No announcement yet.

Recovery of Deleted Files Prior To Index Creation?

  • Filter
  • Time
  • Show
Clear All
new posts

  • Recovery of Deleted Files Prior To Index Creation?

    In order for OSForensic's search index to include deleted files, is it best practice to first recover deleted files AND add then add the recovered deleted files to the database BEFORE generating the case index?

    I believe creating a search index before recovering deleted files will still result in indexing of deleted files assuming one chooses to "index files and unallocated space".

    Is my assumption correct?

  • #2
    Mostly correct.

    The indexing process normally only deals with files in the file system (not deleted files). But there is an option to also index unallocated space. If you index unallocated space, it doesn't attempt to do any carving. Instead it does a string extraction on the unallocated disk clusters. The strings found are put into the word index and associated with a disk sector (not a file) and can be searched for later on. Or you can feed the word index into the password cracking module.

    If you run undelete files and there are lots of good quality files AND they contain a good amount of text (too much to check by hand, one document at a time), then you might want to extract all these deleted files and then do a new indexing session on those files. If however you just recovered 100 JPG files then indexing them isn't going to add much value as generally there is much searchable text in a JPG file. Plus you can check 100 files by hand fairly quick.
    If you found 10,000 images and want to run OCR on then, then indexing them might make sense.

    Create index unallocated clusters