Hello all,
I am a newer forensic analyst and have a question that keeps bugging me. When an entity stages a file in the Recycle Bin and executes it from there or deletes it from there, without it being on the regular file system, will there be an MFT entry for said file?
For example, an entity exploits a Windows system and creates Netcat in the Recycle Bin, and executes it to transfer files to an external host. Will the MFT have an entry for the file if the entry has not been written over?
I also understand that when a file is deleted the MFT entry is marked as available. On a normal Windows 10 computer that is used daily, is it safe to say the entry would be overwritten within 24 hours after deletion?
Thank you for all the help, I do apologize if my wording is confusing or it seems trivial.
The recycle bin is just an artefact of the user interface. From a file system perspective, it is just a regular folder and everything in it will have a $MFT entry in the usual way.
Jim
www.binarymarkup.com
I also understand that when a file is deleted the MFT entry is marked as available. On a normal Windows 10 computer that is used daily, is it safe to say the entry would be overwritten within 24 hours after deletion?
No, sorry.
NTFS File Recovery - SleuthKitWiki
The answer you got from Jim @jimc is right, but there is one more thing: $J. The Journal shows the truth.
It is impossible to say how long an MFT entry marked as deleted will remain. If, for instance, thousands of files are deleted at one time, then it may be months before some entries are overwritten, if ever.
i.e. an entry may be overwritten on the next file create, or never.
Some disk defrag programs might purge unused MFT entries.
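The two points made above (a file under $Recycle.Bin gets an ordinary $MFT record, and deletion only clears the record's in-use flag rather than wiping it) can be seen directly in the on-disk FILE record layout. The following is an added example, not code posted by anyone in this thread: it constructs a synthetic 1024-byte MFT record for a file named nc.exe, applies the NTFS update-sequence fixups the way the driver does, parses it back, then clears the in-use flag the way a delete does and parses it again. The record number 4242 used as the parent directory (standing in for the per-SID folder under $Recycle.Bin), the file name, and the zeroed timestamps are all made up for the demonstration; the byte offsets follow the documented NTFS FILE record and $FILE_NAME attribute formats.

```python
import struct

SECTOR = 512                 # fixup granularity: one update-sequence word per sector
RECORD_SIZE = 1024           # default MFT record size
ATTR_FILE_NAME = 0x30        # $FILE_NAME attribute type
END_OF_ATTRS = 0xFFFFFFFF
FLAG_IN_USE = 0x01           # record header flags at offset 0x16
FLAG_DIRECTORY = 0x02
RECYCLE_BIN_DIR = 4242       # hypothetical MFT record number of $Recycle.Bin\S-1-5-21-...\ (constructed)


def build_file_name_attr(name, parent_ref):
    """Build a resident $FILE_NAME attribute (header + value), 8-byte aligned."""
    name_bytes = name.encode("utf-16-le")
    value = struct.pack("<Q", parent_ref)        # 0x00 parent directory reference (seq in top 16 bits, 0 here)
    value += b"\x00" * 32                        # 0x08 four FILETIME stamps, zeroed in this synthetic record
    value += struct.pack("<QQII", 0, 0, 0, 0)    # 0x28 allocated size, real size, flags, reparse tag
    value += struct.pack("<BB", len(name), 1)    # 0x40 name length (chars), 0x41 namespace (1 = Win32)
    value += name_bytes                          # 0x42 UTF-16LE name
    header_len = 0x18
    attr_len = (header_len + len(value) + 7) & ~7
    header = struct.pack("<IIBBHHH", ATTR_FILE_NAME, attr_len, 0, 0, header_len, 0, 0)  # resident, unnamed
    header += struct.pack("<IHBB", len(value), header_len, 0, 0)  # value length, value offset, indexed, pad
    attr = header + value
    return attr + b"\x00" * (attr_len - len(attr))


def build_mft_record(name, in_use, parent_ref=RECYCLE_BIN_DIR, seq=1):
    """Construct one MFT FILE record with a single $FILE_NAME attribute and apply fixups."""
    usa_offset = 0x30
    usa_count = RECORD_SIZE // SECTOR + 1        # USN word + one saved word per sector
    first_attr = 0x38                            # 0x30 + 6 bytes of USA, rounded up to 8
    attrs = build_file_name_attr(name, parent_ref) + struct.pack("<I", END_OF_ATTRS)
    flags = FLAG_IN_USE if in_use else 0
    rec = bytearray(b"FILE")
    rec += struct.pack("<HHQHHHHIIQHHI",
                       usa_offset, usa_count,    # 0x04 update sequence array offset / count
                       0,                        # 0x08 $LogFile sequence number
                       seq, 1,                   # 0x10 sequence number, 0x12 hard link count
                       first_attr, flags,        # 0x14 first attribute offset, 0x16 flags
                       first_attr + len(attrs),  # 0x18 used size of record
                       RECORD_SIZE,              # 0x1C allocated size
                       0, 0, 0, 0)               # 0x20 base record ref, next attr id, pad, record number
    rec += b"\x00" * (2 * usa_count)             # update sequence array placeholder
    rec += b"\x00" * (first_attr - len(rec))
    rec += attrs
    rec += b"\x00" * (RECORD_SIZE - len(rec))
    # Fixups: stash the last word of each sector in the USA and overwrite it with the USN.
    usn = 7
    struct.pack_into("<H", rec, usa_offset, usn)
    for i in range(RECORD_SIZE // SECTOR):
        end = (i + 1) * SECTOR - 2
        rec[usa_offset + 2 + 2 * i: usa_offset + 4 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = struct.pack("<H", usn)
    return bytes(rec)


def mark_deleted(raw):
    """What an NTFS delete does to the record header: clear the in-use bit, leave everything else."""
    rec = bytearray(raw)
    flags = struct.unpack_from("<H", rec, 0x16)[0]
    struct.pack_into("<H", rec, 0x16, flags & ~FLAG_IN_USE)
    return bytes(rec)


def parse_mft_record(raw):
    """Undo fixups, then return header flags and every resident $FILE_NAME (name, parent record)."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = bytearray(raw)
    usa_offset, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_offset:usa_offset + 2]
    for i in range(usa_count - 1):
        end = (i + 1) * SECTOR - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch in sector %d (torn write)" % i)
        rec[end:end + 2] = rec[usa_offset + 2 + 2 * i: usa_offset + 4 + 2 * i]
    seq, links, first_attr, flags = struct.unpack_from("<HHHH", rec, 0x10)
    names, off = [], first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_OF_ATTRS or alen == 0:
            break
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:      # resident only
            vlen, voff = struct.unpack_from("<IH", rec, off + 0x10)
            val = rec[off + voff: off + voff + vlen]
            parent = struct.unpack_from("<Q", val, 0)[0] & 0xFFFFFFFFFFFF
            name = val[0x42:0x42 + 2 * val[0x40]].decode("utf-16-le")
            names.append((name, parent))
        off += alen
    return {"in_use": bool(flags & FLAG_IN_USE), "is_dir": bool(flags & FLAG_DIRECTORY),
            "sequence": seq, "link_count": links, "names": names}


def demo():
    live = build_mft_record("nc.exe", in_use=True)
    return parse_mft_record(live), parse_mft_record(mark_deleted(live))


if __name__ == "__main__":
    before, after = demo()
    print("live:   ", before)
    print("deleted:", after)   # in_use flips to False; the name and parent record are still there
```

The deleted record still carries the file name and its parent directory reference, which is why a carved or exported $MFT can show a nc.exe under the $Recycle.Bin SID folder long after the delete; the same in-use flag is what `istat` from The Sleuth Kit reports as "Allocated" or "Unallocated" on a real image. Nothing in the parser knows or cares that the parent happens to be the Recycle Bin: to NTFS it is just another directory record.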