EnCase's deleted or deleted-and-overwritten files

Can anyone tell me in really layman's terms what EnCase's deleted files actually represent? Those with the red warning circle round. Where is it pulling these from, and how do they differ from files in unallocated space? Are these files from unallocated space, or something else? It's almost like they are "semi deleted" and files that are in "unallocated" are "fully deleted". Can you let me know, as it's of interest to me. How does a file come to be viewable via EnCase's "deleted icon" in the table view, and how does a file come to be totally unseen until you carve it from unallocated space?
pma111 asked:
pma111 (Author) commented:
I was perhaps thinking along the lines that files in unallocated were deleted a long time ago, yet files EnCase can still see and list in the table view as deleted or deleted/overwritten are recently deleted files? Any truth in this?
SirtenKen commented:
If you look at the record for the file within the Master File table, at offset 0x22, for a length of two bytes, there is a flag which tells you whether it is deleted.
hex 00 00 is deleted
hex 01 00 is allocated
There is also a $bitmap file which indicates to the system which clusters are in use.
When EnCase can see that a file is deleted and that the clusters are not in use, you'll see the deleted symbol. It will also add to the description that the file is overwritten when some or all of the clusters are marked as being in use.
Whether old or new files are overwritten depends on drive activity, since the master file table can grow, but never shrinks. If someone deleted 10,000 files and only adds a few hundred in the next month, then the other deleted entries may be recoverable for a long time. On the other hand, if very few files are deleted, then the master file tables can be overwritten quickly, in which case they aren't available for recovery.
Check out this excellent video for a visual explanation using EnCase:
http://whereismydata.wordpress.com/2009/05/02/forensics-what-happens-when-files-are-deleted/
pma111 (Author) commented:
Ken, excuse my ignorance, but is there a typo:

Whether old or new files are overwritten depends on drive activity, since the master file table can grow, but never shrinks. If someone deleted 10,000 files and only adds a few hundred in the next month, then the other deleted entries may be recoverable for a long time. On the other hand, if very few files are deleted, then the master file tables can be overwritten quickly, in which case they aren't available for recovery.

So the more files deleted in a period, the more chance of recovery.
The fewer files deleted in a period, the less chance of recovery.

Is that correct?

Logically I'd have thought it would be the other way round, but you're the expert.
SirtenKen commented:
NTFS is designed to re-use the directory entries that are available rather than creating new entries. When it does this, there is a marker in the entry which tells how many times the entry has been used. The rest of the entry will be overwritten and in most cases unrecoverable. If you delete a few files, the now-available entries will quickly be reused. If you delete many files, then some but not all will be re-used. The ones that aren't re-used are the most recoverable. Having more deleted files will lead to a better chance of recovering files, in general. This should make sense statistically as well, if you are just trying to recover deleted files, the more you delete, the better chance you'll be able to recover at least one of them.
Did you have a chance to check out the video? Was it helpful?
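A worked illustration of the flag-and-bitmap logic in SirtenKen's first answer and the entry-reuse point in his follow-up, written here as an added example; it is not code from this thread and not EnCase's implementation. It builds constructed 1024-byte MFT FILE records and a constructed $Bitmap fragment, reads each record's in-use flag and sequence number, and applies the three-way classification (allocated / deleted / deleted and overwritten) the answer describes. The offsets are the standard NTFS FILE record header offsets: the sequence number at byte 0x10 and the flags word at byte 0x16, which is decimal 22, so the answer's "offset 0x22" is read here as decimal 22 (the little-endian 01 00 / 00 00 values it quotes match that field). The classification rule is an assumption modelled on the answer's wording, and the sample records and bitmap are constructed, not taken from any image.

```python
import struct

# Standard NTFS FILE record header fields (little-endian).
MFT_RECORD_SIZE = 1024
OFF_MAGIC = 0x00      # b"FILE"
OFF_SEQUENCE = 0x10   # u16: bumped each time the entry is reused
OFF_FLAGS = 0x16      # u16: decimal 22; bit 0 = in use, bit 1 = directory
FLAG_IN_USE = 0x0001
FLAG_DIRECTORY = 0x0002


def build_record(sequence: int, flags: int) -> bytes:
    """Build a constructed MFT record with only the header fields we read."""
    hdr = bytearray(48)
    hdr[OFF_MAGIC:OFF_MAGIC + 4] = b"FILE"
    struct.pack_into("<H", hdr, OFF_SEQUENCE, sequence)
    struct.pack_into("<H", hdr, OFF_FLAGS, flags)
    return bytes(hdr) + b"\x00" * (MFT_RECORD_SIZE - len(hdr))


def parse_header(record: bytes) -> dict:
    """Read sequence number and flags from a FILE record header."""
    if record[OFF_MAGIC:OFF_MAGIC + 4] != b"FILE":
        raise ValueError("not a FILE record")
    (sequence,) = struct.unpack_from("<H", record, OFF_SEQUENCE)
    (flags,) = struct.unpack_from("<H", record, OFF_FLAGS)
    return {
        "sequence": sequence,
        "in_use": bool(flags & FLAG_IN_USE),
        "is_directory": bool(flags & FLAG_DIRECTORY),
    }


def cluster_in_use(bitmap: bytes, cluster: int) -> bool:
    """$Bitmap holds one bit per cluster, least-significant bit first."""
    return bool((bitmap[cluster // 8] >> (cluster % 8)) & 1)


def classify(record: bytes, clusters: list, bitmap: bytes) -> str:
    """Apply the rule the answer describes (assumed, not EnCase's code):
    in-use flag set -> allocated; flag clear and all clusters free -> deleted;
    flag clear but some cluster re-used -> deleted and overwritten."""
    hdr = parse_header(record)
    if hdr["in_use"]:
        return "allocated"
    if any(cluster_in_use(bitmap, c) for c in clusters):
        return "deleted, overwritten"
    return "deleted"


def entry_was_reused(old_record: bytes, new_record: bytes) -> bool:
    """The follow-up's 'marker' is the sequence number: NTFS increments it
    when a freed entry is handed to a new file, so a higher value in the
    same slot means the old entry's contents are gone."""
    return parse_header(new_record)["sequence"] > parse_header(old_record)["sequence"]


# Constructed $Bitmap fragment: clusters 0-7 in use, clusters 8-15 free.
SAMPLE_BITMAP = bytes([0xFF, 0x00])

# Constructed records: a live file, a cleanly deleted file whose clusters
# are still free, and a deleted file whose cluster 7 has been re-used.
LIVE = build_record(sequence=3, flags=FLAG_IN_USE)
DELETED = build_record(sequence=5, flags=0)
REUSED_SLOT = build_record(sequence=6, flags=FLAG_IN_USE)  # same slot as DELETED, later

if __name__ == "__main__":
    print(classify(LIVE, [1, 2], SAMPLE_BITMAP))          # allocated
    print(classify(DELETED, [9, 10], SAMPLE_BITMAP))      # deleted
    print(classify(DELETED, [7, 9], SAMPLE_BITMAP))       # deleted, overwritten
    print(entry_was_reused(DELETED, REUSED_SLOT))         # True
```

The third classification shows why "overwritten" does not require every cluster to be taken: one re-used cluster in the run is enough, which is why a partially overwritten file may still yield fragments even though EnCase marks the entry as overwritten.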