Deleted File Search (some questions)


  • Deleted File Search (some questions)

    Hi there,

    I do have a couple of questions related to the functionality of the DFS feature for NTFS:

    • Do I have to mount the drive image NTFS partition to use DFS?
    • Does DFS only recover files marked as deleted in the MFT?
    • Does DFS recover (carve) files in unallocated sectors where the MFT entry is already overwritten?


    Why am I asking these questions? Currently I am working on a case where I know that there are deleted images on the partition, but DFS does not show them.

    best regards

  • #2
    No, the drive doesn't need to be mounted with a drive letter in order to search it.

    The default behavior is to do a quick scan of the MFT to look for deleted files.

    From the Config window (there is a "Config" button in the deleted file search window) you can pick other options. These options include:
    • A check box to do file carving. This will only carve in unallocated space, in the case of a NTFS partition. This makes it faster than doing the whole drive. If you select a physical drive without a partition, or a drive with an unknown file system, then the whole drive is scanned.
    • Verification that image files (JPG, PNG, etc..) are valid files before including them in the list of files found. This can reduce false positives.


    Needless to say scanning the whole disk for carving is much slower than just using the MFT option.
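    The two config options described above (carving restricted to a set of byte ranges, and verifying that a candidate image is structurally valid before listing it) can be illustrated with the following added example. It is not OSForensics code and the disk image it scans is constructed in the script; the 512-byte sector size and the byte ranges passed as "unallocated space" are assumptions.

```python
import struct
import zlib

# Added example, not OSForensics code: carve JPEG/PNG files from a raw image
# and, optionally, verify each candidate's structure before listing it, so
# that a bare signature in random data does not show up as a "recovered" file.
# The image below is constructed; 512-byte sectors are an assumption.

SECTOR_SIZE = 512
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def validate_jpeg(buf, start):
    """Walk JPEG marker segments from `start`; return the end offset or None."""
    if buf[start:start + 2] != b"\xff\xd8":
        return None
    pos = start + 2
    while pos + 4 <= len(buf):
        if buf[pos] != 0xFF:
            return None
        marker = buf[pos + 1]
        if marker == 0xD9:                       # EOI: complete file
            return pos + 2
        if marker == 0xDA:                       # SOS: scan data runs until EOI
            end = buf.find(b"\xff\xd9", pos + 2)
            return end + 2 if end != -1 else None
        if marker == 0xFF:                       # fill byte
            pos += 1
            continue
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # standalone markers
            pos += 2
            continue
        seg_len = struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        if seg_len < 2:                          # length field includes itself
            return None
        pos += 2 + seg_len
    return None


def validate_png(buf, start):
    """Check the PNG signature, then every chunk CRC up to IEND; return end or None."""
    if buf[start:start + 8] != PNG_SIG:
        return None
    pos = start + 8
    first = True
    while pos + 12 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        data_end = pos + 8 + length
        if data_end + 4 > len(buf) or (first and ctype != b"IHDR"):
            return None
        first = False
        crc = struct.unpack(">I", buf[data_end:data_end + 4])[0]
        if zlib.crc32(buf[pos + 4:data_end]) & 0xFFFFFFFF != crc:
            return None
        pos = data_end + 4
        if ctype == b"IEND":
            return pos
    return None


SIGNATURES = {b"\xff\xd8\xff": ("jpg", validate_jpeg), PNG_SIG: ("png", validate_png)}


def carve(image, unallocated=None, verify=True):
    """Return (kind, start, end, sector) for each signature found.

    `unallocated` optionally restricts the scan to (start, end) byte ranges,
    the way OSF limits carving to unallocated space on an NTFS volume; with
    no ranges the whole image is scanned. With verify=False, end is None."""
    hits = []
    for lo, hi in unallocated or [(0, len(image))]:
        for sig, (kind, validator) in SIGNATURES.items():
            pos = image.find(sig, lo, hi)
            while pos != -1:
                end = validator(image, pos) if verify else None
                if not verify or end is not None:
                    hits.append((kind, pos, end, pos // SECTOR_SIZE))
                pos = image.find(sig, pos + 1, hi)
    return sorted(hits, key=lambda h: h[1])


def _png_chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


# Constructed sample image: a valid JPEG in sector 1, a JPEG signature with a
# bogus segment length in sector 4 (false positive), and a valid PNG in sector 6.
GOOD_JPEG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16)
             + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9")
BAD_JPEG = b"\xff\xd8\xff\xe1\x00\x01" + b"\x00" * 40
GOOD_PNG = (PNG_SIG + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0))
            + _png_chunk(b"IEND", b""))
IMAGE = (b"\x00" * 512 + GOOD_JPEG).ljust(2048, b"\x00") + BAD_JPEG
IMAGE = (IMAGE.ljust(3072, b"\x00") + GOOD_PNG).ljust(4096, b"\x00")

if __name__ == "__main__":
    for hit in carve(IMAGE):
        print(hit)
```

    Run with verification on, only the two structurally valid images are reported; with `verify=False` the bare JPEG signature in sector 4 is listed as well, which is the kind of false positive the verification option is there to suppress. Passing a list of byte ranges as `unallocated` narrows the scan the same way the NTFS-only carving does.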



    • #3
      Thanks David,

      You pointed out exactly the feature I was looking for. Would it also be possible to get more information on the search results, like Context, Sector and LCN, and to have a thumbnail view of the images?

      For a better understanding of the search results in Raw Disk Viewer I need to answer some questions.

      • What does object type "Free Space" mean?
      • What does File "System Volume Information\{0c1c...}{some hex-digits, maybe UIDs}" mean? What kind of file is this?

      It would also be nice to have the possibility to print or export a list of search results.

      best regards





      • #4
        In the Raw Disk Viewer module in OSForensics you can search for a string or a regular expression across the whole drive. This is different from the Undeleted files functionality in that it looks at the entire drive, without regard to which sectors are allocated to files or not and without regard to the file system.

        When you do a search in the Raw Disk Viewer the following information is displayed per search result found.

        • Byte offset - the starting byte offset from the start of the disk (or partition)
        • Context - the context (10 characters before and after) of where the pattern is found
        • Encoding - one of Hex, ASCII, UTF8, or Unicode
        • Sector - the starting logical sector
        • Partition - the partition number on the selected drive
        • LCN - the starting logical cluster number
        • File - the file name of the file which the found pattern belongs to. Note that this information is not available for physical disks, but is available for volumes with supported file systems.
        • Object Type - any particular property of the allocated space containing the found pattern (e.g. file, directory, free space, slack space or system file). Free space means that the sector doesn't belong to any file in the file system. A system file means the string was found in one of the normally hidden NTFS system files (e.g. c:\$BOOT).

        The maximum length of matching strings is 256 characters.
        Double clicking on a result will highlight the matching bytes in the Raw Disk Viewer.

        For the part of your post concerning Deleted File Search, I agree, it would be good to display some additional detail about the carved files. Thumbs are a bit harder to do, as the functions we use to display image thumbnails expect a file (in the file system).
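        The per-result fields listed above (byte offset, context, encoding, sector, partition, LCN, and the 256-character cap on a match) map directly onto a small search routine. The following is an added example and not OSForensics code: it searches a constructed 8 KiB image for a literal string (as ASCII and as UTF-16LE), a regular expression, or a hex byte pattern, and reports each hit in the same terms. Sector size, cluster size and the single partition starting at sector 2 are assumptions built into the script; the File and Object Type columns need file-system metadata and are not reproduced here.

```python
import re

# Added example, not OSForensics code: a Raw Disk Viewer-style search over a
# raw image that reports, per hit, the byte offset, context, encoding, logical
# sector, partition and LCN. Sector size, cluster size, partition layout and
# the image itself are all constructed assumptions.

SECTOR_SIZE = 512            # bytes per logical sector
CLUSTER_SIZE = 2048          # bytes per cluster (4 sectors) on the one partition
PARTITION_START = 1024       # partition 1 begins at sector 2 of the disk
MAX_MATCH_CHARS = 256        # matches longer than this are truncated

ENCODINGS = {"ASCII": "latin-1", "Unicode": "utf-16-le"}   # UTF8 omitted: same bytes as ASCII here


def _printable(raw, codec):
    """Decode context bytes, replacing anything non-printable with '.'."""
    return "".join(c if c.isprintable() else "." for c in raw.decode(codec, errors="replace"))


def search_raw(image, pattern, mode="text", context_chars=10):
    """Search `image` (bytes) for `pattern`.

    mode="text": literal string, searched as ASCII and as UTF-16LE ("Unicode");
    mode="regex": regular expression, searched as ASCII;
    mode="hex": hex string such as "ff d8 ff".
    Returns a list of dicts, one per hit, sorted by byte offset."""
    if mode == "text":
        searches = [(name, codec, re.compile(re.escape(pattern.encode(codec))))
                    for name, codec in ENCODINGS.items()]
    elif mode == "regex":
        searches = [("ASCII", "latin-1", re.compile(pattern.encode("latin-1")))]
    elif mode == "hex":
        searches = [("Hex", "latin-1", re.compile(re.escape(bytes.fromhex(pattern))))]
    else:
        raise ValueError("mode must be text, regex or hex")

    results = []
    for name, codec, rx in searches:
        width = 2 if codec == "utf-16-le" else 1
        for m in rx.finditer(image):
            start = m.start()
            end = min(m.end(), start + MAX_MATCH_CHARS * width)
            before = image[max(0, start - context_chars * width):start]
            after = image[end:end + context_chars * width]
            rel = start - PARTITION_START       # negative: outside any partition
            results.append({
                "offset": start,
                "length": end - start,
                "context": _printable(before + image[start:end] + after, codec),
                "encoding": name,
                "sector": start // SECTOR_SIZE,
                "partition": 1 if rel >= 0 else None,
                "lcn": rel // CLUSTER_SIZE if rel >= 0 else None,
            })
    return sorted(results, key=lambda r: r["offset"])


def build_image():
    """Constructed 8 KiB disk: a string before the partition, an ASCII and a
    UTF-16LE copy of a file name inside it, and a 300-byte run of 'A'."""
    img = bytearray(8192)
    img[600:609] = b"boot code"
    img[3000:3011] = b"invoice.pdf"
    utf16 = "invoice.pdf".encode("utf-16-le")
    img[5000:5000 + len(utf16)] = utf16
    img[6000:6300] = b"A" * 300
    return bytes(img)


IMAGE = build_image()

if __name__ == "__main__":
    for hit in search_raw(IMAGE, "invoice.pdf"):
        print(hit)
```

        Searching for "invoice.pdf" returns two hits, one ASCII at byte 3000 (sector 5, LCN 0) and one UTF-16LE at byte 5000 (sector 9, LCN 1); the "boot code" string sits before the partition, so it is reported with no partition or LCN, which is the same situation as a hit on a physical disk outside any volume.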



        • #5
          I also have a question about the deleted files search window.. Here's some background:

          I'm running OSForensics version 1.1 Build 1002 on a Win 7 64-bit laptop.. I've been pleasantly surprised but I'm running into an issue that I'm losing hair over.. I examined a mini-SD card that was removed from a BB phone.. Made a new case, imaged the card and added it.. I went into the 'Deleted Files Search' and adjusted the config settings to allow file carving, verification and EXT2 carving.. As a result, 656 files showed up in the search.

          Today, I switched gears and have been doing some testing between OSForensics and a few other Linux-based packages, using a different SD card.. So I ran this different SD card through OSForensics in the same manner as above... The results were the same.. like same images, same files, etc.. I thought that I'd possibly pointed the search to the original image, or may have even had the original mini-SD card in the slot.. no dice.. I'm pretty anal about cross-contaminating. But no dice.. I even deleted the other cases in OSForensics as well as the other images I had previously obtained.. The search still pulls up images from the ORIGINAL mini-SD/image file..

          Am I missing something? I've exited and restarted the program, re-imaged the test card, etc.. With the same results.

          Any help would be great..

          Justin



          • #6
            The results of the deleted file search are not stored. So once you exit OSF the results are lost, except for what you selected to add to the case. And even if you did add them to a case, they don't reappear in the deleted file search window later on.

            The software also can't make up image data out of thin air.

            So there aren't too many possibilities to explain this.

            1) In the deleted file search window you have to pick which disk or device to search, from the drop down list. Maybe this drop down list really is pointing to the old drive image? Does this initial image still exist somewhere on the machine running OSF?

            2) Maybe in your first test you never really looked at the SD Card, but instead were looking at a different drive (e.g. your own C:\ drive) and not the SD Card at all? And on each subsequent run you are picking up the same files from your C:\ drive and not the image under investigation?

            3) Maybe some or all of the files on the different SD cards are in fact the same. And the fact that a few of the images are common led you to believe the drives are in fact identical.

            4) There is some horrible bug that we aren't aware of. Note that V1.2 of OSF is now available and it has much better EXT2/3/4 support. So in V1.2 you can directly browse the EXT file system. This shouldn't change the EXT carving behavior greatly however.

            Maybe if you can send us a screen shot of the results from the 2 different SD cards we might be able to explain it.



            • #7
              Thanks for the response.. I figured the search data was not stored unless I took an action, such as exporting the files and/or adding to the case file. I should also preface that I have a few years experience in forensics (not totally a noob.. ) which is why this was baffling me and driving me nuts..

              I deleted the image files I had made and started over (image the drive, etc.).. When the time came to conduct the deleted files search I was sure to click on the filename of the listed image.. AND I even did a search on the SD card itself..

              What baffles me is that these two cards have nothing in common with each other.. One is mine (the second/test one) and the other is the card out of a Blackberry Torch, which I am conducting the analysis on...

              As far as the files being similar, the gist of the files are JPGs which would've never been on the test card..

              Ooookkkk.... I'm going to remove everything and start over from scratch and I'll use 1.2.

              Thanks - I'll keep you updated on my results

              Justin



              • #8
                Update - Ok, erased everything, installed the newest Beta version and did the same imaging and deleted files search as before.. Same files still show up on my test card.. I conducted the same analysis with two other cards and, of course, had different results.. So it's apparent I somehow managed to contaminate my test card with the subject's BB memory card. I had the write protect active on the subject's card but screwed up and didn't have it on my test card.. This is all I can think of..

                Thanks for the assistance and for the program - I have definitely been impressed thus far.

                Justin



                • #9
                  OK glad it was sorted out.
                  If you have any problems with the beta please let us know.
