The Sleuth Kit (TSK)
3.2.2/Autopsy 2.24
Test Results for Deleted File Recovery and Active File Listing Tool
July 2, 2014
This report was prepared for the Department of Homeland Security Science and Technology Directorate Cyber
Security Division by the Office of Law Enforcement Standards of the National Institute of Standards and Technology.
For additional information about the Cyber Security Division and ongoing projects, please visit www.cyber.st.dhs.gov
.
July 2014
Test Results for Deleted File Recovery and Active File Listing
Tool: The Sleuth Kit (TSK) 3.2.2/Autopsy 2.24
July 2014
ii
TSK 3.2.2/Autopsy 2.24
Contents
Introduction ......................................................................................................................... 1
How to Read This Report .................................................................................................... 1
1 Results Summary .......................................................................................................... 2
1.1 FAT ........................................................................................................................ 3
1.2 ExFat ...................................................................................................................... 3
1.3 NTFS ............................................................................................................................4
1.4 ext ........................................................................................................................... 4
1.5 HFS+ ...................................................................................................................... 5
2 Test Case Descriptions .................................................................................................. 5
3 Discussion of Test Results ............................................................................................ 6
3.1 How to read this section ......................................................................................... 7
3.2 File System Support ............................................................................................... 7
3.3 Scenarios where no files were overwritten ............................................................. 7
3.3.1 FAT ................................................................................................................. 7
3.3.2 ExFAT ............................................................................................................. 7
3.3.3 NTFS ....................................................................................................................7
3.3.4 Ext ................................................................................................................... 7
3.4 Scenarios with Deleted Directories ........................................................................ 8
3.4.1 FAT (Directories) ............................................................................................ 8
3.4.2 ExFAT (Directories) ....................................................................................... 8
3.4.3 NTFS (Directories) .......................................................................................... 8
3.4.4 EXT (Directories) ............................................................................................ 8
3.5 Scenarios with some files overwritten.................................................................... 8
3.5.1 FAT ................................................................................................................. 8
3.5.2 ExFAT ............................................................................................................. 9
3.5.3 NTFS ....................................................................................................................9
3.5.4 EXT ................................................................................................................. 9
3.6 Reported File Size for Recovered Files .................................................................. 9
3.7 Recovered MAC Times .......................................................................................... 9
3.7.1 FAT ................................................................................................................. 9
3.7.2 ExFAT ........................................................................................................... 10
3.7.3 NTFS ................................................................................................................. 10
3.7.4 Ext ................................................................................................................. 10
3.8 Non-Latin Character File Names ......................................................................... 10
3.9 Deletion Through Recycle Bin ............................................................................. 10
3.10 Special NTFS Situations .................................................................................... 11
3.11 Listing Special Objects (Links, Alternate Data Streams, etc.) ........................... 11
3.12 Recovering Special Objects (Links, Alternate Data Streams, etc.) .................... 11
3.12.1 FAT ............................................................................................................. 11
3.12.2 ExFAT ......................................................................................................... 11
3.12.3 NTFS ............................................................................................................... 11
3.12.4 Ext ............................................................................................................... 11
3.13 Mac File Systems HFS+ File Recovery ............................................................. 11
July 2014
ii
TSK 3.2.2/Autopsy 2.24
3.14 Listing Active Files ............................................................................................ 11
4 Test Result Details ...................................................................................................... 11
4.1 How to read this section ....................................................................................... 12
4.2 File System Support ............................................................................................. 15
4.3 Recovered Content (No Overwrites) .................................................................... 16
4.4 Scenarios with Deleted Directories ...................................................................... 19
4.5 Recovered Content (Overwrites) .......................................................................... 19
4.6 Reported File Size for Recovered Files ................................................................ 21
4.7 Recovered MAC Times ........................................................................................ 25
4.8 Non-Latin Character File Names ......................................................................... 26
4.9 Deletion Through Recycle Bin ............................................................................. 28
4.10 Special NTFS Situations .................................................................................... 30
4.11 Listing Special Objects (Links, Alternate Data Streams, etc.) ........................... 32
4.12 Recover Special Objects (Links, Alternate Data Streams, etc.) ......................... 35
4.13 Mac File Systems HFS+ File Recovery ............................................................. 40
4.14 Listing Active Files ............................................................................................ 40
Introduction
The Computer Forensics Tool Testing (CFTT) program is a joint project of the
Department of Homeland Security (DHS), the National Institute of Justice, and the
National Institute of Standards and Technology Law Enforcement Standards Office and
Information Technology Laboratory. CFTT is supported by other organizations,
including the Federal Bureau of Investigation, the U.S. Department of Defense Cyber
Crime Center, U.S. Internal Revenue Service Criminal Investigation Division Electronic
Crimes Program, and the U.S. Department of Homeland Security’s Bureau of
Immigration and Customs Enforcement, U.S. Customs and Border Protection and U.S.
