Deleted file search question

  • Deleted file search question

    Hello all,
    This may be an obvious question, but how do I perform a search of deleted files on a mounted image? The drop-down lists real physical drives and partitions, but not the virtual one mounted by OSFMount. (I'm using WinXP SP3 if it's any help.)

    The developers may also be interested in an interesting 'feature' that occurs when using OSForensics with McAfee. I was halfway through indexing an imaged disk when McAfee decided that the zoom_zip.out file being generated was malware and should be deleted. OSF got slightly upset that access to the zoom_zip.out file in my case directory was denied and cancelled the indexing operation with an error message (good error handling BTW; I was pleased to see that it didn't crash when it couldn't write the file).
    Last edited by mcg78; Jul-19-2011, 04:05 PM. Reason: Correct punctuation

  • #2
    The zoom_zip.out file is a temp file that is used to hold the content of uncompressed Zip files.

    So if your hard disk contains a Zip file which contains a file which contains malware, then it might be normal that your AV triggers as the file is unzipped. You could probably look in the indexer log to work out which file in the Zip was causing the problem.

    But as the files found in Zip files are never executed (we just do a text extraction), it is safe to turn off the AV for the duration of the indexing, unless you are actually looking for malware on the target drive.


    • #3
      Drives mounted with OSFMount should be in the list of drives for undelete. I assume you have the latest beta.

      We do most of our testing on Win7 now. But we'll test this on XP today.



      • #4
        I tested searching mounted drives for deleted files on XP and confirmed it does work as intended. Two things to check for:

        a) If you mounted the drive while OSF was open and on the deleted files tab you will need to browse to another tab and then back again to refresh the drives list.
        b) The mounted drive needs to be formatted with a supported file system (FAT32 / NTFS) otherwise it won't appear in the list.



        • #5
          Thanks for the response. It must be something specific to my Windows installation. It's not working with the 4GB FAT32 or 46GB NTFS images that I'm testing it with. However, I've found that it will recognise the same images when mounted using IMDisk. I'll use that as a workaround for the moment and see if I can reinstall at some point.



          • #6
            OK. If you should want to investigate further, can you let us know the exact version of OSFMount and OSF?