An Explanation of Deleted and Overwritten Files

This document was written to explain how easily deleted and deleted-then-overwritten files can be misinterpreted by examiners. It refers to FAT drives only, where files and their details are stored in directory entries. Usually, when a file is deleted, the directory entry remains, and this is where EnCase gets its information.

However, at some point a deleted file's details will be overwritten within the directory entry, and its data will therefore become unallocated as far as EnCase is concerned. But what if there is another (older) directory entry pointing to the same starting cluster? That data will then not show as unallocated but as another file - the wrong file!

This may be a pretty rare occurrence but one that should be understood all the same.

NOTE: In reality it is unlikely that both files would be in the same directory; however, I have shown it this way below as a simplified explanation.


Directory Entry for the My Pictures directory (C:/My Documents/My Pictures)

Name          Created            Written            Accessed  Size    Cluster
.             04/01/01 15:06:54  04/01/01 15:06:56  04/01/01  0       42958
..            04/01/01 15:06:54  04/01/01 15:06:56  04/01/01  0       0
_ROJEC~2.JPG  11/03/01 06:01:18  11/03/01 06:01:12  20/07/01  XXXXXX  100

This shows that the file '_rojec~2.jpg' started (for example) in Cluster 100.

The file has been deleted (shown by the filename being preceded by the underscore), but as we know the file's data still sits on the disk and the directory entry is still readable.

Now another file titled 'hc32.jpg' is saved to the drive, and the operating system detects that Cluster 100 can be overwritten. It therefore saves the new file to this space, and a new directory entry is made (see below).


Directory Entry for the My Pictures directory (C:/My Documents/My Pictures)

Name          Created            Written            Accessed  Size    Cluster
.             04/01/01 15:06:54  04/01/01 15:06:56  04/01/01  0       42958
..            04/01/01 15:06:54  04/01/01 15:06:56  04/01/01  0       0
_ROJEC~2.JPG  11/03/01 06:01:18  11/03/01 06:01:12  20/07/01  XXXXXX  100
HC32.JPG      11/03/01 06:01:18  11/03/01 06:01:12  11/01/02  XXXXXX  100

This also shows as starting in Cluster 100. Therefore EnCase will now show the file '_ROJEC~2.jpg' with an X (deleted/overwritten), and the bottom task bar will point to the file as being overwritten by 'hc32.jpg'. When clicking on either file you will see the contents of 'hc32.jpg', because the data of the original file is gone yet both directory entries still point to the same cluster.

Now let's say that the user also deletes the 'hc32.jpg' file. The details in the directory entry will stay the same, except that EnCase will now place a Ø (deleted) next to it. As this file has not been overwritten, the image will still be seen.

Now here is the tough part.

Let's say that while the user was browsing the Internet he came across an indecent image, which was cached passively to his Temporary Internet Files folder and written to the part of the disk previously occupied by 'hc32.jpg', i.e. Cluster 100. We would now have the following entry:


Directory Entry for the Temporary Internet Files directory

Name          Created            Written            Accessed  Size    Cluster
.             04/01/01 15:06:54  04/01/01 15:06:56  04/01/01  0       42958
..            04/01/01 15:06:54  04/01/01 15:06:56  04/01/01  0       0
indecent.JPG  xxxxxxxx xxxxxxxx  xxxxxxxx xxxxxxxx  xxxxxxxx  XXXXXX  100

If the computer remained in this state the examination would not be so tough, because EnCase could now show:

X  ROJEC~2.jpg  (overwritten by 'indecent.jpg' - pointing to Cluster 100 = indecent image)
X  hc32.jpg     (overwritten by 'indecent.jpg' - pointing to Cluster 100 = indecent image)
   Indecent.jpg (pointing to Cluster 100 = indecent image)

However, as we know, the Temporary Internet Files folder only holds so many images. Let's say that as the user browses the Internet further, the file 'indecent.jpg' is deleted. As the data still remains, EnCase would still show the indecent image for all of the above, since they all still point to Cluster 100 -

BUT

If the actual directory entry in the Temporary Internet Files is also deleted there is no longer any pointer to Cluster 100 or reference to 'indecent.jpg'.

Therefore the only directory entries now pointing to Cluster 100 are those for 'ROJEC~2.jpg' and 'hc32.jpg', yet the image that will be showing (the indecent image) has never had anything at all to do with these files.

In the case where the indecent image has come from the Temporary Internet Files folder and has never been actively saved by the user, the user may never even have known that he had such an image on his machine.
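The scenario above, worked through in code as an added example (not part of the original article): it builds constructed 32-byte FAT32 directory entries for the My Pictures directory, parses them the way a tool must (0xE5 first name byte = deleted, start cluster split across the high and low words), and then asks the only question the directory entries can actually answer about Cluster 100: is there a live entry that owns it, or only stale deleted entries whose names cannot be trusted to describe the data? The helper names and the 4096/8192 sizes are assumptions.

```python
import struct
from dataclasses import dataclass

DELETED = 0xE5  # first name byte of a deleted FAT directory entry (EnCase displays it as '_')

@dataclass
class DirEntry:
    name: str           # 8.3 name as an examiner's tool would display it
    deleted: bool
    start_cluster: int  # the entry keeps pointing here even after deletion
    size: int

def make_entry(name, ext, start_cluster, size, deleted=False):
    """Build a 32-byte FAT32 short-name directory entry (constructed test data, not from a real disk)."""
    raw = bytearray(32)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[0x0B] = 0x20                                            # ATTR_ARCHIVE
    struct.pack_into("<H", raw, 0x14, start_cluster >> 16)      # high word of start cluster (FAT32)
    struct.pack_into("<H", raw, 0x1A, start_cluster & 0xFFFF)   # low word of start cluster
    struct.pack_into("<I", raw, 0x1C, size)
    if deleted:
        raw[0] = DELETED   # deletion only overwrites the first name byte; everything else survives
    return bytes(raw)

def parse_directory(data):
    """Parse consecutive 32-byte entries until the 0x00 end-of-directory marker."""
    entries = []
    for off in range(0, len(data) - 31, 32):
        raw = data[off:off + 32]
        if raw[0] == 0x00:
            break
        deleted = raw[0] == DELETED
        name = ("_" if deleted else chr(raw[0])) + raw[1:8].decode("ascii").rstrip()
        ext = raw[8:11].decode("ascii").rstrip()
        hi, = struct.unpack_from("<H", raw, 0x14)
        lo, = struct.unpack_from("<H", raw, 0x1A)
        size, = struct.unpack_from("<I", raw, 0x1C)
        entries.append(DirEntry(f"{name}.{ext}", deleted, (hi << 16) | lo, size))
    return entries

def attribute_cluster(entries, cluster):
    """Return (live_owner_or_None, [deleted names pointing here]).
    A None owner means no undeleted entry claims the cluster: whatever data sits there
    may belong to a file whose own directory entry is gone, so the stale names prove nothing."""
    live = [e.name for e in entries if not e.deleted and e.start_cluster == cluster]
    dead = [e.name for e in entries if e.deleted and e.start_cluster == cluster]
    return (live[0] if live else None, dead)

if __name__ == "__main__":
    # Stage 1: _ROJEC~2.JPG deleted, HC32.JPG live, both starting at Cluster 100 (the 'X overwritten' case)
    pics = make_entry("PROJEC~2", "JPG", 100, 4096, deleted=True) + make_entry("HC32", "JPG", 100, 8192)
    print(attribute_cluster(parse_directory(pics), 100))   # ('HC32.JPG', ['_ROJEC~2.JPG'])
    # Stage 3: HC32 also deleted and the cached file's entry has vanished; only stale pointers remain
    pics = make_entry("PROJEC~2", "JPG", 100, 4096, deleted=True) + make_entry("HC32", "JPG", 100, 8192, deleted=True)
    print(attribute_cluster(parse_directory(pics), 100))   # (None, ['_ROJEC~2.JPG', '_C32.JPG'])
```

Note that a deleted 'hc32.jpg' really parses as '_C32.JPG', since the first character is the one byte deletion destroys; the article's table writes it as 'hc32.jpg' for readability.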

© 2002-2007 Guidance Software, Inc. All Rights Reserved.