I have a strange issue. After analysing an image using FTK version 1.7 I have found that a file $I30 exists in each directory. I understand that this is unique to FTK and comprises attributes from the MFT. This is basically an index list of files that have existed in the directory.
The directory in question is \username\documents and settings\microsoft\office\recent, i.e. the shortcut directory of MRUs for Office.
In the $I30 file a link .lnk shortcut is referenced; however, I cannot find this shortcut or any file that relates to the entry in the $I30.
I would welcome any observations on this. Furthermore, I would also like to understand, if a file has been accessed via an Office application, where, when and how the shortcut would be removed. Obviously if a file is renamed or moved off the hard disk it would not have any information left behind regarding the original file name, but surely the original .lnk would still exist. I have read extensively on this subject but cannot find any reference to this type of issue.
re. $I30
Thx, but I have already seen this; it doesn't answer the fundamental question at the heart of my post, which is where are the files that are referenced in this index. Or where and how the lnk files can get removed without any artifacts being left behind.
Cheers
"The directory in question is \username\documents and settings\microsoft\office\recent, i.e. the shortcut directory of MRUs for Office"
I can't say that I've ever seen a system with such a directory. Usually, such dirs exist such as "\Documents and Settings\username\…"
For example, I found this link (http//
What operating system (i.e., version of Windows) and which version of Office are you dealing with?
"I would welcome any observations on this. Furthermore, I would also like to understand, if a file has been accessed via an Office application, where, when and how the shortcut would be removed. Obviously if a file is renamed or moved off the hard disk it would not have any information left behind regarding the original file name, but surely the original .lnk would still exist. I have read extensively on this subject but cannot find any reference to this type of issue."
Perhaps some Registry analysis would give you some indications of when the file may have been accessed and the lnk file created, giving you a timeframe with which to associate other activity.
HTH,
Harlan
Harlan, you are correct, it is "\Documents and Settings\<user>\Application Data\Microsoft\Office\Recent".
It was a typo on my part.
Simon
What you see in FTK is really a mischaracterization of an attribute, which is what the $I30 is. FTK treats it as a file. The directory attribute may list the directory's contents, even after the contents are gone.
Jimmy,
Good call. Brings "knowing your tools" back into focus.
Simon,
"It was a typo on my part."
Wow, I'll say. Makes a HUGE difference!
I appreciate all your information regarding FTK, but it really isn't telling much more than I had already found out.
I am still interested in knowing about the shortcuts / lnk files created by Office and how they can be deleted.
As per Harlan's advice I have already scanned the registry for any files that have either been accessed or created and have found nothing that relates to the file name in the $I30 file.
Any further ideas / information is appreciated.
Link files simply can be deleted at the user's whim. Many privacy tools delete links by default. There also may be a number beyond which XP will delete the links. However, in those scenarios, it's not surprising to find references to the deleted link files in the $I30 attribute, although there's no guarantee that the attribute will maintain such references indefinitely.
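To illustrate how a directory index can still name a .lnk file that no longer exists, here is an added example (not part of the original thread and not FTK's code) that walks one NTFS index record and separates live entries from stale ones left in slack. It assumes the standard INDX and $FILE_NAME layouts, a record whose fixups are already applied, and slack entries whose 16-byte header is still intact; the sample record and file names are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

def parse_entry(buf, off):
    """Decode one index entry at off; None if it is not a plausible $FILE_NAME entry."""
    if off + 84 > len(buf):
        return None
    ref, ent_len, fn_len = struct.unpack_from("<QHH", buf, off)
    mtime, = struct.unpack_from("<Q", buf, off + 32)       # $FILE_NAME modified time
    name_len, namespace = struct.unpack_from("<BB", buf, off + 80)
    # mtime >> 61 rejects garbage timestamps that would overflow datetime
    if not name_len or namespace > 3 or fn_len != 66 + 2 * name_len or mtime >> 61:
        return None
    if ent_len < 16 + fn_len or ent_len % 8 or off + ent_len > len(buf):
        return None
    name = buf[off + 82:off + 82 + 2 * name_len].decode("utf-16-le", "replace")
    when = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=mtime // 10)
    return {"name": name, "mft": ref & 0xFFFFFFFFFFFF, "modified": when, "len": ent_len}

def list_index(buf):
    """Return (live, slack) entries of one INDX record (fixups already applied)."""
    if buf[:4] != b"INDX":
        raise ValueError("not an INDX record")
    first, used, alloc = struct.unpack_from("<III", buf, 24)  # relative to offset 24
    off, live, slack = 24 + first, [], []
    while off + 16 <= 24 + used:          # entries the directory still lists
        entry = parse_entry(buf, off)
        if entry is None:                 # end marker or damaged entry
            break
        live.append(entry)
        off += entry["len"]
    off = (24 + used + 7) & ~7            # slack starts after the used area
    while off + 84 <= min(len(buf), 24 + alloc):
        entry = parse_entry(buf, off)     # entries are 8-byte aligned
        slack += [entry] if entry else []
        off += entry["len"] if entry else 8
    return live, slack

def make_entry(ref, name, mtime=128166372000000000):  # constructed FILETIME
    """Build one index entry for the constructed sample below."""
    fn = struct.pack("<Q4Q2Q2I2B", 5, *[mtime] * 4, 0, 0, 0x20, 0, len(name), 1)
    fn += name.encode("utf-16-le")
    length = (16 + len(fn) + 7) & ~7
    return (struct.pack("<QHHI", ref, length, len(fn), 0) + fn).ljust(length, b"\0")

def build_sample():
    """Constructed 4 KiB INDX record: one live entry, one stale .lnk entry in slack."""
    live = make_entry(0x0001000000000064, "report.doc.lnk")
    stale = make_entry(0x0002000000000065, "budget.xls.lnk")
    body = live + struct.pack("<QHHI", 0, 16, 0, 2) + stale   # flag 2 = end marker
    node = struct.pack("<IIII", 40, 40 + len(live) + 16, 4096 - 24, 0)
    return (b"INDX" + bytes(20) + node + bytes(24) + body).ljust(4096, b"\0")
```

Calling `list_index(build_sample())` returns the live entry and the slack entry separately; the slack entry's MFT record number and timestamps are the leads for checking whether that record has since been reused.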
Jimmy, these link files cannot be deleted by the user as they do not have rights in that folder to delete the files, under this particular build of WXP. Which brings me to my original point on how the Office apps delete or carry out housekeeping. As you are correct, the $I30 shows that this file existed.
Anyone who has an insight or can direct me in the direction, I would appreciate their help.
Simon