So I've got a suspect computer (formatted with NTFS) with tons of contraband files on it. Well, there *used* to be at least. The file names are clearly those of contraband, but the problem is that they're all orphaned files. The files in question all have access times that are very close together, leading me to believe he either recycled or deleted them all at the same time.
I'm trying to recover any image that he deleted, but they all appear to be empty. The sectors that the MFT entry is pointing to are all zero, but I'm trying to figure out how this happened. Does this happen during normal operation when a parent directory is deleted? It was my understanding that the children should still have data there.
Any help would be appreciated on how this could have happened or how to recreate these files!
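The "sectors the MFT entry is pointing to are all zero" observation can be checked mechanically: decode the non-resident $DATA runlist from the orphaned FILE record, read the clusters it references out of the image, and count how many of them are zero-filled (deleting a parent directory marks the children's records unused but does not by itself touch their clusters, so all-zero allocated clusters point to a wipe or a later overwrite). The following is an added example written for this thread, not code from any of the posters; the function names, the runlist bytes and the small disk image are constructed for the demo, and the second runlist is the worked example from the Linux-NTFS documentation.

```python
"""Decode an NTFS runlist and report which referenced clusters are zero-filled."""


def decode_runlist(raw: bytes):
    """Decode an NTFS runlist (the bytes following a non-resident attribute
    header) into a list of (lcn, length_in_clusters) tuples.

    Each run starts with a header byte: low nibble = size of the length field,
    high nibble = size of the offset field. The offset is little-endian, signed
    and relative to the previous run's LCN; an offset size of 0 means a sparse
    run, reported here as lcn=None. A header byte of 0 terminates the list.
    """
    runs = []
    pos = 0
    lcn = 0
    while pos < len(raw):
        header = raw[pos]
        if header == 0:
            break
        len_size = header & 0x0F
        off_size = header >> 4
        if len_size == 0 or len_size > 8 or off_size > 8:
            raise ValueError(f"malformed run header 0x{header:02x} at {pos}")
        pos += 1
        length = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, length))  # sparse run: no clusters on disk
            continue
        delta = int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
        pos += off_size
        lcn += delta
        runs.append((lcn, length))
    return runs


def read_runs(image: bytes, runs, cluster_size: int) -> bytes:
    """Concatenate the data the runs reference; sparse runs read as zeros."""
    out = bytearray()
    for lcn, length in runs:
        n = length * cluster_size
        if lcn is None:
            out += bytes(n)
            continue
        start = lcn * cluster_size
        chunk = image[start:start + n]
        if len(chunk) != n:
            raise ValueError(f"run at LCN {lcn} extends past end of image")
        out += chunk
    return bytes(out)


def zero_fill_report(image: bytes, runs, cluster_size: int):
    """Per run: (lcn, clusters in run, clusters that are entirely zero).

    An allocated run whose clusters are all zero is the situation described in
    the thread; sparse runs are zero by definition and counted as such.
    """
    report = []
    for lcn, length in runs:
        if lcn is None:
            report.append((None, length, length))
            continue
        zero = 0
        for i in range(length):
            start = (lcn + i) * cluster_size
            if not any(image[start:start + cluster_size]):
                zero += 1
        report.append((lcn, length, zero))
    return report


# Constructed demo: 64 clusters of 16 bytes. Runlist (constructed) =
#   21 02 05 00  -> 2 clusters at LCN 5
#   11 01 FE     -> 1 cluster at LCN 5 + (-2) = 3
#   01 01        -> 1 sparse cluster
#   11 02 0A     -> 2 clusters at LCN 3 + 10 = 13
#   00           -> terminator
CLUSTER_SIZE = 16
DEMO_RUNLIST = bytes.fromhex("21 02 05 00 11 01 FE 01 01 11 02 0A 00")
DEMO_IMAGE = bytearray(64 * CLUSTER_SIZE)
DEMO_IMAGE[3 * CLUSTER_SIZE:4 * CLUSTER_SIZE] = b"\xff\xd8\xff\xe0" + b"J" * 12  # JPEG-like header
DEMO_IMAGE[14 * CLUSTER_SIZE:15 * CLUSTER_SIZE] = b"x" * CLUSTER_SIZE
DEMO_IMAGE = bytes(DEMO_IMAGE)


def demo():
    runs = decode_runlist(DEMO_RUNLIST)
    return runs, zero_fill_report(DEMO_IMAGE, runs, CLUSTER_SIZE)


if __name__ == "__main__":
    runs, report = demo()
    for (lcn, length, zero) in report:
        where = "sparse" if lcn is None else f"LCN {lcn}"
        print(f"{where}: {zero}/{length} clusters zero-filled")
```

Against a real image, replace `DEMO_IMAGE` with the partition's bytes (or a file object you seek into) and take the cluster size from the boot sector; a run that is fully zero while $Bitmap still shows its clusters allocated is strong evidence of deliberate overwriting rather than normal reuse.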
Try to find out if he used some particular uninstaller software or eraser, like Secure Eraser or something like this…
Good luck
———————-
Nanni Bassetti
Selective File Dumper - http://sfdumper.sourceforge.net/
Presuming that the recycle bin is cleared
Access Data has a paper on NTFS Orphan files here
http//
HTH
paul
Well, I think I have a little more now. I found some .lnk files indicating that he was viewing these same orphaned files on another drive (or possibly partition) labelled "I". The .lnk indicated it was a fixed disk. FTK Imager reports *only* partition 1 and partition 5 on the computer. He definitely had the drive mounted at one point, since it appears on his mounted devices in the registry.
I'm checking for secure erase software, but so far I've found nothing. I know this guy possessed multiple contraband files, but I really have nothing at this point.
Have you tried the entries in the likes of Real Player or Media Player for movie files, or AcdSee etc. for stills, to see if there are any references to the files and their location?
What about thumbs.db files etc.? You may find some trace if there are any of them, or if you're really lucky and he has AcdSee on, you may find images in the AcdSee db file, but you will need the specific viewer to access it.