Yes, OSForensics looks in the master file table for deleted files.

Entries in the MFT can be overwritten rather quickly however, especially if the disk was a boot drive with a lot of activity going on.

By default OSF only returns entries that where it thinks there is a good chance of recovery. So the files of probably poor quality aren't listed. You can change this setting in the "Config" window and instead select all files.

There is also a second file detection method that can be used called "File carving".

Instead of finding files from the master file tables, file carving looks at the raw physical disk data for file headers and attempts to recover files in this manner. This requires reading all data on the disk and as such is much slower than the standard method. Also it can only find a limited number of file types with known headers. Currently supported file types are;
gif, png, bmp, tif, asf, wmv, wma, mov, mpg, mp4, swf, flv, ole, doc, xls, ppt, msi, mst, msp, gra, zip, docx, xlsx, pptx, htm, pdf, wav, mp3, rar, eml and rtf.

When selecting a physical drive the entire contents of that drive will be searched, which may return files that are not actually deleted if there are working partitions on that drive. When selecting a single partition only unallocated space on that partition will be searched.


There is also an option called, "Image Verification". This applies extra level of checking to carved image files (for example, .JPG & .PNG files) by trying to open the whole file with an image parser. Slows down the file carving process but provides better feedback on the file quality. If the image parser is successful in opening the image, the overall score is boosted by 25%. Similarly, if the image parser files to open the image, the overall score is decreased by 25%.

However if you are using the above two options are you are for some reason sure there are in fact other files on the disk that OSF should be picking up, then you should get back to us with the details.

Thank you David.

When OSF looks through the $MFT entries, why the values for Items Searched are not equal to the number of all entries in the $MFT. Which should be the case, if OSF parses through all $MFT entries looking for deleted Files. Right?

What do "Items found" and "Items Searched" mean (using Presets: All Files)?

1. Scenario: Using Deleted File Search without File Carving option
2. Scenario: Using DSF with File Carving Option

Thanks in advance and best regards

There are several filtering options in the deleted file search window.

There is,
- The filter string
- The quality setting (in the config window)
- Various other filters. Include folders, streams, file size limits, etc, (all in the config window)

If any filtering is applied then the Items Found count can be less than the Items Searched count.

Note that the items searched count doesn't represent the total number of items in the MFT. As we aren't counting valid files here. In other words we totally ignore files that are not deleted and are part of the NTFS file system (no need to undelete a file that isn't deleted).

thanks david for the quick response.

few more questions to clarify things. when i choose DFS for all files (no other filters applied) the values for items searched and items found should be equal, or? and in addition, the value corresponds to the total number of $MFT-file entries marked as deleted (directories (=folders) are not considered), right?

best regards

Some filters are on by default. So it is normal for the found count to be less than the searched count. If you turn off all the filter options in the config window then the found count should equal the searched count.

Folders are included in the count.

If you are using file carving then the number of files searched / found might bear no relationship to the MFT. If you aren't using file carving, then yes, the files searched should match the deleted entries in the MFT (if you are looking at a NTFS drive).

Thanks David.

Merry Christmas and a happy New Year to all of you.
And thank you very much again for all the support and help you and your team provided to me this year.

Best regards