptied. So that both the original file in the bin($R) and the information file ($I) have been marked as deleted and in normal usage of the file system the MFT record has become overwritten for the $I and hence the forensic tool cannot identify the $I and hence the tool cannot give back the original name for the $R.
I know EnCase will give back the original name if both $I and $R file are present in the recycle bin.
If the $I file is missing (using the example as above with the $I mft record being over written) I would use the $USNJRNL to try to identify the original name of the $R