Secret Service. The objective of the CFTT program is to provide measurable assurance to
practitioners, researchers, and other applicable users that the tools used in computer
forensics investigations provide accurate results. Accomplishing this requires the
development of specifications and test methods for computer forensics tools and
subsequent testing of specific tools against those specifications.
Test results provide the information necessary for developers to improve tools, users to
make informed choices, and the legal community and others to understand the tools
capabilities. The CFTT approach to testing computer forensics tools is based on well-
recognized methodologies for conformance and quality testing. The specifications and
test methods are posted on the CFTT Web site (http://www.cftt.nist.gov/) for review and
comment by the computer forensics community.
This document reports the results from testing The Sleuth Kit (TSK) Version 3.2.2 with
the Autopsy Version 2.24 interface against the Active File Identification & Deleted File
Recovery Tool Specification Version 1.1, available at the CFTT Web site
(http://www.cftt.nist.gov/DFR-req-1.1-pd-01.pdf
).
Test results from other tools can be found on the DHS S&T-sponsored digital forensics
Web page, http://www.cyberfetch.org/.
How to Read This Report
This report is divided into four sections. The first section is a high level summary of the
results from the test runs. The remaining sections of the report describe the test cases,
discuss any noteworthy tool behaviors encountered and provide documentation of test
case run details that support the discussion of tool behaviors. Section 2 gives a general
description of the test cases. Section 3 discusses test results by file system. Section 4
gives details of the test results for each test case. Please refer to the vendor
documentation for guidance on using the tool.
July 2014
Page 2 of 41
TSK 3.2.2/Autopsy 2.24
Test Results for Deleted File Recovery Tool
Tool Tested: The Sleuth Kit (TSK)/Autopsy
Software Version: Version 3.2.2/Version 2.24
Developer: Brian Carrier
WWW: http://www.sleuthkit.org/
1
Results Summary
The focus of this report is to characterize the observed behavior of the tested tool for the
recovery of deleted files based on residual file system metadata remaining after files are
deleted. The tool is applied to a set of image files constructed to present a variety of
common file deletion scenarios for widely used file systems. If a tool does not completely
recover a file this may stem from one or more causes. These factors may include the
following:
The data are no longer present in the image, e.g., overwritten.
Sufficient meta-data to locate the data is not present or reachable.
The algorithm implemented by the tool does not use the meta-data that locates the
missing data.
The implementation of the tool algorithm is incorrect.
In many cases, there is no one behavior that is correct. A tool designer may choose from
different algorithms that each have their own behaviors. The algorithm choices have trade
offs for each file layout scenario and file system meta-data characteristics. It may be that
no one algorithm is correct all the time. For example, in FAT file systems no meta-data is
present to locate more than the first block of the file. The algorithms used to recover files
from FAT file systems only recover the deleted file completely when certain conditions
prevail on the subject media. The conditions and algorithm success are determined by the
specific drive content and file system meta-data characteristics. The test images for each
test case are “dd” images of a hard drive from a cleanly shut down system. The tool must
operate within the confines of the operating systems and file systems. Because the file
systems tested require different algorithms for each file system and therefore produce
different results for each file system, results for each file system are discussed
individually.
