All,
I need to acquire just a user directory/folder under windows, with all the associated files both deleted/slackspace and allocated. I do not want to image the entire drive since all I am interested in is the "c\documents & setting." Logical acquisition using FTK won't give me the data in slack space deleted by the user. Is there any way to recover files deleted by a user without imaging the whole disk? Are there tools that can do this?
Sorry for this question. In theory, I don't think it is possible to recover deleted files, without a full-blown drive acquisition. Then again, I want to be absolutely sure.
Thanks in advance – ii (i2
I may be being dense now, but I don't see how you can logically acquire a folder and expect to get the slack space and deleted files, as logically the deleted files could be scattered across the entire physical hard disk.
I don't believe that there are any tools which can do this, unless you just run an undelete program on the PC itself, but I wouldn't recommend that.
Though I imagine such a tool would have to scan the MFT, find files which have been flagged as deleted, and run a "boolean if file was located within <file path> then include in logical image". Obviously orphan files would never be included, due to their nature of existence.
Though I look forward to someone correcting me, as it's been a long day and I imagine I've missed something really obvious (more obvious than the spelling mistakes).
Would be a cool project for a final year MSc student.
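The selection logic sketched in that post, as an added illustration rather than code from any poster or tool: a constructed MFT-style table (record numbers, names and sequence values are made up, and this is a model, not a real NTFS parser) where deleted entries are kept only if their parent chain still resolves under the target folder, and orphans whose parent record has been reused drop out.

```python
from dataclasses import dataclass
ROOT = 5  # record number NTFS uses for the root directory

@dataclass(frozen=True)
class MftRecord:
    number: int
    seq: int           # bumped each time this record slot is reused
    name: str
    parent_ref: tuple  # (parent record number, parent seq when this was written)
    is_dir: bool
    in_use: bool       # False: flagged deleted, but the entry is still in the table

def resolve_path(rec, table):
    """Walk parent refs to root; None if an ancestor is gone or reused (orphan)."""
    parts, cur = [], rec
    while cur.number != ROOT:
        parts.append(cur.name)
        pnum, pseq = cur.parent_ref
        parent = table.get(pnum)
        if parent is None or parent.seq != pseq or not parent.is_dir:
            return None
        cur = parent
    return "\\".join(reversed(parts))

def select_folder(table, target):
    """Bucket file records under target as allocated or deleted; orphans kept apart."""
    out = {"allocated": [], "deleted": [], "orphans": []}
    prefix = target.rstrip("\\") + "\\"
    for rec in table.values():
        if rec.is_dir:
            continue
        path = resolve_path(rec, table)
        if path is None:
            if not rec.in_use:
                out["orphans"].append(rec.name)
        elif path.startswith(prefix):
            out["allocated" if rec.in_use else "deleted"].append(path)
    return {k: sorted(v) for k, v in out.items()}

# Constructed sample: record 50 was reused (seq now 2), so record 44 is orphaned.
SAMPLE = {r.number: r for r in [
    MftRecord(5, 5, ".", (5, 5), True, True),
    MftRecord(30, 1, "Documents and Settings", (5, 5), True, True),
    MftRecord(31, 1, "alice", (30, 1), True, True),
    MftRecord(50, 2, "cache", (5, 5), True, True),
    MftRecord(40, 2, "report.doc", (31, 1), False, False),
    MftRecord(41, 1, "notes.txt", (31, 1), False, True),
    MftRecord(42, 3, "old.xls", (31, 1), False, False),
    MftRecord(44, 1, "temp.dat", (50, 1), False, False),
]}
```

Even where a deleted entry resolves, its clusters may already be overwritten or lie anywhere on the disk, which is why the table alone cannot substitute for a full image.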
EnCase v6 Logical Evidence Files: "These let you selectively choose exactly which files or folders you want to preserve, instead of acquiring the entire drive. Unlike copying files from a device and altering critical metadata, logical evidence preserves the original files as they existed on the media and includes a wealth of additional information such as file name, file extension, last accessed, file created, last written, entry modified, logical size, physical size, MD5 hash value, permissions, starting extent and original path of the file."
If you were hoping to recover an item which may currently reside in slack space you cannot limit yourself to just the files/folders within a specified folder because they may exist in the slack space of a file which is located in some other folder on the drive now.
If you're just looking to undelete some files, you don't necessarily have to perform a full acquisition of the drive. A network preview using EnCase or booting up into Helix or BartPE w/ a file recovery plug-in would be enough to do some scans for the file(s) in question. Then simply recover them to a USB flash drive and ta-da! The files have been undeleted in a forensically sound manner without having to perform any imaging.
Jeff