
Recover Data



#1 EightPence


Posted 08 December 2012 - 02:26 PM

Hello,

I am running a Windows XP system and have a need to find the deletion date of some data on my HDD (NTFS journaled). The trick is I do not know what the data is, I do know the date. Windows seems to record the creation date, modification dates, but does not make an obvious record for deletion dates. What I want to find out is how to use my NTFS USN journal to tell me what HDD changes were made but I do not know how to read the hex data "fsinfo usn enumdata" spits out. Ideally I would export the whole thing into a file and look for info there but I do not know how to do that either and that would be a huge file. Nevertheless I will make a 250 MB file if I have to because it is vital I find this information.

Thanks in advance.

EightPence


#2 noknojon


Posted 09 December 2012 - 03:41 PM

Hi -
Have you used Recuva or any similar tool yet?

#3 EightPence


Posted 10 December 2012 - 11:34 AM

I have used Recuva, the wall I am running into is not getting the data back. It is a forensics piece, I am firstly concerned with when it was deleted. After I determine that I will be concerned with what was deleted.

Again, I need to find what, if anything, was deleted within a set time frame; nevertheless the priority is that time frame, not the what. I need to confirm that data actually was deleted, I am not as concerned with what it was at this time.

What I have done follows:

Using Windows Search I was able to confine modified files to use as time markers. With those in hand I ran "fsutil usn readdata" on said files to get USN brackets and then executed "fsutil usn enumdata 1 0x... 0x... c:" which gave a list of about 26 changes from the journal. I properly ordered the files by USN to determine change order. Using Recuva and Windows Search, I looked for the files and modification times to confirm the USN order. The files that I found had modification data that confirmed the USN order to be correct. All that said, I am unsure though if the journal records deletions or not, and if so, how.
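As an added example that is not part of this thread, the following Python parser walks the USN_RECORD_V2 layout (the Windows XP era format) that `fsutil usn enumdata` returns when its raw bytes are captured to a file, and flags records whose reason mask carries USN_REASON_FILE_DELETE (0x200); the two-record journal and the file reference numbers it runs on are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header: 60 bytes, little-endian, followed by the UTF-16 file name.
_HDR = struct.Struct("<IHHQQqqIIIIHH")
USN_REASON = {  # subset of the documented USN_REASON_* flags
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME", 0x80000000: "CLOSE",
}
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    # FILETIME counts 100-ns intervals since 1601-01-01 UTC.
    return _EPOCH + timedelta(microseconds=ft // 10)

def parse_usn_records(blob):
    """Walk back-to-back USN_RECORD_V2 entries and decode each one."""
    records, off = [], 0
    while off + _HDR.size <= len(blob):
        (rlen, major, _minor, _frn, _parent, usn, ts, reason,
         _src, _sid, _attrs, nlen, noff) = _HDR.unpack_from(blob, off)
        if rlen == 0 or major != 2:
            break  # end of buffer, or a record version this parser does not handle
        name = blob[off + noff: off + noff + nlen].decode("utf-16-le")
        records.append({"usn": usn, "time": filetime_to_dt(ts), "name": name,
                        "reason": reason,
                        "reasons": [n for bit, n in USN_REASON.items() if reason & bit]})
        off += rlen  # RecordLength already includes 8-byte alignment padding
    return records

def deletions_between(records, start, end):
    """Records carrying FILE_DELETE whose timestamp falls inside [start, end]."""
    return [r for r in records if r["reason"] & 0x200 and start <= r["time"] <= end]

def _make_record(usn, when, reason, name):
    # Constructed record; file reference numbers are arbitrary sample values.
    nb = name.encode("utf-16-le")
    ft = (when - _EPOCH) // timedelta(microseconds=1) * 10
    rlen = (60 + len(nb) + 7) & ~7
    body = _HDR.pack(rlen, 2, 0, 0x10000000000A1, 0x5000000000005, usn, ft,
                     reason, 0, 0, 0x20, len(nb), 60) + nb
    return body.ljust(rlen, b"\0")

# Constructed sample journal: create+close, then delete+close of the same file.
SAMPLE_JOURNAL = (
    _make_record(1000, datetime(2012, 12, 5, 9, 0, tzinfo=timezone.utc), 0x80000100, "report.docx")
    + _make_record(1080, datetime(2012, 12, 6, 14, 30, tzinfo=timezone.utc), 0x80000200, "report.docx")
)

if __name__ == "__main__":
    for r in parse_usn_records(SAMPLE_JOURNAL):
        print(r["usn"], r["time"], r["name"], "|".join(r["reasons"]))
```

The journal records a deletion as a record whose reason mask includes FILE_DELETE, normally together with CLOSE in the final record for that file, so filtering on that bit within the USN bracket already established is the check the post above is missing.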

#4 noknojon


Posted 10 December 2012 - 03:16 PM

Just 2 other ideas that may be of some help -

Finding Deleted History in Windows

Finding Deleted History on Internet Explorer
Every browser stores the information in the log files. The index.dat file is the name of the log file used by Internet Explorer. Search the index.dat file in the Windows files and folders search. The index.dat files are not text files. Therefore, an index.dat reader will have to be downloaded from the Internet to read the file. Once the software has been downloaded and installed on the system, you will be able to see the history you are looking for.

Finding Deleted History on Firefox
Like Internet Explorer has index.dat files, Mozilla Firefox has history.dat files. Search for this file in the Windows files and folders. Then download the appropriate software to read the history.dat file. One of the commonly used programs is 'X-Ways Trace 3.1'. Using this software, you will be able to read the file.

#5 EightPence


Posted 11 December 2012 - 06:03 PM

Interesting. I will take a look into these index.dat files. Do you have any other suggestions for regular Windows files, like if some were deleted from My Computer?