Some general observations follow:
For the file systems tested, deleted files were recovered from FAT12, FAT16,
FAT32, NTFS and ext2 file systems. No files were recovered from exFAT, ext3,
ext4 or HSF+ file systems. However, some file names were recovered from ext3
and ext4 file systems.
July 2014
Page 3 of 41
TSK 3.2.2/Autopsy 2.24
File content was always recovered in whole clusters (a cluster is a power of 2
multiple of 512 bytes, e.g., 512, 1024, 2048, 4096, . . .).
The files recovered by the tool were composed of clusters from one or more
sources. All recovered content originated either in a previously deleted file, an
existing file or meta-data that had overwritten data from a deleted file (reported as
from an undetermined source).
The tool was able to list active files from the following tested file systems: FAT,
NTFS, ext2, ext3, ext4 and HFS+. For the ext4 file system, the tool sometimes
only listed files and directories in the root directory. The tool does not support the
exFAT file system.
Each file system type has different metadata structures. This leads to different tool
behaviors for each file system type. Observed file system specific tool behaviors include:
1.1 FAT
If no deleted files or metadata have been overwritten, then intact deleted
contiguous files were completely recovered. Intact fragmented files were
sometimes completely recovered and sometimes recovered with content from
multiple files and sometimes with content from active files.
If some deleted files and meta-data has been overwritten then most intact deleted
files were recovered. For files with intact meta-data but partial or complete
overwriting of the file data, a recovered file may have content from multiple files,
active files or meta-data from newer files (that has overwritten the deleted file).
Intact d
eleted files within deleted directories were recovered.
Names of the deleted files and directories were recovered from the meta-data for
both Latin character (e.g., az) and non-Latin character (e.g., ß, ç, ö, я, ю, ش
, 美国)
file names. For some files only the DOS 8.3 file name, e.g., _ALCOR.TXT for
XALCOR.TXT, is reported with an underscore, “_”, replacing the first character
of the file name. If metadata for the long file name is overwritten, then the file
system generated DOS 8.3 file name is reported e.g., _ETELG~1.TXT for
betelgeuse.txt.
Files deleted via the recycle bin were recovered along with recycle bin artifacts.
Reported size for the named recovered file matches the size of the original deleted
file.
Reported MAC times of the named recovered file matches the original deleted file
MAC times. Although the access times are not tracked by the FAT file system,
the tool reports 00:00:00 as the access time for each file.
Deleted shortcut .lnk files were recovered.
Active shortcut .lnk files were listed.
All active files and directories were listed.
1.2 ExFat
Recovery from ExFAT file systems is not supported by the tool.
July 2014
Page 4 of 41
TSK 3.2.2/Autopsy 2.24
1.3 NTFS
If no deleted files or metadata have been overwritten, then intact deleted files,
both contiguous and fragmented, were completely recovered.
If some deleted files and meta-data has been overwritten then most intact deleted
files were recovered. For files with intact meta-data but partial or complete
overwriting of the file data, a recovered file may have content from multiple files,
active files or meta-data from newer files (that has overwritten the deleted file).
Deleted files within deleted directories were recovered.
Intact deleted files contained within the MFT and files in compressed directories
were recovered.
Names of the deleted files were recovered from the meta-data for both Latin
character (e.g., az) and non-Latin character (e.g., ß, ç, ö, я, ю, ش, 美国) file
names.
Files deleted via the recycle bin were recovered along with recycle bin artifacts.
Reported size of the original deleted file matches the size of the named recovered
file.
Reported MAC times of the named recovered file matches the original deleted file
MAC times.
Deleted special objects were recovered including alternate data stream, shortcut
.lnk files and symbolic links.
Active special objects were listed including alternate data stream, shortcut .lnk
files and symbolic links.
All active files and directories were listed.
1.4 ext
Files were recovered only from the ext2 file system; no files were recovered from
either ext3 or ext4 file systems.
If no deleted files or metadata have been overwritten, then intact deleted files,
both contiguous and fragmented, were completely recovered.
If some deleted files and meta-data has been overwritten then most intact deleted
files were recovered. For files with intact meta-data but partial or complete
overwriting of the file data, a recovered file may have content from multiple files,
active files or meta-data from newer files (that has overwritten the deleted file).
