EnCase v7, FAT32, file 'Is Deleted' still in Allocated space


Post Posted: Tue Dec 27, 2016 1:59 am

From my understanding when a file is deleted from a FAT32 file system, the allocation blocks where the file was located will be set to unallocated.

When previewing a drive in EnCase v7, why are some objects 'Is Deleted' value True although the file is still located in allocated blocks? i.e. EnCase displays deleted objects in allocated blocks, but how does EnCase know the object has been deleted?

EnCase does not display objects in unallocated space and file carving is required to recover these objects.

Is this because the files are deleted to the Recycle Bin or other temporary space before the allocation blocks are marked as unallocated by the operating system?  

enforcer
Newbie
 
 
  

Re: EnCase v7, FAT32, file 'Is Deleted' still in Allocated s

Post Posted: Tue Jan 03, 2017 11:11 pm

whereismydata.wordpres...ed-part-2/

Above mentioned link has the answer.  

enforcer
Newbie
 
 
  

Re: EnCase v7, FAT32, file 'Is Deleted' still in Allocated s

Post Posted: Wed Feb 01, 2017 10:20 am

You can determine the deletion date for an NTFS filesystem from the USN Change Journal. There is no need to guess it based upon other circumstantial information.

Jim
www.binarymarkup.com  

JimC
Member
 
 
  

Re: EnCase v7, FAT32, file 'Is Deleted' still in Allocated s

Post Posted: Wed Feb 01, 2017 11:38 am

- JimC
You can determine the deletion date for an NTFS filesystem from the USN Change Journal. There is no need to guess it based upon other circumstantial information.

Jim
www.binarymarkup.com


Unfortunately this is a FAT32 filesystem, as shown in the title and text of the post, and therefore that doesn't apply.

minime2k9
Senior Member
 
 
  

Re: EnCase v7, FAT32, file 'Is Deleted' still in Allocated s

Post Posted: Wed Feb 01, 2017 1:25 pm

Good point! Sorry I lost that in the thread.

Jim
www.binarymarkup.com  

JimC
Member
 
 
  

Re: EnCase v7, FAT32, file 'Is Deleted' still in Allocated space

Post Posted: Fri Feb 03, 2017 7:07 am

- enforcer
From my understanding when a file is deleted from a FAT32 file system, the allocation blocks where the file was located will be set to unallocated.

When previewing a drive in EnCase v7, why are some objects 'Is Deleted' value True although the file is still located in allocated blocks? i.e. EnCase displays deleted objects in allocated blocks, but how does EnCase know the object has been deleted?

EnCase does not display objects in unallocated space and file carving is required to recover these objects.

Is this because the files are deleted to the Recycle Bin or other temporary space before the allocation blocks are marked as unallocated by the operating system?


When a file is deleted in FATx, the file pointer is marked as deleted by changing the first byte to 0xE5, and the corresponding cluster will be reset to 00 in the FAT table. In this sense, the deleted file's data is in the unallocated cluster.

However, when a new file is created, if it occupies the cluster which was originally used by a previously deleted file, then the clusters are now occupied by the new file. The previously deleted file will look like it is deleted but sitting in allocated space, which is often called overwritten by the new file.

Simply check this in the Description column in EnCase.

mansiu
Senior Member
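
The check described in the answer above, as an added example that is not part of the thread and does not reproduce EnCase's own logic: it walks FAT32 short directory entries, picks out those whose first byte is 0xE5, and looks up each one's starting cluster in the FAT to see whether it is free or has since been allocated again. The directory and FAT bytes are constructed sample data, the function names are hypothetical, and only the starting cluster is tested.

```python
import struct

DELETED, END, LFN_ATTR, FREE = 0xE5, 0x00, 0x0F, 0
EOC = 0x0FFFFFFF                                     # end-of-chain marker

def make_entry(name83: bytes, start: int, size: int, deleted=False) -> bytes:
    """Build a 32-byte FAT32 short directory entry (constructed test data)."""
    raw = bytearray(32)
    raw[0:11] = name83                               # 8.3 name, space padded
    raw[11] = 0x20                                   # archive attribute
    struct.pack_into("<H", raw, 20, start >> 16)     # first cluster, high word
    struct.pack_into("<HI", raw, 26, start & 0xFFFF, size)  # low word + size
    if deleted:
        raw[0] = DELETED                             # deletion marker
    return bytes(raw)

def classify_deleted(directory: bytes, fat: bytes):
    """Return (name, start_cluster, state) for each deleted short entry."""
    results = []
    for off in range(0, len(directory) - 31, 32):
        e = directory[off:off + 32]
        if e[0] == END:                              # no entries after this one
            break
        if e[0] != DELETED or e[11] == LFN_ATTR:     # live entry or long-name part
            continue
        hi, = struct.unpack_from("<H", e, 20)
        lo, = struct.unpack_from("<H", e, 26)
        start = (hi << 16) | lo
        if start < 2 or start * 4 + 4 > len(fat):    # no usable FAT entry
            state = "out of range"
        else:
            value = struct.unpack_from("<I", fat, start * 4)[0] & 0x0FFFFFFF
            state = "free" if value == FREE else "allocated"
        # The original first character is lost; show "_" in its place.
        results.append(("_" + e[1:11].decode("ascii", "replace"), start, state))
    return results

# Constructed sample: cluster 3 was reused by NEW.TXT, cluster 5 is still free.
SAMPLE_FAT = struct.pack("<8I", 0x0FFFFFF8, EOC, EOC, EOC, 0, 0, 0, 0)
SAMPLE_DIR = (make_entry(b"OLD     DOC", 3, 100, deleted=True)
              + make_entry(b"NEW     TXT", 3, 80)
              + make_entry(b"MEMO    TXT", 5, 40, deleted=True)
              + bytes(32))                           # end-of-directory entry

if __name__ == "__main__":
    for name, start, state in classify_deleted(SAMPLE_DIR, SAMPLE_FAT):
        print(f"{name!r}: start cluster {start} is {state}")
```

An "allocated" result for a deleted entry matches the case described above, where the cluster now belongs to a newer file.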