Deleted File Search questions
  • Deleted File Search questions

    Hi,

    I'm a newbie on the use of OSForensics and would like to understand the logic behind some things.
    I have a case which I need to search for some keywords, on allocated, unallocated space and deleted files.

- First, as I need to search for deleted files in all 14 drives, with a total of 50 partitions, is there any option to search for deleted files in multiple partitions or all of them at the same time?

    - The basic search, with the default options, searches only actual existing MFT entries?

    - How can I make a full unallocated deleted file search, so entire unallocated space is scanned for deleted MFT entries?

- You have an option for “File Carving”, but does that search all disk space or only unallocated space? And will it carve only for file types (based on signatures or headers) or will it do anything else?

    - Also, when creating an index for searching keywords, is it possible to select all partitions for searching instead of one by one?

    Thanks

  • #2
First, as I need to search for deleted files in all 14 drives, with a total of 50 partitions, is there any option to search for deleted files in multiple partitions or all of them at the same time?
Not at this time. The deleted file search can only operate on a single disk/partition selection.

    The basic search, with the default options, searches only actual existing MFT entries?
The basic search (in the deleted files module) will check the File Allocation Tables (MFT in NTFS and FAT in FAT file systems) for deleted entries and Recycling Bin items on NTFS. When a file is deleted from a volume, typically the contents are not removed and just the File Table entry for the file is marked as deleted. More information can be found in the user guide/help file under "Features->Deleted Files Search->Deleted File Technical Details".

You have an option for “File Carving”, but does that search all disk space or only unallocated space? And will it carve only for file types (based on signatures or headers) or will it do anything else?
When File Carving is enabled, the default is to carve only unallocated space. Under File Carving options, you can change this to scan the whole drive; however, this will also return files that still exist along with files in the unallocated space. File Carving works by matching a known header (e.g. FFD8FF for a .jpg file). OSForensics will then try to carve the rest of the file either by looking for a known footer (e.g. FFD9 for a .jpg file) or, for some known file formats, by carving the contents from the file specification.

When creating an index for searching keywords, is it possible to select all partitions for searching instead of one by one?
    Yes, when you create an index, you can add which drives or folders to include in the index. Then when you perform a keyword search on the index, it will return results from the locations included in the index.

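The header/footer carving described in the reply above, as an added example (not OSForensics code) using the FFD8FF / FFD9 JPEG signature pair it cites; the "unallocated space" is a constructed byte buffer, and a header with no footer in range is reported as truncated, which is the overwritten-or-fragmented case:

```python
# Added example: minimal header/footer carver for JPEG over a constructed buffer.
from typing import List, Tuple

JPEG_HEADER = bytes.fromhex("FFD8FF")   # start-of-image marker
JPEG_FOOTER = bytes.fromhex("FFD9")     # end-of-image marker
MAX_FILE_SIZE = 10 * 1024 * 1024        # stop looking for a footer past this window


def carve_jpegs(data: bytes, max_size: int = MAX_FILE_SIZE) -> List[Tuple[int, bytes, bool]]:
    """Return (offset, carved_bytes, complete) for every JPEG header in data.

    complete=False means no footer was found within max_size: the header is
    still reported, but the bytes after it are only a best-effort slice, as
    happens when the tail of a deleted file has been overwritten.
    """
    results: List[Tuple[int, bytes, bool]] = []
    pos = 0
    while True:
        start = data.find(JPEG_HEADER, pos)
        if start == -1:
            break
        window_end = min(len(data), start + max_size)
        end = data.find(JPEG_FOOTER, start + len(JPEG_HEADER), window_end)
        if end == -1:
            results.append((start, data[start:window_end], False))
            pos = start + len(JPEG_HEADER)   # keep scanning after this header
        else:
            end += len(JPEG_FOOTER)
            results.append((start, data[start:end], True))
            pos = end
    return results


# Constructed sample: two JPEG fragments amid filler; the second has no footer.
SAMPLE_UNALLOCATED = (
    b"\x00" * 16
    + JPEG_HEADER + b"\xe0\x00\x10JFIF" + b"A" * 20 + JPEG_FOOTER
    + b"\xff" * 8
    + JPEG_HEADER + b"\xe1\x00\x10Exif" + b"B" * 12     # overwritten tail, no FFD9
)

if __name__ == "__main__":
    for off, blob, ok in carve_jpegs(SAMPLE_UNALLOCATED):
        print(f"offset {off}: {len(blob)} bytes, {'complete' if ok else 'truncated'}")
```

As the replies note, carving recovers content only; the file name lives in the MFT entry, not in the carved bytes.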


    • #3
      Just to add to this. For creating and searching indexes across multiple drives (or multiple disk images) there are two options.

      1) You make one huge index with the contents of all the disks in one index.
      2) You make a number of smaller indexes and then search them together in a single search. Given the number of disks, this might be a better option.

      Option 1:
      Indexing multiple disks. In the example below Drives C:\ and D:\ are going to be indexed. For C:\ we are also going to index the unallocated clusters.

[Screenshot: Index multiple drives]

      Option 2:
      Searching multiple index files.
      In the example below we are searching two different index files in a single search.

[Screenshot: Searching multiple index files]



      • #4
        Hi,

Thanks for the insights; I'm getting a clear view of the logic. There are still some questions in my mind.

        - How can I make a full unallocated deleted file search, so entire unallocated space is scanned for deleted MFT entries?

        - When I got the results of "Deleted File Search", how can I include those in the Index so they will be searched for the keywords as well?

        Thanks



        • #5
          One other question.
          When you have in the Create Index options, "Stemming", and you have the Portuguese language, is it Portuguese from Portugal or Portuguese from Brazil?

          Thanks



          • #6
            Some other questions that are coming to my mind while I'm preparing the case and reading the manual.

- On Advanced Search Options, using the option "Enable accent/diacritic insensitivity" means if I search for "noticia", it will also find "notícia", right?

- And does it also support the char Ç? Meaning if I search for "Funcao", it will also find "Função" and "Funçao", right?

- Also, are there options for searching expressions? For example, I want to find "teste de camara", but it can also be "teste camara". Do I need to insert both in my keyword list, or is there any option to report the 2 words even if they have something in between?

            Thanks



            • #7
              How can I make a full unallocated deleted file search, so entire unallocated space is scanned for deleted MFT entries?
              Question doesn't make sense.
The MFT table is a specific file in the file system (c:\$MFT).
So if you only want to look for (deleted) entries in the MFT then you don't need to consider unallocated space at all. You can just use the deleted file search module to see the list of file names in the MFT.

              So really there are three options, which one to use depends on what you are looking for and how much time you have.

              1) Scan MFT for deleted file names (this is fast).
              1a) Optionally you can export the list of files to a Temp folder as a text file and then add this temp folder to the indexing process if you want a list of file names indexed.
              1b) Optionally you can attempt to recover the deleted files (the contents of the files) to a Temp folder and then add this temp folder to the indexing process if you want a list of file names indexed. But many files will likely be corrupt, overwritten or wiped.

              2) Run file carving based on header signatures to find files that are no longer in MFT (this is slow). Optionally you can then attempt to recover the files. But in many cases the contents will have been overwritten or fragmented. With carving you don't get the file name, just the content.
              2a) Optionally you can attempt to recover the deleted files to a Temp folder and then add this temp folder to the indexing process.

3) Do string extractions / word matching on the unallocated space. This can be done in several ways:
              3a) String extraction can be done during the indexing process, by indexing unallocated space.
              3b) String matching can be done from the raw disk viewer. (Grep style)
              3c) String extraction can be done from the Internal file viewer on any file. (e.g. the hibernation file, or on a carved block off disk space)
              String extraction is great at finding plain text (e.g. in HTML, text files, scripts, XML & memory dumps). It is useless for searching in compressed or encrypted data. (Note that all Office documents are now compressed files).


              is it Portuguese from Portugal or Portuguese from Brazil
              Don't know. I suspect Portugal. Is there really much difference in singular and plural forms between Portugal & Brazil?




              • #8
Thanks for the replies, which are important to understand the logic and build my strategy.

Originally posted by David (PassMark):

                Don't know. I suspect Portugal. Is there really much difference in singular and plural forms between Portugal & Brazil?
                There are some differences, and of course I don't want to miss anything for the client.

I think I just need to understand these topics.

- On Advanced Search Options, using the option "Enable accent/diacritic insensitivity" means if I search for "noticia", it will also find "notícia", right?

- And does it also support the char Ç? Meaning if I search for "Funcao", it will also find "Função" and "Funçao", right?

- Also, are there options for searching expressions? For example, I want to find "teste de camara", but it can also be "teste camara". Do I need to insert both in my keyword list, or is there any option to report the 2 words even if they have something in between?

                Thanks



                • #9
On Advanced Search Options, using the option "Enable accent/diacritic insensitivity" means if I search for "noticia", it will also find "notícia", right?
                  Yes. From the help file:

This will map all occurrences of accented characters to their non-accented equivalent (e.g. ó, ò, ô, etc. will all be treated as “o”). With this enabled, a user can enter the search word “cliché” and it will find all occurrences of the word on your website spelled as either “cliché” or “cliche”.

Are there options for searching expressions? For example, I want to find "teste de camara", but it can also be "teste camara". Do I need to insert both in my keyword list, or is there any option to report the 2 words even if they have something in between?
The search works on keywords: if you search for "teste camara", it will bring up results in documents that have both words (if All search words is selected in the Search Advanced options) in the document regardless of order. If you need to search for exact phrases, you can surround the words with quotations.

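The accent folding and the "all search words" versus quoted-phrase behaviour explained in the reply above, as an added example (not OSForensics code) run over a few constructed Portuguese sample lines; it folds ç to c the same way as the other accents, which is the Ç case asked about earlier in the thread:

```python
# Added example: diacritic-insensitive keyword search with phrase vs all-words modes.
import re
import unicodedata
from typing import List


def fold_accents(text: str) -> str:
    """Map accented characters to their base letter (ó/ò/ô -> o, ç -> c, ã -> a)."""
    decomposed = unicodedata.normalize("NFKD", text)   # split base letter + combining mark
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def tokenize(text: str) -> List[str]:
    """Lower-case, accent-folded word tokens."""
    return re.findall(r"\w+", fold_accents(text).casefold())


def matches(document: str, query: str) -> bool:
    """A query in double quotes is an exact phrase (words adjacent and in order);
    otherwise every query word must appear, in any order ('All search words')."""
    doc_tokens = tokenize(document)
    q = query.strip()
    if len(q) >= 2 and q[0] == q[-1] == '"':
        phrase = tokenize(q[1:-1])
        if not phrase:
            return False
        n = len(phrase)
        return any(doc_tokens[i:i + n] == phrase for i in range(len(doc_tokens) - n + 1))
    return set(tokenize(q)) <= set(doc_tokens)


SAMPLE_LINES = [  # constructed sample documents, one per line
    "A notícia sobre a Função foi publicada ontem.",
    "Teste de câmara realizado com sucesso.",
    "Câmara: teste concluído.",
    "Funçao sem cedilha correta mas com acento.",
]


def search(query: str, lines: List[str] = SAMPLE_LINES) -> List[int]:
    """Return the indexes of the sample lines that match the query."""
    return [i for i, line in enumerate(lines) if matches(line, query)]


if __name__ == "__main__":
    for q in ["noticia", "Funcao", "teste camara", '"teste de camara"', '"teste camara"']:
        print(f"{q!r}: lines {search(q)}")
```

Note the last two queries: the unquoted form finds both "Teste de câmara" and "Câmara: teste", while the quoted "teste camara" finds neither, because the phrase must be adjacent and in order.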


                  • #10
                    Thanks for the clarifications.

                    I've done the indexing on all my 14 drives.
                    Now I started with the searches based on my keyword list file.
                    I did just one indexed drive for testing.

                    So now I got my History populated with all the results for each keyword searched.
                    I can then export or display the search results for each keyword.

                    But my ultimate goal is to export a list of all keyword occurrences and in what file they occur.
                    Something like:
                    Hard drive 1 | Keyword1 | File1 | File Location | File info (like creation, modification, etc)
                    Hard drive 1 | Keyword1 | File2 | File Location | File info (like creation, modification, etc)
                    Hard drive 1 | Keyword1 | File3 | File Location | File info (like creation, modification, etc)
                    Hard drive 1 | Keyword2 | File4 | File Location | File info (like creation, modification, etc)
                    Hard drive 1 | Keyword2 | File4 | File Location | File info (like creation, modification, etc)

                    Can I extract something like this directly from OSForensics?

                    Basically the ultimate goal is to provide all information and files to the lawyers so they can analyze each file after.

                    Thanks

