Great insight I am getting here. I am sure I did not put them there and regarding your question, You might be right they might have been in those sectors before I started using the machine. The laptop was not acquired brand new more than 5 years ago. It was formatted once though.
regards
Great insight I am getting here. I am sure I did not put them there and regarding your question, You might be right they might have been in those sectors before I started using the machine. The laptop was not acquired brand new more than 5 years ago. It was formatted once though.
regards
Wait a minute.
Formatting under XP does not clear the contents (starting from Vista, unless you use the "quick" format all sectors are zeroed), so, unless the disk was wiped anything that was not overwritten later is still there "as it was" (while of course each and every "current" $MFT and other filesystem metadata won't have any trace of that).
If this is the case, check the EXIF data of the images, if you can find dates that are preceding the time you bought the used PC (AND you can find no later dates), then this would be the most likely explanation.
Imagine a hard disk as a library (the actual physical shelves with books on them) and the $MFT (and other NTFS metadata) as the set of library cards on which you record where the books are on the shelves and when you lend them and when they are returned.
You can well remove a book entry from the card set leaving the book in its place on the shelf.
The book becomes "unallocated", but until you physically remove the volume from the shelf (by replacing it with another book) it will still be there.
When you do a non-wiping format on a hard disk it is exactly the same thing as if you throw away your set of library cards and start with a new, blank set, the whole library will appear empty on the set while it is possibly full of books.
In other words your data is not reflecting the actual physical status.
On the other hand, a distracted librarian may well remove a book from a shelf (or add one or replace one) without updating the card, let's call this "direct access", the database information is as well out-of-sync with reality.
jaclaz
Thankyou Jaclaz for explaining this to me. I will need to view the EXIF files as well and look at the dates. This is very helpful information. The example of the Library makes it more easier to understand.
Best regards )
The example of the Library makes it more easier to understand.
… and wait until you find out about mad typographers and crazy hotel guests (and lazy maids) wink
https://www.forensicfocus.com/Forums/viewtopic/t=5150/
jaclaz
Another simple, and more likely scenario (much more likely than someone mysteriously putting pictures on your drive) is that the HDD is a refurbished or reused drive and it wasn't wiped fully.
For example, if this is a laptop, perhaps someone bought the laptop before you then returned it to the store. At the store, they simply restored the computer using the recovery partition without actually wiping the drive. Then, later, you purchased the computer which already contained some remnant unallocated data. Because the files aren't referenced in the file system post-restore they'll naturally be missing things like creation/modification timestamps.
I've seen more than a few times where we did data recovery projects and the customer found files that didn't belong to them. And we went back and confirmed the files were actually on their original drive before they brought it to us (our systems are all write-blocked so we can't write data to the originals). Usually, it's been times where they bought the computer from some mom and pop computer shop, but occasionally it's even been the big box companies.
Another simple, and more likely scenario (much more likely than someone mysteriously putting pictures on your drive) is that the HDD is a refurbished or reused drive and it wasn't wiped fully.
Queer use of "another", after two people already suggested that the images were likely leftovers and the OP stated how the laptop was bought used and only once formatted under XP.
jaclaz