$I metadata file missing from Recycle Bin

 
  

Samuel1
Senior Member
 

$I metadata file missing from Recycle Bin

Post Posted: Jun 25, 18 23:11

Do any of y'all know what it means when the $I metadata file is missing from the Recycle Bin? The data itself is still there, but not the metadata $I file.

Thanks everyone!  
 
  

mansiu
Senior Member
 

Re: $I metadata file missing from Recycle Bin

Post Posted: Jun 26, 18 05:48

What is the status of the $R file? Is it allocated or deleted?
 
  

mcman
Senior Member
 

Re: $I metadata file missing from Recycle Bin

Post Posted: Jun 26, 18 13:26

What tool(s) are you using to show this? I recall seeing it where the data was recovered by some tools but they would only display one of the files in the recycle bin. Can't remember which tool I saw it in but sounds familiar.

Check with another tool to see if it shows the same thing?

Jamie  
 
  

hommy0
Senior Member
 

Re: $I metadata file missing from Recycle Bin

Post Posted: Jun 26, 18 15:05

I have seen this most often when the recycle bin has been emptied. So that both the original file in the bin ($R) and the information file ($I) have been marked as deleted and in normal usage of the file system the MFT record has become overwritten for the $I and hence the forensic tool cannot identify the $I and hence the tool cannot give back the original name for the $R.

I know EnCase will give back the original name if both $I and $R file are present in the recycle bin.

If the $I file is missing (using the example as above with the $I MFT record being overwritten) I would use the $USNJRNL to try to identify the original name of the $R.
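The change-journal approach suggested in the last reply, as an added example that is not code from any poster in this thread: it walks USN_RECORD_V2 entries and pairs each rename-old-name record with the rename-new-name record for the same file reference, so a `$R` name maps back to the name it had before deletion. It assumes the `$J` stream has already been exported to bytes and holds version 2 records; the helper `_rec`, the file names and the file references in `SAMPLE` are constructed for illustration.

```python
import struct

# USN_RECORD_V2 fixed header: 60 bytes, little-endian; the file name follows as UTF-16LE.
HDR = struct.Struct("<IHHQQqqIIIIHH")
RENAME_OLD_NAME = 0x00001000  # USN_REASON_RENAME_OLD_NAME: record carries the previous name
RENAME_NEW_NAME = 0x00002000  # USN_REASON_RENAME_NEW_NAME: record carries the new name

def parse_usn_v2(buf):
    """Yield (file_reference, reason, name) for each version 2 record in buf."""
    pos = 0
    while pos + HDR.size <= len(buf):
        (length, major, _minor, fref, _parent, _usn, _ts, reason,
         _src, _sid, _attrs, name_len, name_off) = HDR.unpack_from(buf, pos)
        if length < HDR.size or pos + length > len(buf):
            pos += 8  # zero-filled (sparse) or implausible slot: resync on 8-byte boundary
            continue
        if major == 2 and name_off + name_len <= length:
            raw = buf[pos + name_off: pos + name_off + name_len]
            yield fref, reason, raw.decode("utf-16-le", "replace")
        pos += (length + 7) & ~7  # records are 8-byte aligned

def original_names(buf):
    """Map each $R name to the name the same file reference held before the rename."""
    pending, found = {}, {}
    for fref, reason, name in parse_usn_v2(buf):
        if reason & RENAME_OLD_NAME:
            pending[fref] = name
        elif reason & RENAME_NEW_NAME and name.upper().startswith("$R") and fref in pending:
            found[name] = pending.pop(fref)
    return found

def _rec(fref, reason, name):
    """Build one constructed USN_RECORD_V2 (sample data only)."""
    raw = name.encode("utf-16-le")
    length = (HDR.size + len(raw) + 7) & ~7
    hdr = HDR.pack(length, 2, 0, fref, 0, 0, 0, reason, 0, 0, 0x20, len(raw), HDR.size)
    return (hdr + raw).ljust(length, b"\0")

# Constructed sample: leading sparse bytes, one recycle-bin rename, one ordinary rename.
SAMPLE = (b"\0" * 16
          + _rec(0x0002000000001234, RENAME_OLD_NAME, "budget.xlsx")
          + _rec(0x0002000000001234, RENAME_NEW_NAME, "$RA1B2C3.xlsx")
          + _rec(0x0002000000001234, RENAME_NEW_NAME | 0x80000000, "$RA1B2C3.xlsx")
          + _rec(0x0001000000000777, RENAME_OLD_NAME, "a.txt")
          + _rec(0x0001000000000777, RENAME_NEW_NAME, "b.txt"))

if __name__ == "__main__":
    print(original_names(SAMPLE))
```

The match is on the full 64-bit file reference (MFT entry plus sequence number), which stays the same across the rename into the Recycle Bin.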
 