Deleted files within deleted directories were recovered.
Names of deleted files were usually recovered for ext2, ext3 and ext4 file
systems. The file names were not associated with the recovered data. For the ext2
file system, two objects were returned: an empty file with the name of the deleted
file, e.g., Bellatrix.txt, and an object with a tool-generated name, e.g.,
OrphanFile-13, with the content of the deleted file. The names of deleted folders
were recovered, but some file names within the deleted folders were not
recovered.
Reported size of the original deleted file matches the size of the named recovered
file.
July 2014
Page 5 of 41
TSK 3.2.2/Autopsy 2.24
Reported MAC times of the recovered file matches the expected MAC times for
the deleted file.
Files deleted via the recycle bin were recovered along with recycle bin artifacts.
The names of deleted hard links and symbolic links were not recovered for the
ext2 file system. The ext3 and ext4 file systems were not tested for special objects
(e.g., symbolic links, hard links).
Active special objects were listed including hard links and symbolic links.
All active files and directories were listed for ext2 file systems. Not all files and
directories in ext3 and ext4 file systems were listed.
1.5 HFS+
No files were recovered, but active files were listed, including non-Latin file names.
A discussion of specific tool behavior is in Section 3, with test details presented in
Section 4.
2
Test Case Descriptions
The following is a list of the basic test cases and the test objective:
DFR-01. Recover one non-fragmented file.
DFR-02. Recover file with two fragments.
DFR-03. Recover file with multiple fragments.
DFR-04. Recover several non-fragmented files with non-Latin character file names.
DFR-05. Recover two fragmented files.
DFR-06. Recover one large file.
DFR-07. Recover one overwritten file.
DFR-08. Recover several overwritten files.
DFR-09. Recover large number of files, no overwriting.
DFR-10. Recover large number of files, with some overwriting.
DFR-11. Recover from one directory.
DFR-12. Recover from more than one directory.
DFR-13. Recover chaotic file system activity.
DFR-14. Recover other file system object.
DFR-15. List one of each file system object.
DFR-16. List a large number of files.
DFR-17. List deep file paths.
Each test case is repeated at least four times to characterize the tool's behavior for
different file system families. These include FAT, exFAT, NTFS and ext. The NTFS and
exFAT images contain a single partition. The FAT and ext images each contain three
partitions. Each partition has the same pattern of files created and deleted for a given test
case. The FAT and ext cases (three partitions) have three times as many files as the NTFS
and exFAT cases (one partition). The FAT images contain a FAT-12, a FAT-16 and a
July 2014
Page 6 of 41
TSK 3.2.2/Autopsy 2.24
FAT-32 partition. The FAT partitions were created on a Windows Vista system. Some
partitions marked as FAT-12 in the partition table, appear to have a FAT table that is
actually FAT-16 (this did not significantly affect test results). The NTFS images were
also created on a Microsoft Windows Vista system. The ext partitions were created on a
Fedora Linux system. The exFAT partition and HFS+ partitions were created on a Mac
running Snow Leopard, OSX Version 10.6.
The test images are available at: http://www.cfreds.nist.gov/dfr-test-images.html and the
layout of the test images is documented in:
http://www.cfreds.nist.gov/dfr-images/setup-july-10-2012.pdf.
Except for test case DFR-01, the size of all deleted files is a multiple of 512. The deleted
file in test case DFR-01 is 712 bytes.
Within this document, test cases are sometimes referred to as a scenario or a test scenario.
Also, a test case name sometimes includes the file system family name if a discussion
only applies to a particular file system family, e.g., if a discussion only applies to DFR-01
for the NTFS file system DFR-01 may be referred to as DFR-NTFS-01 (or just NTFS-01).
The two HFS+ test cases are referred to as DFR-OSX-01 and DFR-OSX-04.
Some of the test cases are repeated with some variation to introduce additional data block
layout scenarios. These include the following:
DFR-01-recycle Similar to DFR-01 with a change to how the file is deleted.
