Is there a $MFT explaination

cfprof
(@cfprof)
Trusted Member
Joined: 20 years ago
Posts: 80
 

Forgive me if I've misunderstood the issue here, but let me ask a dumb question

Can you see the data runs in the MFT record?


   
Wardy
(@wardy)
Estimable Member
Joined: 20 years ago
Posts: 149
 

I have to admit my shortcomings when it comes to the $MFT. What I am looking to do is recover a .mpg video clip from a hard drive image (E01). The suspect admitted to me that it was downloaded via LimeWire and he had deleted it when his wife found it.

I am using EnCase (v5.05f). I found an entry in the $MFT for the file. Now what?

I have tried carving for .mpg files, but I get mp3, files that don't load, etc. The carve actually revealed thousands of files. I really don't have years to sift through it all.

Is there a resource somewhere that explains finding and recovering a file via the $MFT?

Thanks in advance.

Kevin

Kevin,

have you considered the file no longer exists?

When you delete a file, it is possible its space on the HDD is taken up by another file while the entry has yet to be overwritten. This will give you the name within the MFT but obviously no data.
It's kinda like a reversal of how images become unallocated, i.e. the MFT entry is overwritten but not the data; instead the MFT is good, but the data is overwritten.


   
(@crutey)
Eminent Member
Joined: 19 years ago
Posts: 32
 

If the file exists then EnCase should be listing it in the file view. In fact, if the file is deleted and has been overwritten EnCase will still list it, unless the parent folder has been removed and its MFT entry is no longer available or is orphaned from the filesystem tree.

Have you tried running 'Recover Folders'? It doesn't seem likely, as you have a record in the MFT.

Failing that, you will have to walk through the MFT record until you find the data attribute and check for either a data run or the data in residence (it would have to be really small for that, unlikely given it should be an MPG). The data run will give you the start sector of the file and you can see if that is now in use by another file.

If you don't feel up to that, post the hex of the relevant 1024-byte MFT record and perhaps some kind soul will decipher it for you!


   
(@gmarshall139)
Reputable Member
Joined: 21 years ago
Posts: 378
 

If you have a complete MFT entry then yes, you can manually parse the data and rebuild the file. The problem with a large file, such as yours could be, is that it will likely be fragmented. The MFT entry will contain the location of each of the file's extents. You need to go to those sectors, copy the data out, and paste it in a simple text document (wordpad). Then just rename it .mpg. If you got it all it should work. Explaining the location for all this information (offsets) is a little more than I have time for right now. You should be able to find it, otherwise email me and I'll get it together when I can.


   
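As an added example (not code from crutey, gmarshall139 or anyone else in this thread), here is a Python walk through a 1024-byte FILE record of the kind the two posts above describe: apply the fixups, find the unnamed $DATA attribute, return its content if resident, otherwise decode the data runs, copy each extent out of the volume and truncate to the real size. It also does the check crutey mentions, whether any of those clusters are now in use by another file, by consulting the $Bitmap, which is the "MFT entry fine, data overwritten" case raised earlier in the thread. The record, the 40-cluster volume and the $Bitmap are all constructed inside the block; the 4 KiB cluster size, the LCNs 6, 7 and 10-12, and the MPEG pack header in cluster 10 are assumptions for the sample, not values from Kevin's image.

```python
import struct

SECTOR, RECORD_SIZE, CLUSTER = 512, 1024, 4096  # 4 KiB clusters assumed for the sample
ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF

def apply_fixups(record: bytes) -> bytes:
    """Undo the update sequence: on disk the last 2 bytes of each sector of the record
    hold the USN, and the displaced originals sit in the update sequence array."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn, buf = record[usa_off:usa_off + 2], bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        if buf[end:end + 2] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        buf[end:end + 2] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def decode_data_runs(runs: bytes):
    """[(lcn, clusters), ...]; lcn is None for a sparse run. Offsets are signed
    deltas from the previous run's LCN; a 0x00 header byte ends the list."""
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:
        len_size, off_size = runs[pos] & 0x0F, runs[pos] >> 4
        count = int.from_bytes(runs[pos + 1:pos + 1 + len_size], "little")
        pos += 1 + len_size
        if off_size == 0:
            out.append((None, count))
            continue
        lcn += int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
        pos += off_size
        out.append((lcn, count))
    return out

def parse_data_attribute(record: bytes):
    """('resident', content) or ('nonresident', real_size, runs) for the unnamed
    $DATA attribute; None if the record has no such attribute."""
    record = apply_fixups(record)
    off = struct.unpack_from("<H", record, 0x14)[0]      # offset of first attribute
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen == 0:
            break
        attr, off = record[off:off + alen], off + alen
        if atype != ATTR_DATA or attr[9] != 0:           # skip named streams (ADS)
            continue
        if attr[8] == 0:                                 # resident: data is in the record
            clen, coff = struct.unpack_from("<IH", attr, 0x10)
            return ("resident", attr[coff:coff + clen])
        run_off = struct.unpack_from("<H", attr, 0x20)[0]
        real_size = struct.unpack_from("<Q", attr, 0x30)[0]
        return ("nonresident", real_size, decode_data_runs(attr[run_off:]))
    return None

def rebuild_file(record: bytes, image: bytes) -> bytes:
    """Copy every extent out of the volume image and truncate to the real size."""
    info = parse_data_attribute(record)
    if info is None:
        raise ValueError("no unnamed $DATA attribute")
    if info[0] == "resident":
        return info[1]
    out = bytearray()
    for lcn, count in info[2]:
        out += bytes(count * CLUSTER) if lcn is None else image[lcn * CLUSTER:(lcn + count) * CLUSTER]
    return bytes(out[:info[1]])

def reallocated_clusters(runs, bitmap: bytes):
    """Clusters of the deleted file that $Bitmap now marks in use, i.e. extents
    most likely overwritten by another file since the deletion."""
    return [c for lcn, count in runs if lcn is not None
            for c in range(lcn, lcn + count) if bitmap[c >> 3] >> (c & 7) & 1]

# ---- constructed sample record and volume (hypothetical, not from a real image) ----
SAMPLE_RUNS = b"\x11\x03\x0a\x01\x01\x11\x02\xfc\x00"   # 3 clusters @10, 1 sparse, 2 @6
SAMPLE_REAL_SIZE, SAMPLE_ALLOC_SIZE = 5 * CLUSTER + 1000, 6 * CLUSTER
SAMPLE_BITMAP = bytes([0x00, 0x08, 0x00, 0x00, 0x00])   # $Bitmap: only cluster 11 in use
SAMPLE_IMAGE = bytearray(40 * CLUSTER)                   # clusters 10-12 and 6-7 hold the clip
for _lcn, _ch in {10: b"A", 11: b"B", 12: b"C", 6: b"D", 7: b"E"}.items():
    SAMPLE_IMAGE[_lcn * CLUSTER:(_lcn + 1) * CLUSTER] = _ch * CLUSTER
SAMPLE_IMAGE[10 * CLUSTER:10 * CLUSTER + 4] = b"\x00\x00\x01\xba"   # MPEG-PS pack header

def build_sample_record(data_runs=SAMPLE_RUNS, real_size=SAMPLE_REAL_SIZE,
                        alloc_size=SAMPLE_ALLOC_SIZE) -> bytes:
    """1024-byte FILE record with flags=0 (not in use, i.e. deleted), one non-resident
    $DATA attribute, and fixups applied the way NTFS writes them to disk."""
    body = bytearray(0x40)                               # non-resident attribute header
    struct.pack_into("<IIBBHHH", body, 0, ATTR_DATA, 0, 1, 0, 0x40, 0, 1)
    struct.pack_into("<QQHH", body, 0x10, 0, alloc_size // CLUSTER - 1, 0x40, 0)
    struct.pack_into("<QQQ", body, 0x28, alloc_size, real_size, real_size)
    body += data_runs + bytes(-(len(body) + len(data_runs)) % 8)
    struct.pack_into("<I", body, 4, len(body))
    rec, usa_off, usa_count, first = bytearray(RECORD_SIZE), 0x30, 3, 0x38
    rec[0:4], rec[first:first + len(body)] = b"FILE", body
    struct.pack_into("<I", rec, first + len(body), ATTR_END)
    struct.pack_into("<HHQHHHHII", rec, 4, usa_off, usa_count, 0, 1, 1, first, 0,
                     first + len(body) + 8, RECORD_SIZE)
    rec[usa_off:usa_off + 2] = b"\x02\x01"               # USN
    for i in range(1, usa_count):                        # stash each sector's last 2 bytes in the USA
        end = i * SECTOR - 2
        rec[usa_off + 2 * i:usa_off + 2 * i + 2], rec[end:end + 2] = rec[end:end + 2], b"\x02\x01"
    return bytes(rec)
```

Against a real E01 you would export the suspect's 1024-byte record from $MFT, take the cluster size from the volume boot sector instead of the assumed 4096, and hand rebuild_file() the volume itself (cluster n starts at volume offset + n * cluster size). Two things to check before trusting the output: if the fixup check raises, the record you exported is not the raw on-disk bytes or is torn; and if reallocated_clusters() returns anything, those extents now belong to another file and the record's clean look means nothing, which is exactly the "name in the MFT but no data" case above. A recovered MPEG program stream should begin with 00 00 01 BA; if it does not, recheck the runs before blaming the player.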
Page 2 / 2