Hi everybody,
I am working on a case where I need to make a report about deleted files: how many files were deleted, by whom…
The defense has already asked an external company to do the same job. I have their report. They used the software RecoverMyFiles.
In their report, they say that in the folder of interest there were more than 5000 files before date X, and now there are only 700. In fact, when I check in EnCase, there are only 700 files present in that folder.
The thing is that I don't know how the software RecoverMyFiles works and what it is looking at to be able to say that there were 5000 files there.
Has anyone used that software?
Thanks
Some DIY software products, I think, allow recovery of files onto the same drive. This should never be allowed.
Are you processing a physical drive, or a secure image/clone of the original?
If files have been written to the drive then evidence will be lost.
Assuming the drive is NTFS, I would do a scan for all MFT entries on the drive.
You do not say what type of files are being looked for. If they are .DOCX, .XLSX or JPEG files, I would possibly try data carving and (with the correct carving software) work on file dates. This will need a lot of processing, but may find the files you require.
There are many approaches, but they will vary depending on the file type being looked for.
The case is quite unusual, and the way the evidence was handled even more "anti-forensic".
The company who did the search with RecoverMyFiles plugged the hard drive in as a secondary disk… In fact, at the beginning of the case, this wasn't supposed to be a criminal case. The company just wanted to recover their lost files. That's why they called a private company. After they discovered that the files had been stolen, the case came to us.
I am working on a secure image of the HDD and I am using EnCase.
This is an NTFS file system running on Windows Vista.
I am not asked to recover deleted files, just to determine how many files were deleted from a specific folder and by whom. So I don't need to do carving.
I just don't get how the software RecoverMyFiles can say that there were 5000 files in that folder. What is it based on? The MFT entries? The VSS? (By the way, I tried to look into VSS but there was nothing there…)
What tool would you use to scan the MFT? I am looking for a particular folder's content.
Thanks
Hi,
I had a similar issue in a criminal case, and what I did was analyse all MFT entries ($FILE_NAME attributes as well as $STANDARD_INFORMATION attributes, in case they had messed with timestamps) pointing to the parent folder of interest, and that includes files and sub-folders. Of course I had to explain that there is a possibility that some MFT entries of interest were overwritten, due to the way NTFS works, the time the drive was used after the delete action took place, and the intensity of use. However, I managed to prove that a folder containing around 30 files had contained AT LEAST 300 files, with the possibility that the number was even greater.
Details regarding this type of analysis can be found here:
http//
I am not asked to recover deleted files, just to determine how many files were deleted from a specific folder and by whom. So I don't need to do carving.
Well, with all due respect ) you shouldn't exclude a method/approach a priori. If data carving is needed to obtain the wanted result, then you do data carving; if it is not, you don't.
What tool would you use to scan the MFT? I am looking for a particular folder's content.
You have two possible ways.
#1 use another "file/filesystem recovery" tool, in which case I would suggest DMDE
http://dmde.com/
#2 simply dump the $MFT in which case I would suggest you this tool by Joakim
http://www.forensicfocus.com/Forums/viewtopic/t=8010/
https://
but I would also check the NTFS $LogFile and $UsnJrnl with the other tools.
Please also consider that you are, specifically, working more on "hearsay" than anything else: the RecoverMyFiles software may well provide (or have provided, in the hands of the "other" examiner) "false" data.
RecoverMyFiles (which is basically a file-oriented recovery program and not a filesystem-oriented one) actually does automatically some form of file carving, and it may well consider any kind of digital garbage a "hit".
If I were you I would anyway verify what RecoverMyFiles finds NOW on that hard disk, then forget about its reported result and simply throw at the stupid hard disk each and every recovery tool or technique available, to try and recover the files.
The notion of "there were 5000 files and now there are 700" should be read more as "the specific RecoverMyFiles software detects traces leading one to believe that at a given date/time (if this detail is provided?) there were 5000 files, while currently only 700 are accessible/recoverable"; re-testing with other tools, namely x, y, z, led instead to … (or confirmed the results of RecoverMyFiles).
jaclaz
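Added example, not any poster's tool and not what RecoverMyFiles or EnCase do internally: a small Python parser that implements the earlier post's approach (read every MFT entry whose $FILE_NAME points at the folder of interest, keeping the $STANDARD_INFORMATION creation time alongside the $FILE_NAME one) on top of jaclaz's option #2 (dump $MFT and walk it). It applies the NTFS update-sequence fixups, follows the parent reference in each $FILE_NAME, counts an entry once even when it carries an 8.3 alias, and flags entries whose parent sequence number belongs to an earlier incarnation of the folder's record. Because it looks for the FILE signature on sector boundaries rather than assuming a 1024-byte stride, the same scanner can be run over a raw region of the image, not only the extracted $MFT. The record numbers, names and dates are constructed; the six-record $MFT at the bottom is built by hand so the script runs offline.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR = 1024, 512
ATTR_STD_INFO, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
FLAG_IN_USE, FLAG_DIRECTORY, NS_DOS = 0x0001, 0x0002, 2   # NS_DOS: namespace of an 8.3 alias
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_iso(ft):   # NTFS FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).isoformat()

def apply_fixups(rec):   # undo the update sequence array: put each sector's real last two bytes back
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn, buf = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):
        if buf[i * SECTOR - 2:i * SECTOR] != usn:
            raise ValueError("update sequence mismatch: torn or corrupt record")
        buf[i * SECTOR - 2:i * SECTOR] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_record(rec):   # one FILE record -> in-use flag, $STANDARD_INFORMATION creation time, every $FILE_NAME
    rec = apply_fixups(rec)
    seq, _links, off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    entry = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "seq": seq,
             "in_use": bool(flags & FLAG_IN_USE), "si_created": None, "names": []}
    while off + 0x18 <= len(rec):                       # room for a resident attribute header
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:                           # resident attribute (non-resident ones are skipped)
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_STD_INFO and len(body) >= 8:
                entry["si_created"] = filetime_to_iso(struct.unpack_from("<Q", body)[0])
            elif atype == ATTR_FILE_NAME and len(body) >= 0x42:
                parent_ref, created = struct.unpack_from("<QQ", body)
                entry["names"].append({
                    "name": body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le", "replace"),
                    "namespace": body[0x41], "fn_created": filetime_to_iso(created),
                    "parent_record": parent_ref & 0xFFFFFFFFFFFF,      # low 48 bits
                    "parent_seq": parent_ref >> 48})                   # high 16 bits
        off += alen
    return entry

def iter_records(buf):   # $MFT dump or any raw region: look for the FILE signature on sector boundaries
    for off in range(0, len(buf) - RECORD_SIZE + 1, SECTOR):
        if buf[off:off + 4] == b"FILE":
            try:
                yield parse_record(buf[off:off + RECORD_SIZE])
            except (ValueError, struct.error, IndexError):
                continue                                # skip torn or corrupt records

def summarize_folder(buf, dir_record):   # entries whose $FILE_NAME parent is dir_record: present vs deleted
    entries = list(iter_records(buf))
    folder = next((e for e in entries if e["record"] == dir_record and e["in_use"]), None)
    present, deleted = [], []
    for e in entries:
        for fn in e["names"]:
            if fn["parent_record"] != dir_record or fn["namespace"] == NS_DOS:
                continue          # an 8.3 alias shares the entry: count it once, via its long name
            (present if e["in_use"] else deleted).append({
                "record": e["record"], "name": fn["name"], "fn_created": fn["fn_created"],
                "si_created": e["si_created"],     # differs from fn_created -> look closer at the timestamps
                # parent seq older than the folder's: the entry hung off an earlier incarnation of that
                # record number, so it was not necessarily in this folder
                "stale_parent": folder is not None and fn["parent_seq"] != folder["seq"]})
            break
    return {"directory": folder["names"][0]["name"] if folder else None, "present": len(present),
            "deleted": deleted, "stale_parent_refs": sum(r["stale_parent"] for r in deleted)}

# --- constructed sample: a hand-built six-record $MFT, not data from any real case ---
def _attr(atype, body):   # resident, unnamed attribute: 0x18-byte header, total length padded to 8
    total = 0x18 + len(body) + (-(0x18 + len(body))) % 8
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0)
    return hdr + body + bytes(total - 0x18 - len(body))

def build_record(record_no, seq, flags, names, parent, parent_seq, when):
    ft = ((when - EPOCH_1601) // timedelta(microseconds=1)) * 10
    attrs = _attr(ATTR_STD_INFO, struct.pack("<QQQQ", ft, ft, ft, ft) + bytes(16))
    for name, ns in names:
        attrs += _attr(ATTR_FILE_NAME, struct.pack("<QQQQQQQIIBB", (parent_seq << 48) | parent,
                       ft, ft, ft, ft, 0, 0, 0, 0, len(name), ns) + name.encode("utf-16-le"))
    attrs += struct.pack("<II", ATTR_END, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, seq, 1, 0x38, flags,
                      0x38 + len(attrs), RECORD_SIZE, 0, 0, 0, record_no)
    rec = bytearray((hdr + b"\x01\x00" + bytes(6) + attrs).ljust(RECORD_SIZE, b"\x00"))  # USN=1, 2 USA slots, pad
    for i in (1, 2):   # stash each sector's real tail in the USA, then stamp the USN over it
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = b"\x01\x00"
    return bytes(rec)

T, DIR = datetime(2013, 5, 1, 12, 0, tzinfo=timezone.utc), 64   # DIR: hypothetical record number of the folder
SAMPLE_MFT = b"".join([
    build_record(DIR, 2, FLAG_IN_USE | FLAG_DIRECTORY, [("Projects", 1)], 5, 5, T),
    build_record(70, 1, FLAG_IN_USE, [("alpha.docx", 1)], DIR, 2, T),
    build_record(72, 3, 0, [("gamma.docx", 1)], DIR, 2, T),                                # deleted
    build_record(73, 2, 0, [("DELTA_~1.PDF", 2), ("delta_report.pdf", 1)], DIR, 2, T),     # deleted, with 8.3 alias
    build_record(74, 1, 0, [("old.txt", 1)], DIR, 1, T),        # deleted; parent seq 1 = earlier incarnation of 64
    build_record(75, 1, FLAG_IN_USE, [("unrelated.txt", 1)], 5, 5, T),                     # lives in another folder
])
```

On a real extract, pass the bytes of the exported $MFT and the folder's record number (EnCase shows it per entry) to summarize_folder. The deleted count it returns is a floor, not a total: an entry whose FILE record has since been reallocated shows up, if at all, under its new owner, which is exactly why the earlier post could only report "at least 300". Non-resident attributes are skipped here because neither the parent reference nor the name lives in them; the parent-sequence check matters because a deleted entry can point at a record number that was later reused for a different folder.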
Thanks for the advice.
I looked in the $MFT and that helped me a lot.
I also tried this:
Using VMware with a SIFT VM created by SANS, with some really cool open source tools like Mantaray. This is open source so it's not Forensic, but it can give you an idea of what you are looking for.
In my case, I tried to use it with the Timeline feature. This feature creates a timeline in a CSV document. It's raw information, but if you are looking for what happened on a specific date, this can help you. This is the theory.
In practice, it didn't work for my case… ?
As I have little time left for my case, I don't have time to play with it and find out what the problem was. Also, I was told that if the process crashes, you can spend a lot of time and in the end find out that it won't work at all on your case. So I moved on.
If you have time to test it, give me your feedback.
http//
This is open source so it's not Forensic
incoming……..
This is open source so it's not Forensic
incoming……..
Can I get a "grit teeth" icon?
Can I get a "grit teeth" icon?
Be my guest )
jaclaz
Here are my 2 cents.
You said you already used EnCase.
I think what you should do next is verify the results you get from EnCase against the ones from the software used by the other company, and then verify with a third software.
Consider that, generally, software that is specific to data recovery (in my experience) is more efficient at detecting and recovering deleted data.
For instance, I managed to get better results in how many files I was able to find and recover by using R-Studio than by using Autopsy.
This is because, as far as I know, Autopsy limits itself to parsing the MFT, while R-Studio uses a more complex approach by trying to recover metadata from unreferenced areas of the filesystem.
So yes, it's indeed possible that RecoverMyFiles (I've never used such a tool) shows more deleted files than EnCase does.
But the point is, why are YOU in charge of explaining why their result is "better" than yours (in terms of data recovery)? Isn't it the other company's duty to document the way they worked, and why their software produced such a result?
Being able to explain and document the result is part of a forensic examiner's job.