
Locard's Principle??

15 Posts
11 Users
0 Reactions
1,160 Views
 BobM
(@bobm)
New Member
Joined: 20 years ago
Posts: 3
Topic starter  

I am a retired computer forensic analyst, but occasionally do data recovery jobs for those unfortunates who still don't understand the concept of data backup. My query relates to a distant relly whose account was deleted from her computer by a stepdaughter. Yes, of course it had her Master's thesis on the drive and no, she had not backed it up. The stepdaughter evidently clicked No when asked if she wished to access the deleted data. I sat down with a colleague who has just completed his Master's Degree in forensic IT. We previewed the drive (320 GB SATA) using EnCase 4. It came up just fine. The client's username showed only a few files, all created by other people using her login (don't ask), but there was no sign of numerous folders and files, especially all her university work. The drive was 3 years old and appeared to be working OK. I could find many Word docs in other login IDs but nothing for the client. My question is why? Applying Locard's principle, there should have been at least traces of the data somewhere on the drive. We searched current data, Internet files, deleted data, and unallocated clusters without finding a sniff of the huge amount of data that is normally associated with a Master's thesis. My colleague was equally perplexed. Can anyone assist?


   
Quote
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

You do not say how much (if any) the drive was used after the files were deleted. A few large video files could overwrite everything.

Another thought: was the drive compressed with NTFS compression? If so, does EnCase carve compressed unallocated space?


   
ReplyQuote
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

The drive was 3 years old and appeared to be working OK. I could find many Word Docs in other login IDs but nothing for the client. My question is why?

The 13th law of data recovery might be applicable: if the data is not where you are looking, you either aren't looking in the right place, or it's right there, staring you in the face, but you don't see it.

The question you mentioned about wishing to access data seems a bit ominous – just now I only recall one scenario where something like that happens, and it's related to encrypted files (EFS) and deleted accounts/reset passwords/etc.

That's not something the average user would do, but … you might want to investigate if it's a possibility that the deleted user's file would have been EFS-encrypted.


   
ReplyQuote
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

If there is plenty of stuff in UA but nothing of what you expect, a sceptic might think that the data was never there to start with…


   
ReplyQuote
(@crosser)
Trusted Member
Joined: 20 years ago
Posts: 56
 

I might be inclined to ask her if she could give you a few unique keywords that appeared in the thesis, if you didn't do that in your initial search. You could do a keyword search and see if they appear anywhere on the disk, and maybe you'll get lucky. It may come down to recovering portions of the thesis which she could get started on again.


   
ReplyQuote
(@dficsi)
Reputable Member
Joined: 19 years ago
Posts: 283
 

Of course running a keyword search on a Microsoft document may be completely redundant if they were docx files.

Which OS was it? Is there a chance that you can retrieve the document from volume shadow copies?


   
ReplyQuote
 BobM
(@bobm)
New Member
Joined: 20 years ago
Posts: 3
Topic starter  

Thanks guys. I did do a keyword search but turned up nothing that was useful. The data was allegedly in a folder named University and should have shown up in the KWS, but it didn't. Lots of other references to University came to light but none were relevant. Paul, I quizzed her fairly firmly about whether the data was there in the first place, but she seems to be an honest person and had no advantage in dissembling. She has spent a bit of cash with local IT people trying to get this data back, so there seems no reason to doubt her. To the best of my knowledge EnCase 4 carves everything on the drive, but I will check this one out with my colleague, as the drive would have used NTFS format. As for overwriting, we looked for recent usage, but after the catastrophe came to light there was almost no added data on the drive. We can discount that one, I think. Common sense suggests that the data was never there. I thought that someone might have been messing with her mind by doing a switch of drives, but the circumstances don't support such an elaborate plot, and there was the evidence of other user accounts. I really must stop thinking like a suspicious cop.


   
ReplyQuote
pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

The 13th law of data recovery might be applicable: if the data is not where you are looking, you either aren't looking in the right place, or it's right there, staring you in the face, but you don't see it.

Are those the only two choices I get?


   
ReplyQuote
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

BobM, I am sure you will have done this already and, working on the basis that you know the person to be genuine about this matter and not techie orientated, just out of curiosity: no signs of a virus/trojan (of the evidence eliminator type) causing the deletion, perhaps a virus/trojan accidentally introduced via the different logins?

No USB attachments etc shown connected?


   
ReplyQuote
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

If the files were encrypted or compressed then a keyword search will not work; however, a keyword search for any known file names may find some indicators.

Assuming that the files were there, then either:
They were securely deleted, or deleted and overwritten,
or
They are still there (or some of them) in a form that doesn't respond to a keyword search as carried out; this leaves compressed (either Windows compression, docx compression or an archive file (zip) etc.) or encrypted in some way.

I would initially suggest a couple of different approaches

1. get some file names and search for them, the file names usually would not be compressed and so should result in hits.

2. search for the file headers as NTFS compressed data


   
ReplyQuote
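Two points from the thread (dficsi's, that a keyword search may be redundant on docx files, and Paul's, that file names and file headers are the thing to search for instead) can be shown in code. This added Python example is not from the thread: it builds a constructed minimal docx-style container, shows that the keyword is absent from the raw bytes because the XML part is deflated while the entry names are not, then carves the container by its ZIP header and recovers the text. NTFS-compressed (LZNT1) clusters, which Paul also mentions, are a different format and are not handled here.

```python
import io
import re
import zipfile

KEYWORD = "University"
FIRST_ENTRY = b"[Content_Types].xml"  # first local header name in a real .docx

def make_docx(text: str) -> bytes:
    """Constructed stand-in for a .docx: a deflated ZIP with the text in word/document.xml."""
    body = ('<?xml version="1.0"?><w:document><w:body><w:p><w:r><w:t>'
            + text + '</w:t></w:r></w:p></w:body></w:document>').encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(FIRST_ENTRY.decode(), b'<?xml version="1.0"?><Types/>')
        z.writestr("word/document.xml", body)
    return buf.getvalue()

def docx_text(blob: bytes) -> str:
    """Inflate the document part and strip the XML tags so a keyword search can see the words."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return re.sub(r"<[^>]+>", " ", z.read("word/document.xml").decode())

def carve_docx(image: bytes) -> list:
    """Find .docx-shaped ZIPs in raw bytes by structure: local header, first entry name, EOCD record."""
    found, pos = [], 0
    while (pos := image.find(b"PK\x03\x04", pos)) != -1:
        # The file name starts at offset 30 of the 30-byte fixed local file header.
        if image[pos + 30:pos + 30 + len(FIRST_ENTRY)] == FIRST_ENTRY:
            eocd = image.find(b"PK\x05\x06", pos)          # end of central directory record
            if eocd == -1:
                break
            end = eocd + 22 + int.from_bytes(image[eocd + 20:eocd + 22], "little")  # + comment length
            found.append(image[pos:end])
            pos = end
        else:
            pos += 4
    return found

def demo() -> dict:
    docx = make_docx(f"Submitted to the {KEYWORD} of Example. " * 4)       # constructed document
    image = b"\x00" * 4096 + b"lorem ipsum " * 300 + docx + b"\xff" * 2048  # constructed unallocated slice
    carved = carve_docx(image)
    return {
        "raw_keyword_hit": KEYWORD.encode() in image,      # plain KWS over the raw bytes: misses
        "filename_hit": b"word/document.xml" in image,      # entry names are stored uncompressed: hits
        "carved": len(carved),
        "keyword_in_carved_text": any(KEYWORD in docx_text(c) for c in carved),
    }
```

Running `demo()` on the constructed slice returns no raw keyword hit, one hit on the uncompressed entry name, one carved container, and the keyword found once the carved part is inflated.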
Page 1 / 2