Terry Fernandez wrote:
> In the File Analysis component of Autopsy (v1.70), I can see the
> deleted file and the size with the metadata information. When I try to
> export it, only 8KB is exported, while the file size shown is around
> 185MB. I am sure I am missing a step somewhere. Can you assist? The
> image is a FAT32 partition and the file in question is a pst file.
>
> Terry Fernandez
>
> Tel: 312.260.3223
>
> Vnet: 894.3223
>
Terry-
Whoa, I've been here before. Here is the long and short of it.... You
most likely won't be able to recover the entire file.
As I'm sure you've seen with deleted NTFS files, it's a rather simple
process to export the deleted file. However, with deleted FAT32 files,
Autopsy does not perform a file re-assembly. A much more thorough
explanation could be provided by the group; however, the simple truth is,
portions of your deleted file have most likely been reallocated to other
files on the disk.
Here's the basic problem, you've got a 185 meg file, that's roughly
378,880 (512 byte) sectors. Now, chances are that file has not been
written to the disk sequentially, it's rare to find 185 megs of free
space in nice simple sequential sectors. However, for our example, let's
say it is.
Now let's look at what you know, the starting sector and the size, right?
Let's say the starting sector is 654321 and you know you need to go
378,880 sectors. You can take this information to the Data Unit tab and
punch in the starting sector and number of sectors you need to go and it
will return to you the output, your file.
Now, quite honestly I don't expect this to give you the completely
accurate file. Why? Well, first, there's a very good chance the file was
not written sequentially; second, the FAT (File Allocation Table) doesn't
retain any information as to where the rest of the file is.
There is a way to figure out how much of the file you are missing. Go
to the Metadata tab, you will be provided with a complete file
allocation table, you won't find your starting sector there as it is
deallocated, however you will see how many sectors within your possible
file start and end have been allocated to other files.
A good rule of thumb to consider when recovering deleted files from a
FAT partition: smaller is better.
Honestly, your best course of action may be keyword searches against the
drive, I can't remember, but pst files may contain some text based content.
Now, this is all based on reading, experience, and luck.
Someone on this list may have some better suggestions.
Good Luck!
Matt
mm...@ta...
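
The check described in the reply above (assume the deleted file was contiguous, work out the sector range, then see how much of that range the FAT now shows as allocated to other files) can be scripted against a raw FAT32 partition image. This is an added example, not part of the original message and not Autopsy code; the function names and the tiny sample image are constructed for illustration, and sector numbers are relative to the start of the partition.

```python
import struct

FREE = 0x00000000  # FAT32 entry value for an unallocated cluster

def parse_bpb(boot):
    """Read the FAT32 boot-sector fields needed to find the FAT and data area."""
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", boot, 11)
    (fat_sectors,) = struct.unpack_from("<I", boot, 36)  # BPB_FATSz32
    return bps, spc, reserved, reserved + nfats * fat_sectors

def assess_contiguous_run(image, start_cluster, file_size):
    """Assume the deleted file was contiguous; report what has been reused."""
    bps, spc, fat_start, data_start = parse_bpb(image[:512])
    cluster_bytes = bps * spc
    needed = -(-file_size // cluster_bytes)  # ceiling division
    reallocated = []
    for c in range(start_cluster, start_cluster + needed):
        (entry,) = struct.unpack_from("<I", image, fat_start * bps + 4 * c)
        if entry & 0x0FFFFFFF != FREE:  # now owned by another file (or marked bad)
            reallocated.append(c)
    intact = (reallocated[0] - start_cluster) if reallocated else needed
    return {
        "first_sector": data_start + (start_cluster - 2) * spc,
        "sector_count": needed * spc,
        "reallocated_clusters": reallocated,
        "intact_prefix_bytes": min(file_size, intact * cluster_bytes),
    }

def make_sample_image():
    """Constructed image: boot sector + one FAT sector, 512-byte clusters."""
    boot = bytearray(512)
    struct.pack_into("<HBHB", boot, 11, 512, 1, 1, 1)  # bps, spc, reserved, FATs
    struct.pack_into("<I", boot, 36, 1)                # one sector per FAT
    fat = bytearray(512)
    struct.pack_into("<I", fat, 4 * 8, 9)              # cluster 8 -> 9 (another file)
    struct.pack_into("<I", fat, 4 * 9, 0x0FFFFFFF)     # cluster 9 = end of chain
    return bytes(boot + fat)

if __name__ == "__main__":
    # Deleted entry: starts at cluster 5, 4000 bytes long (constructed values)
    print(assess_contiguous_run(make_sample_image(), 5, 4000))
```

The `first_sector` and `sector_count` values are what would be entered in the Data Unit tab; `intact_prefix_bytes` is only an upper bound, since a free cluster may still have been overwritten and released again.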