EnCase v7, FAT32, file 'Is Deleted' still in Allocated space

6 Posts
4 Users
0 Likes
1,137 Views
(@enforcer)
Posts: 2
New Member
Topic starter
 

From my understanding when a file is deleted from a FAT32 file system, the allocation blocks where the file was located will be set to unallocated.

When previewing a drive in EnCase v7, why do some objects have an 'Is Deleted' value of True although the file is still located in allocated blocks? i.e., EnCase displays deleted objects in allocated blocks, but how does EnCase know the object has been deleted?

EnCase does not display objects in unallocated space and file carving is required to recover these objects.

Is this because the files are deleted to the Recycle Bin or other temporary space before the allocation blocks are marked as unallocated by the operating system?

 
Posted : 27/12/2016 6:59 am
(@enforcer)
Posts: 2
New Member
Topic starter
 

https://whereismydata.wordpress.com/2009/08/17/forensics-when-was-a-file-deleted-part-2/

The above-mentioned link has the answer.

 
Posted : 04/01/2017 4:11 am
JimC
(@jimc)
Posts: 86
Estimable Member
 

You can determine the deletion date for a NTFS filesystem from the USN Change Journal. There is no need to guess it based upon other circumstantial information.

Jim
www.binarymarkup.com

 
Posted : 01/02/2017 3:20 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

You can determine the deletion date for a NTFS filesystem from the USN Change Journal. There is no need to guess it based upon other circumstantial information.

Jim
www.binarymarkup.com

Unfortunately this is a FAT32 filesystem, as shown in the title and text of the post, and therefore that doesn't apply.

 
Posted : 01/02/2017 4:38 pm
JimC
(@jimc)
Posts: 86
Estimable Member
 

Good point! Sorry I lost that in the thread.

Jim
www.binarymarkup.com

 
Posted : 01/02/2017 6:25 pm
(@mansiu)
Posts: 83
Trusted Member
 

From my understanding when a file is deleted from a FAT32 file system, the allocation blocks where the file was located will be set to unallocated.

When previewing a drive in EnCase v7, why do some objects have an 'Is Deleted' value of True although the file is still located in allocated blocks? i.e., EnCase displays deleted objects in allocated blocks, but how does EnCase know the object has been deleted?

EnCase does not display objects in unallocated space and file carving is required to recover these objects.

Is this because the files are deleted to the Recycle Bin or other temporary space before the allocation blocks are marked as unallocated by the operating system?

When a file is deleted in FATx, the file pointer is marked as deleted by changing the first byte to 0xE5, and the corresponding cluster will be reset to 00 in the FAT table; in this sense, the deleted file's data is in an unallocated cluster.

However, when a new file is created, if it occupies the cluster which was originally used by the previously deleted file, then the clusters are now occupied by the new file. The previously deleted file will look like it is deleted but sitting in allocated space, which is often called being overwritten by the new file.

Simply check this in the Description column in EnCase.

 
Posted : 03/02/2017 12:07 pm
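As an added illustration of the two states described in the reply above (example code, not from the thread or from EnCase), this small Python check reads constructed FAT32 short-name directory entries, flags the 0xE5 deletion marker, and then looks up each entry's first cluster in a constructed FAT to tell "deleted, cluster still free" from "deleted, cluster reused by another file". The entry layout, names, cluster numbers and sizes are all constructed sample values.

```python
import struct

def make_entry(name, first_cluster, size, deleted=False):
    """Build a 32-byte FAT short-name directory entry (constructed sample)."""
    raw = bytearray(32)
    raw[0:11] = name.ljust(11).encode("ascii")
    if deleted:
        raw[0] = 0xE5          # deletion marker written by the OS
    raw[11] = 0x20             # ATTR_ARCHIVE, a plain file
    struct.pack_into("<H", raw, 20, first_cluster >> 16)    # cluster high word
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF) # cluster low word
    struct.pack_into("<I", raw, 28, size)
    return bytes(raw)

def parse_entries(directory):
    """Yield (name, first_cluster, size, is_deleted) for each used entry."""
    for off in range(0, len(directory), 32):
        raw = directory[off:off + 32]
        if raw[0] == 0x00:     # 0x00 marks the end of the directory
            break
        deleted = raw[0] == 0xE5
        name = raw[:11].decode("ascii", "replace").rstrip()
        if deleted:
            name = "?" + name[1:]  # first character is lost to the 0xE5 marker
        hi, = struct.unpack_from("<H", raw, 20)
        lo, = struct.unpack_from("<H", raw, 26)
        size, = struct.unpack_from("<I", raw, 28)
        yield name, (hi << 16) | lo, size, deleted

def classify(directory, fat):
    """Map entry name -> state; fat[n] == 0 means cluster n is unallocated."""
    out = {}
    for name, cluster, size, deleted in parse_entries(directory):
        if not deleted:
            out[name] = "allocated"
        elif (fat[cluster] & 0x0FFFFFFF) == 0:   # FAT32 entries use 28 bits
            out[name] = "deleted, data in unallocated cluster"
        else:   # entry says deleted, FAT says the cluster is in use again
            out[name] = "deleted, first cluster reused (overwritten)"
    return out

def sample_image():
    """Constructed volume: live NEW.TXT on cluster 3, deleted OLD.TXT whose
    cluster 3 was reused by NEW.TXT, deleted GONE.TXT on free cluster 5."""
    fat = [0x0FFFFFF8, 0x0FFFFFFF, 0x0FFFFFFF, 0x0FFFFFFF, 0, 0, 0, 0]
    directory = (make_entry("NEW     TXT", 3, 1000)
                 + make_entry("OLD     TXT", 3, 800, deleted=True)
                 + make_entry("GONE    TXT", 5, 640, deleted=True)
                 + bytes(32))        # zero entry terminates the directory
    return directory, fat
```

Running `classify(*sample_image())` reports OLD.TXT as deleted but sitting in an allocated cluster, which is the "deleted yet allocated" case the thread asks about, while GONE.TXT is the ordinary deleted file in unallocated space.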