SMPC
What happens to a file after it is moved?
I have a customer who MOVED her primary QuickBooks data file (x.QBW) from her HDD to a Flash Drive. She thought she had just copied it, but instead she moved it. Then she took her flash drive home and attempted to transfer the .QBW over the Internet. She did not know what she was doing and that did not work for her. She then accidentally deleted the .QBW file from her flash drive, thinking that the original was still on her HDD. But Nooooo!
I am using EnCASE in an effort to recover the .QBW file. While I am not yet certified, I have passed the written EnCE certification and I am now waiting for the practical to arrive via UPS. My questions are:
1. What does Windows do when it moves a file? Does it change the file marker to hex e5, just like a deleted file? Or, does it simply remove the allocation marker altogether and make the area available for overwrite? Or, what?
2. What would be the best way to attack this with EnCASE? I have her HDD and her flash drive in my lab so access is not a problem.
3. I THINK the old .QBW file will be found in the Unallocated Clusters on the HDD, but I am not sure. Is it better to attack the HDD first, or the flash drive?
Thank you very much.
ASKER CERTIFIED SOLUTION
A move is 2 processes. A Copy, followed by a Delete.
ASKER
Very good DanCh99! Thank you for the insight.
ASKER
Got tired of messing about with EnCase and used Recuva to get the file in about 5 minutes. Now that I know how it works it does not seem like magic anymore, but, it is one hell of a time saver! Especially since it is Freeware. Still, anyone who uses it like I do should give a donation so I gave another one tonight. Worth it to me and WELL worth it to the customer.