Instead of deleting the file directly, the file is moved to the recycle bin and then
the bin is emptied.
DFR-05-braidCreate two fragmented files such that the data blocks are
intertwined and then delete both files.
DFR-05-nestCreate two fragmented files such that the data blocks of one file
surround the data blocks of the other file and then delete both files.
DFR-07-one Create a deleted file partially overwritten by an active file.
DFR-07-twoStarting with the image of 07-one, delete the active file so that two
deleted files have claim to the same data.
DFR-NTFS-11-MFT Similar to DFR-11, but all files are kept to 512 bytes so
that the data is stored within the MFT. This scenario only applies to NTFS.
DFR-NTFS-11-Compress -- Similar to DFR-NTFS-11, but the file system has the
compress option turned on. This scenario only applies to NTFS.
DFR-OSX-01 & DFR-OSX-04 – There is no metadata left after a file is deleted
from an HFS+ file system so only one case (DFR-OSX-01) is needed to
demonstrate that no files are recovered and one case (DFR-OSX-04) is used to
demonstrate the ability to list (non-Latin character) file names.
3
Discussion of Test Results
Test data was prepared for all scenarios with the following file systems: FAT (FAT12,
FAT16 & FAT32), NTFS, exFAT and ext (ext2, ext3 & ext4). Test data for two scenarios
July 2014
Page 7 of 41
TSK 3.2.2/Autopsy 2.24
was prepared for HFS+ file systems using combinations of journaling and case sensitivity
(OSX, OSXC, OSXJ & OSXCJ).
This section discusses the following characteristics of the tool behavior for various file
deletion scenarios:
Recovered content
Reported file size
Reported MAC times
Recovered file names
File system unique objects
Listing active files
3.1 How to read this section
The subsections that follow present the tool behaviors that were observed in testing by
file deletion scenario. For more details on the results presented in each subsection see the
corresponding subsection in Section 4.
3.2 File System Support
No files were recovered from ExFAT, ext3, ext4 or HFS+ file systems. ExFAT is
supported in later (not tested for this report) versions.
3.3 Scenarios where no files were overwritten
For nine test cases that have no files overwritten, the following observations were made:
3.3.1
FAT
Of the 819 intact deleted files with metadata, 807 were fully recovered. Of the 12
files not completely recovered, all contained data from multiple files and three
contained data from active files.
3.3.2
ExFAT
ExFAT file systems are not supported.
3.3.3
NTFS
Of the 273 intact deleted files all were fully recovered.
3.3.4
Ext
All 273 intact deleted files were fully recovered from the ext2 file system. For the
ext2, ext3 and ext4 file systems, most, but not all file names were recovered. For the
ext2 file system, two objects were returned: an empty file with the name of the
deleted file, e.g., Bellatrix.txt, and an object with a tool-generated name, e.g.,
July 2014
Page 8 of 41
TSK 3.2.2/Autopsy 2.24
OrphanFile-13, with the content of the deleted file. No files were recovered from the
ext3 or ext4 file systems.
3.4 Scenarios with Deleted Directories
Two scenarios, case 11 and case 12, investigate recovery of deleted files within deleted
directories along with recovery of the file names and the directory names. The first
scenario, case 11, is constructed with nothing overwritten; the second scenario, case 12,
is constructed with some files and directory metadata overwritten.
3.4.1
FAT (Directories)
For case FAT-11, all deleted files were recovered and all deleted directories were
identified. For case FAT-12, of 27 intact deleted files, 9 files were fully recovered.
Additionally 18 files were partially recovered containing blocks from two or more
files, with three files containing content of undetermined origin. Of the 9 deleted
directories, 6 were identified.
3.4.2
ExFAT (Directories)
ExFAT file systems are not supported.
3.4.3
NTFS (Directories)
For case NTFS-11, all deleted files were completely recovered and the deleted
directory was identified. For case NTFS-12, 9 of 9 intact deleted files were
completely recovered. 2 of 3 deleted directories were identified.
