just curious, using Encase ver 7.12, have a bunch of files and folders in "Lost Files". Does the creation date of these files and folders indicate this is the date timestamp in which these files and folders were placed into "Lost Files". The File Created timestamp of all of these files seems to indicate that a user deleted a main folder which subsequently deleted all the subfolders and files in that folder.
The time stamps of the File Created dates indicate that the files and folders were all deleted in rapid succession (eg the person probably deleted a root folder containing all the subfolders and files). So essentially, under Lost Files, I have have thousands of deleted files in there which all show a creation date that spans a few minutes.
thanks.
"Lost Files" in EnCase refer to deleted files with unknown parent, they are often called orphan files in other tools.
When a folder with files are deleted, all MFT entry will be marked as deleted. However, if the deleted folder entry is being reused, the deleted files can longer trace back to their parent. Thats how "Lost Files" are made.
When files and folders are deleted, none of those MAC time will be updated. So we cant determine the deletion time by simply looking at the MAC time.
So the answer for this question is No
Does the creation date of these files and folders indicate this is the date timestamp in which these files and folders were placed into "Lost Files".