Hi There
I am doing an investigation on a Vista machine. But would like to confirm something.
I have run the folder recovery on the machine. But it looks like all the files that were recovered are also still live on the system.
My question is why would the files that are under the recovered folders also still be live on the system? I can open them and they are all viewable.
Thanks
Volume Shadow is probably the main culprit.
I have run the folder recovery on the machine. But it looks like all the files that were recovered are also still live on the system.
My question is why would the files that are under the recovered folders also still be live on the system? I can open them and they are all viewable.
This question (or a very closely related one) was recently asked and answered on the Guidance support forum – if you ask technical questions about EnCase, that is often the best place to get answers – at least to start with.
As far as I understand it, recovered folders are traces of folders from unallocated blocks and from other places on the disk. As such, they may very well contain information that is still present in active directories. The main interest is probably that they also may indicate files that are no longer present.
But note – it is not the files that are recovered, as you say, but the folder contents. (If you view a folder as a kind of special file, containing information about other files, it may be easier to grasp the idea.)
Look at the location of the MFT record: is it in the same physical location as the 'existing' MFT record, i.e. has EnCase found the same MFT entry twice?
If it is a different MFT entry, look at the allocation for the file in recovered folders: is it the same as the allocation for the existing file? Do you have two MFT entries pointing at the same location, or is it two different copies of the same file?
it looks like all the files that were recovered are also still live on the system.
Out of curiosity, are you unsure as to whether or not these files are live? I ask this because you have said they look like they are live.
I can open them and they are all viewable.
A deleted file would still be viewable, as the file data remains behind on the disc until such time as it gets overwritten. This is exactly what I would expect if EnCase had recovered a file.
What does EnCase report in the 'Description' column for one of these files?
Hope this helps
Ben
'j2222' has it correct.
VSS stores data in 16 KB blocks - in the clear.
The recover folders operation simply searches for MFT records in unallocated (which can include VSC blocks) and then parses the contents.
There are many MFT records stored in these volume shadow copies.
A request to fix this was made by 'j2222' and Guidance Software has acknowledged the issue.
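The two replies above describe the same triage: a recovered-folders hit is just an MFT FILE record carved out of unallocated space (which, on a Vista volume, includes shadow-copy blocks), so the thing to check is whether the carved record is a second copy of a live entry, a different entry pointing at the same clusters, or a genuinely different file. The script below is an added example, not part of this thread and not EnCase's code: it builds a tiny constructed image containing a few synthetic 1024-byte MFT records, carves every FILE record from it, undoes the update-sequence fixup, pulls the record number, in-use flag, $FILE_NAME and $DATA data runs, and then classifies each hit along exactly those three lines. The image contents, record numbers, names and cluster numbers are all invented for the demo; the 16 KB shadow-copy block layout is not modelled, the stale copy is simply placed in an "unallocated" region.

```python
"""Carve NTFS MFT FILE records from a raw image and explain duplicate hits (added example)."""
import struct

RECORD_SIZE = 1024  # standard MFT record size


def resident_attr(atype, content):
    """Resident attribute: 24-byte header followed by content, padded to 8 bytes."""
    length = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0)
    return (hdr + content).ljust(length, b"\x00")


def nonres_attr(atype, runs, clusters, size):
    """Non-resident attribute: 64-byte header followed by the data-run list."""
    length = (64 + len(runs) + 7) & ~7
    hdr = struct.pack("<IIBBHHHQQHHIQQQ", atype, length, 1, 0, 0x40, 0, 0,
                      0, clusters - 1, 0x40, 0, 0, clusters * 4096, size, size)
    return (hdr + runs).ljust(length, b"\x00")


def build_file_record(record_no, name, first_lcn, clusters, in_use=True):
    """Constructed sample FILE record with one $FILE_NAME and one non-resident $DATA run."""
    fn = struct.pack("<Q4Q2QII", 5, 0, 0, 0, 0, clusters * 4096, clusters * 4096, 0x20, 0)
    fn += bytes([len(name), 3]) + name.encode("utf-16-le")
    run = struct.pack("<BIi", 0x44, clusters, first_lcn) + b"\x00"  # 4-byte length, 4-byte offset
    attrs = resident_attr(0x30, fn) + nonres_attr(0x80, run, clusters, clusters * 4096)
    attrs += b"\xff\xff\xff\xff" + b"\x00" * 4  # end-of-attributes marker
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                      1 if in_use else 0, 0x38 + len(attrs), RECORD_SIZE, 0, 3, 0, record_no)
    rec = bytearray((hdr + b"\x00" * 8 + attrs).ljust(RECORD_SIZE, b"\x00"))
    usn = b"\x01\x00"  # apply the update-sequence fixup to both 512-byte sectors
    for i, end in enumerate((512, 1024), start=1):
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = usn
    rec[0x30:0x32] = usn
    return bytes(rec)


def decode_runs(buf):
    """Decode an NTFS data-run list into [(start_lcn, cluster_count), ...]."""
    runs, pos, lcn = [], 0, 0
    while buf[pos] != 0:
        lsz, osz = buf[pos] & 0xF, buf[pos] >> 4
        length = int.from_bytes(buf[pos + 1:pos + 1 + lsz], "little")
        lcn += int.from_bytes(buf[pos + 1 + lsz:pos + 1 + lsz + osz], "little", signed=True)
        runs.append((lcn, length))
        pos += 1 + lsz + osz
    return runs


def parse_file_record(rec):
    """Undo the fixup and extract record number, in-use flag, name and data runs."""
    if rec[:4] != b"FILE":
        return None
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = 512 * i
        if rec[end - 2:end] != usn:
            return None  # torn record: sector does not carry the expected sequence number
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"record_no": struct.unpack_from("<I", rec, 0x2C)[0],
            "in_use": bool(flags & 1), "name": None, "runs": []}
    pos = attr_off
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if atype == 0x30 and rec[pos + 8] == 0:       # resident $FILE_NAME
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            c = rec[pos + coff:pos + coff + clen]
            info["name"] = c[0x42:0x42 + 2 * c[0x40]].decode("utf-16-le")
        elif atype == 0x80 and rec[pos + 8] == 1:     # non-resident $DATA
            runs_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
            info["runs"] = decode_runs(rec[pos + runs_off:pos + alen])
        pos += alen
    return info


def scan_image(image, step=512):
    """Carve FILE records at every sector boundary, as a recover-folders pass would."""
    hits = []
    for off in range(0, len(image) - RECORD_SIZE + 1, step):
        if image[off:off + 4] == b"FILE":
            info = parse_file_record(image[off:off + RECORD_SIZE])
            if info:
                info["offset"] = off
                hits.append(info)
    return hits


def classify(hits):
    """Map image offset -> why this carved record duplicates (or not) a live file."""
    by_no = {}
    for h in hits:
        by_no.setdefault(h["record_no"], []).append(h)
    out = {}
    for h in hits:
        same_entry = [o for o in by_no[h["record_no"]] if o["offset"] != h["offset"]]
        same_clusters = [o for o in hits if o["offset"] != h["offset"]
                         and o["record_no"] != h["record_no"] and h["runs"] and o["runs"] == h["runs"]]
        if same_entry:
            out[h["offset"]] = "same MFT entry seen twice (stale copy of the record, e.g. a shadow-copy block)"
        elif same_clusters:
            out[h["offset"]] = "different MFT entries pointing at the same clusters"
        else:
            out[h["offset"]] = "unique record"
    return out


def build_sample_image():
    """Constructed 24 KiB image: a live MFT record, a stale copy of it, an old entry, a unique file."""
    img = bytearray(24 * 1024)
    live = build_file_record(40, "report.docx", 1000, 4)
    img[0:1024] = live                                                       # live MFT
    img[8192:9216] = live                                                    # stale copy in unallocated
    img[12288:13312] = build_file_record(42, "notes.txt", 2000, 1)           # unrelated live file
    img[16384:17408] = build_file_record(41, "report.docx", 1000, 4, False)  # old entry, same clusters
    return bytes(img)


if __name__ == "__main__":
    hits = scan_image(build_sample_image())
    kinds = classify(hits)
    for h in hits:
        print(f"offset {h['offset']:6d} rec {h['record_no']} in_use={h['in_use']} "
              f"{h['name']} runs={h['runs']} -> {kinds[h['offset']]}")
```

On a real image you would feed `scan_image` the volume bytes (or only the unallocated and shadow-copy regions) and compare each carved hit against the live $MFT: a hit whose record number and bytes match a live entry is a copy of that entry, not evidence that the file was deleted, while a hit with a different record number but identical data runs is an older entry for data the live file still owns.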
Thanks for all the help guys. I am going to go through all your suggestions and get back to you.