3.4.4
EXT (Directories)
No files were recovered from the ext3 or ext4 partitions. All deleted files were
recovered from the ext2 partition for case EXT-11. No file names were recovered, but
the names of the three deleted directories were identified, one from the ext2 file
system, one from the ext3 file system, and one from the ext4 file system. For case
EXT-12, 9 of 9 intact files were fully recovered from the ext2 file system. Eight of
nine deleted directories were identified, three from the ext2 file system, three from
the ext3 file system, and two from the ext4 file system. The names of the three most
recently deleted files were recovered from the ext2 and ext3 file systems.
3.5 Scenarios with some files overwritten
For seven test cases that have some overwritten files, the following observations were
made:
3.5.1
FAT
2,894 files were deleted, 1,118 files were intact with metadata, 102 files were
overwritten with metadata left behind after file deletion.
July 2014
Page 9 of 41
TSK 3.2.2/Autopsy 2.24
Of 1,221 recovered files, 885 files were accurately recovered. Of the 336
remaining files recovered, 269 had content from multiple files, 40 had content
from active files, and 3 had content from an undetermined source.
3.5.2
ExFAT
The ExFAT file system is not supported by the tool.
3.5.3
NTFS
965 files were deleted, 371 files were intact with metadata, 563 files were
overwritten with metadata left behind.
Of 406 recovered files, 374 files were accurately recovered. Of the 32 other
recovered objects, 24 contained data from more than one file, 24 contained data
from active files, and 2 contained data from an undermined source.
3.5.4
EXT
2,869 files were deleted, 1,225 files were intact with metadata, 990 files were
overwritten with metadata left behind. The files were deleted from 7 image files.
Each contained an ext2, an ext3 and an ext4 partition.
Of 583 recovered files, 372 files were accurately recovered. Of the 211 remaining
files recovered, 29 had content from multiple files, 162 had content from active
files, and 56 had content from an undetermined source. For the ext2, ext3 and
ext4 file systems, most, but not all file names were recovered. For the ext2 file
system, two objects were returned: an empty file with the name of the deleted file,
e.g., Bellatrix.txt, and an object with a tool-generated name, e.g., OrphanFile-13,
with the content of the deleted file. No files were recovered from the ext3 or ext4
partitions.
3.6 Reported File Size for Recovered Files
For file systems FAT and NTFS, if a file name was recovered, the tool reports the
original file size corresponding to the recovered file name. For ext2 file systems a file
size is reported even though a file name might not be recovered. The reported file size
matches the size of the original file (the original file is identified by the recovered file
content). Nothing was recovered for ext3 or ext4 file systems. It should be noted that for
overwritten files the reported file size might be misleading in that the recovered content
may be from a different file.
3.7 Recovered MAC Times
This section discusses the observed MAC time characteristics displayed for test case
DFR-01. The reader is reminded that the operating system replaces the ctime meta-data
with the time of file deletion for ext file systems.
3.7.1
FAT
The access times and modify/last written times were correct. Note: the
automatically generated expected values in the CFTT layout document are off by
July 2014
Page 10 of 41
TSK 3.2.2/Autopsy 2.24
one hour. The times match if adjusted from Coordinated Universal Time (UTC) to
Eastern Daylight Time (EDT). This is a known problem in some Linux versions
where an inappropriate Daylight Saving Time (DST) adjustment is applied. This
is an issue with the test data, not with the tested tool.
Although the last access time is not tracked (only the last access date is tracked)
by the FAT file system, the tool reports 00:00:00 as the access time for each file.
For one recovered file, XBEID.TXT, from the FAT12 file system the minutes and
seconds value of the ctime value was reported as 02:23 rather than the expected
value of 02:24.
3.7.2
ExFAT
The tool does not support the ExFAT file system.
3.7.3
NTFS
All times matched the expected values. All times were reported in UTC.
3.7.4
Ext
File names were recovered for ext2, ext3 and ext4 file systems, but the file names are not
associated with the recovered data. No data was recovered for ext3 or ext4 file systems.
