Hello,
I have a question regarding rolling back restore points and the contents of the recycle bin.
I have 3 restore points that track relevant deletions. I created a symbolic link to the restore point so that I could view the state of the device at that point in time in EnCase. I also used a virtual machine to roll back the device to these three restore points and examine the contents.
The 3 EnCase states were:
1) no deleted items
2) deleted items of note
3) no deleted items because the user had restored them
The $I file indicates that the deletion happened between state 1 & 2, which is to be expected.
However, when I rolled back the restore points using a virtual machine, the only changes were that 4 executables were deleted between state 1 & 2. Apart from this, the same 100 items were in the recycle bin the entire time and therefore did not show the change that EnCase showed.
I am trying to determine what the user was looking at in the recycle bin when they booted the device before the restoration that took place in state 3.
I have asked a few colleagues who did not have an explanation (unless they were trying to stitch me up!) so hopefully this question is not too stupid!
Can anyone explain this for me?
Thanks