Windows 98 file recuperati con FTK

10 Posts
3 Users
0 Reactions
669 Views
(@tex656565)
Active Member
Joined: 15 years ago
Posts: 13
Topic starter  

A file that was in the Kazaa shared folder was moved to a folder named Kazaa and was then deleted using Windows 98. Question: once the deleted files in the Kazaa folder are recovered, can you reconstruct that they were first placed in the Kazaa shared folder? Can you know the time of cancellation? What traces does this leave in the file system? An Italian expert claims that the FTK software can reconstruct the entire history of a deleted file. I do not think you can know the time of cancellation, and you cannot know from which folder it was copied. Tell me if I'm wrong, thanks.


neddy
(@neddy)
Estimable Member
Joined: 21 years ago
Posts: 182
 

You're wrong.

Thanks.

To explain without the full details is difficult but using INFO2 recycle bin records, deleted lnk files and recovered NTFS INDX records or recovered FAT folder directory entries, all the things you have stated are possible.


(@tex656565)
Active Member
Joined: 15 years ago
Posts: 13
Topic starter  

Ok, but can you tell when it was deleted from the hard disk?


(@tex656565)
Active Member
Joined: 15 years ago
Posts: 13
Topic starter  

date and time the file CANCELLATIONS


neddy
(@neddy)
Estimable Member
Joined: 21 years ago
Posts: 182
 

When files get deleted there is no single attribute or artifact generated that will tell you when this deletion occurred. However, files that get added to the recycle bin on a Win9x system will have an INFO2 record created and this can be used to approximate the time of deletion.
Read here for more.
File systems have to keep track of where files are stored (as in folders) and if files are moved from folder to folder or the folder and its contents are deleted, artifacts will remain indicating that the file once was stored in these folders or that these folders once existed but have since been deleted or renamed.
These artifacts can be in the form of MRU (most recently used) entries in the registry, LNK files, or recovered INDX folder records or FAT directory listing entries.

It is very hard to explain when a file may have been deleted, but trust me when I claim that a good forensic computer analyst will be able to put these things together in such a way that most will be convinced by his or her evidence.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

date and time the file CANCELLATIONS

JFYI
cancellation
http://www.thefreedictionary.com/cancellation

deletion
http://www.thefreedictionary.com/deletion

You need to also post the filesystem on which this happened.

Win98 means GUI Win98 or Win98 Dos?

@neddy
How do you know it went through the Recycle Bin?

AFAIK FTK reconstructs *nothing*; maybe an expert user using FTK may, though I doubt it, create a number of reports that give clues about the actual time when it happened, which may convince someone, but that is a lot unlike *evidence*.

jaclaz


neddy
(@neddy)
Estimable Member
Joined: 21 years ago
Posts: 182
 

jaclaz,
I have to assume (I have made a lot of assumptions in my reply, as the info supplied was slight) that the deleted files passed through the recycle bin, since the expert says he can tell when they were deleted.

FTK does reconstruct some things, but that's just semantics, and without an expert to explain such things FTK is, like all tools, pretty useless.

'Evidence' takes many forms and sometimes the evidence is found in the form of an anomaly; in such cases it becomes the responsibility of the expert to explain such anomalies.

The weight of evidence in a case like this may be light, but the facts may be incontrovertible if given a fair hearing.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

jaclaz,
I have to assume (I have made a lot of assumptions in my reply, as the info supplied was slight) that the deleted files passed through the recycle bin, since the expert says he can tell when they were deleted.

Yep.
That's what I was trying to point out.

With the given info the answer is "a suffusion of yellow".

FTK does reconstruct some things, but that's just semantics, and without an expert to explain such things FTK is, like all tools, pretty useless.

Exactly.
The fact that the "expert" presumably said that "FTK can reconstruct the entire history of a deleted file" makes me think exactly the opposite of what you assumed: that he may NOT be such an expert (or that the OP misunderstood the claim).

'Evidence' takes many forms and sometimes the evidence is found in the form of an anomaly; in such cases it becomes the responsibility of the expert to explain such anomalies.

The weight of evidence in a case like this may be light, but the facts may be incontrovertible if given a fair hearing.

Sure :D, and again, something that may be accepted as evidence enough to judge someone guilty of deleting an illegal file (say some warez downloaded illegally), together with a number of further clues of the same behaviour, may not be accepted in a criminal court to confirm (or to debunk) the alibi of a suspected murderer.

I find that "snippets" out of context often lead to wrong answers (and often to wrong questions ;) ).

jaclaz


(@tex656565)
Active Member
Joined: 15 years ago
Posts: 13
Topic starter  

Ok, so to know when a file has been deleted I look at the INFO2 folder. When I delete a file and then empty the trash can, I can get the date of cancellation using this INFO2 technique. Have I understood you correctly?


neddy
(@neddy)
Estimable Member
Joined: 21 years ago
Posts: 182
 

I think that the following is true; however, I have not verified this post and am only working from my recollection of some training I had a few years ago! So please take this info as 'needing verification'.

I believe the INFO2 file keeps a record of what files are in the recycle bin, where they came from and when they were added to the recycle bin. This information is used to restore the files to their original location if the user wishes to do so.
If the recycle bin is emptied, I believe the INFO2 file is deleted (its sectors are unallocated) and therefore will remain intact if not overwritten. This INFO2 file can then be recovered by an expert and a record of recycle bin activity can be identified.
If new files are added to the recycle bin, a brand new INFO2 file is created and the cycle continues.
I am not 100% sure what happens to an INFO2 record for a file if selected deletions are performed on the recycle bin, but I am sure other members will be able to answer that question.

May I ask why you have asked these questions?
Is it study related or a more serious matter?
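The INFO2 bookkeeping neddy describes (original path, drive and deletion time per record), as an added example that is not code from the thread or from FTK: a parser run over a constructed Win9x INFO2 image. The 280-byte record layout and the treatment of a NUL first byte as an individually emptied or restored entry are assumptions here, to be verified against a real image.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed Win95/98/ME INFO2 layout (verify on a real image): a 20-byte header
# (version, two unknown DWORDs, record length, total size) then fixed records:
#   0x000  original full path, ASCII, NUL-terminated, 260 bytes
#   0x104  record index (DWORD)      0x108  drive number (DWORD; 0 = A:, 2 = C:)
#   0x10C  deletion time, FILETIME (100 ns ticks since 1601-01-01 UTC)
#   0x114  physical size of the file (DWORD)
HEADER_LEN = 20
RECORD_LEN = 280
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_info2(data):
    """One dict per record. A NUL first path byte is reported as 'emptied'
    (assumption: how Windows marks an entry restored or removed individually);
    its drive letter is rebuilt from the drive-number field."""
    rec_len = struct.unpack_from("<I", data, 12)[0]
    if rec_len != RECORD_LEN:
        raise ValueError("record length %d is not the Win9x 280-byte layout" % rec_len)
    records = []
    for off in range(HEADER_LEN, len(data) - rec_len + 1, rec_len):
        rec = data[off:off + rec_len]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        emptied = rec[0] == 0
        rest = rec[1:260].split(b"\0", 1)[0].decode("ascii", "replace")
        first = chr(ord("A") + drive) if emptied else chr(rec[0])
        records.append({"index": index, "path": first + rest, "size": size,
                        "deleted_at": filetime_to_datetime(ft), "emptied": emptied})
    return records


def build_record(path, index, drive, deleted_at, size, emptied=False):
    """Construct a sample record (test data only, not from a real system)."""
    raw = path.encode("ascii").ljust(260, b"\0")
    if emptied:
        raw = b"\0" + raw[1:]
    ft = ((deleted_at - EPOCH_1601) // timedelta(microseconds=1)) * 10
    return raw + struct.pack("<IIQI", index, drive, ft, size)


# Constructed image: the record shows the path at deletion time (C:\Kazaa),
# not the shared folder the file was moved from, plus one emptied record.
SAMPLE_INFO2 = (
    struct.pack("<IIIII", 4, 0, 0, RECORD_LEN, 0)
    + build_record(r"C:\Kazaa\song.mp3", 1, 2,
                   datetime(2004, 5, 17, 14, 3, 22, tzinfo=timezone.utc), 4096)
    + build_record(r"C:\Downloads\old.zip", 2, 2,
                   datetime(2004, 5, 17, 14, 5, 0, tzinfo=timezone.utc), 8192, emptied=True)
)
```

Recovering a deleted INFO2 from unallocated space and feeding it to parse_info2 gives the deletion timestamps and the folder each file was in when deleted; the earlier move from the shared folder has to come from the other artifacts (LNK, MRU, directory entries) named in the thread.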

