Hi all,
What are actually found after we run Recovered Folder in EnCase?
Is the result of this search found in the "Lost Folder"?
Thanks!
What version of EnCase are you running?
… In NTFS.. The Program will Parse through the MFT and any recovered folders are put in the "Recovered Files" Folder (in v. 5)
In a FAT file system you will have "Recovered Folders" Folder listed under the ROOT directory (it's virtual)…
When EnCase mounts a file system it searches the MFT. If a parent folder for an entry cannot be located it goes into the lost files. Recovered Folders are folders parsed from the unallocated clusters of the MFT. wink
I'm using version 5.05f.
Can I safely say the file in recovered folder were actually deleted files?
I'm using version 5.05f.
Can I safely say the file in recovered folder were actually deleted files?
Not necessarily. This is because Encase is interpreting unused or redundant parts of the file system to indicate what is recorded as being situated in certain clusters. Some (probably most) of the time it gets it right but sometimes it gets it horribly wrong. Therefore you have to do some sanity checks. Is the jpg realy a jpg, is the file length correct and so on.
However generally the files in recovered folders are deleted or not referred to by the current file system.
Regards