Posted 10 December 2012 - 11:34 AM
I have used Recuva, the wall I am running into is not getting the data back. It is a forensics piece, I am firstly concerned with when it was deleted. After I determine that I will be concerned with what was deleted.
Again, I need to find what, if anything, was deleted within a set time frame; nevertheless the priority is that time frame, not the what. I need to confirm that data actually was deleted, I am not as concerned with what it was at this time.
What I have done follows:
Using Windows Search I was able to confine modified files to use as time markers. With those in hand I ran "fsutil usn readdata" on said files to get USN brackets and then executed "fsutil usn enumdata 1 0x... 0x... c:", which gave a list of about 26 changes from the journal. I properly ordered the files by USN to determine change order. Using Recuva and Windows Search, I looked for the files and modification times to confirm the USN order. The files that I found had modification data that confirmed the USN order to be correct. All that said, I am unsure whether the journal records deletions or not, and if so, how.
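The journal does record deletions: each record's Reason field is a bitmask of USN_REASON_* flags from winioctl.h, and a delete carries USN_REASON_FILE_DELETE (0x200), usually together with USN_REASON_CLOSE (0x80000000). The enumdata output itself has no timestamps, which is why bracketing by USN against files with known modification times, as described above, is the way to place a deletion in time. The parser below is an added example, not the poster's code; the SAMPLE text is constructed in the layout of "fsutil usn enumdata" output and the USN bracket values in the usage are assumed.

```python
import re

# USN_REASON_* bit values as defined in winioctl.h; enumdata prints the raw mask.
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}

# Constructed sample in the layout of "fsutil usn enumdata": a modified document
# (a known time marker) followed by a file deleted later in the journal.
SAMPLE = """\
File Ref#       : 0x0001000000001b0b
ParentFile Ref# : 0x0005000000000005
Usn             : 0x0000000000010b00
SecurityId      : 0x00000000
Reason          : 0x80000002
Name (011)      : report.docx

File Ref#       : 0x0002000000002c10
ParentFile Ref# : 0x0005000000000005
Usn             : 0x0000000000010b80
SecurityId      : 0x00000000
Reason          : 0x80000200
Name (009)      : notes.txt
"""

def decode_reason(mask):
    """Expand a Reason bitmask into the USN_REASON_* names set in it."""
    return [name for bit, name in USN_REASONS.items() if mask & bit]

def parse_enumdata(text):
    """Turn enumdata-style records into dicts sorted by USN (journal order)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.split("(")[0].strip()] = value.strip()  # "Name (011)" -> "Name"
        reason = int(fields["Reason"], 16)
        records.append({"usn": int(fields["Usn"], 16), "name": fields["Name"],
                        "flags": decode_reason(reason)})
    return sorted(records, key=lambda r: r["usn"])

def deletions_between(records, usn_low, usn_high):
    """Deletion records whose USN lies inside the bracket fixed by files with known mtimes."""
    return [r for r in records
            if usn_low <= r["usn"] <= usn_high and "FILE_DELETE" in r["flags"]]
```

Feed it the saved output of enumdata and the USN values from readdata on the two marker files; anything returned by deletions_between was deleted after the first marker was written and before the second.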