Need Help Basic Forensic Questions

[ForensicNewbie12]

I need help with some basic questions. Looking on the web I have gotten conflicting information. Thanks in advance for your help. A lot of questions from this newbie:

- Is Metadata definitively or generally lost when you completely delete a file?

- When I run Recuva I get MAC dates but they are all the same?

- Are filenames and paths lost when you completely delete a file?

- How are clusters allocated - first fit? Does this put all clusters in the beginning of disk thus allowing unallocated clusters to be overwritten?

- How do you find out when a file was deleted?

- There is no reliable Metadata from carved files. Correct?

Thanks again.

[binarybod]

The answer to most of these questions is completely file system specific and even then probably depends on the manner and in which the file was deleted and the application used to do so.

I would give different answers to these questions depending if the file system was HFS(+), Ext(2, 3 or 4), btrfs, FAT or NTFS to name but a few.

As for Recuva, I've never used it because there are better open source alternatives. I know what they are doing because I can read the code.

Paul

[ChrisParker]

Hi,

Please consider reading File System Forensics by Brian carrier. It'll answer a lot, if not most of your questions. When a file is deleted, metadata generally speaking is still present. Several factors come into play (level of system/user activity, number of new files introduced, size of the volume, cleaning tools used, etc).

Metadata can also persist in Link files (as an example). So even if the file is wiped, metadata structures are lost (MFT/dir files), you could still recover timestamps.

Also consider metadata within the file (in case you are carving).