For the ext2 file system, two objects were returned: an empty file with the name of the
deleted file (Bellatrix.txt) and an object named OrphanFile-13 with the content of the
deleted file (Bellatrix.txt). The file Bellatrix.txt was reported to have all three MAC times
of 0000-00-00 00:00:00 and the file OrphanFile-13 with the expected MAC times for the
deleted file (Bellatrix.txt). The ctime value was the time Bellatrix.txt was deleted (the
expected result). The ctimes and access times matched expected values (the ctime value
reports the time of file deletion). The file deletion time is reported in the modify time field.
All times were reported in UTC.
3.8 Non-Latin Character File Names
Non-Latin character file names for recovered files were displayed correctly for FAT, and
NTFS file systems. File names were recovered and displayed correctly for all of the ext
file systems.
3.9 Deletion Through Recycle Bin
Files deleted via empting the recycle bin (or trash on some file systems) were recovered
for FAT, NTFS and ext2 file systems along with recycle bin artifacts. The file name was
not recovered for the deleted file from the NTFS file system. File names were recovered
for ext2, ext3 and ext4 file systems. No file content was recovered for either the ext3 or
ext4 file systems. For the ext2 file system two objects were recovered in addition to
recycle bin artifacts: an empty file (Bellatrix.txt) with the name of the deleted file and the
file (OrphanFile-13) with the content of the deleted file. Recovery of files from exFAT
file systems was not tested.
July 2014
Page 11 of 41
TSK 3.2.2/Autopsy 2.24
3.10 Special NTFS Situations
Files were recovered from both a compressed NTFS file system and from within the
Master File Table (MFT).
3.11 Listing Special Objects (Links, Alternate Data Streams, etc.)
The tool was able to list all (with one exception) file system special objects for FAT,
NTFS, ext2, ext3, and ext4 file systems. One file in an ext4 file system subdirectory was
not listed.
3.12 Recovering Special Objects (Links, Alternate Data Streams,
etc.)
The tool was able to recover some file system specific objects:
3.12.1
FAT
Deleted files and shortcut .lnk files were recovered.
3.12.2
ExFAT
The tool does not support the ExFAT file system.
3.12.3
NTFS
Alternate data streams, shortcut .lnk files and symbolic links were recovered from NTFS
file systems.
3.12.4
Ext
Deleted files were recovered from ext2 file systems. The names of hard links and
symbolic links were not recovered. The ext3 and ext4 file systems were not tested.
3.13 Mac File Systems HFS+ File Recovery
No files were recovered from HFS+ file systems. OS X removes all file metadata when a
file is deleted, although some journal metadata may remain for journaling file systems
(OSXJ and OSXCJ).
3.14 Listing Active Files
The tool was able to list all files and directories for ext2, ext3, FAT, NTFS, and HFS+
file systems. For ext4 file systems the tool sometimes listed only files and directories in
the root directory. The tool does not support the ExFAT file system.
4
Test Result Details
The test results are presented in a series of tables. Most of the tables either give a
summary of the deleted files and metadata created for each test case or a summary of
July 2014
Page 12 of 41
TSK 3.2.2/Autopsy 2.24
what the tool recovered. For some test cases, additional tables are provided to give details
about individual files deleted and recovered within a test case.
4.1 How to read this section
This section provides the details for the discussions in Section 3 of this report. The data
discussed in subsections of Section 3 are in the corresponding subsections of this section
(Section 4). The remainder of this subsection explains the tables that summarize the test
results. The data presented in this subsection are examples only. The actual results are
presented in the other subsections.
The two most important tables are the “Available Metadata and File Block Summary
and “Recovered File Analysis Summary.” The metadata table describes the state of the
deleted files and residual meta-data and identifies the limits for what can be recovered.
The analysis table describes how accurately the tool actually recovered known content.
The main summary tables and the information contained within are as follows:
Case
Deleted
Intact/Meta
Partial/Meta
None/meta
Intact/None
Partial/None
None/None
ntfs-07
5
1
0
2
0
0
2
The Available Metadata and File Block Summary gives a one row summary of the file
blocks and meta-data available for recovery for a test case.
Case: The test case identifier.
Deleted: The number of files created and then deleted.
Intact/Meta: The number of files with no blocks overwritten and metadata
available. All these files should be recoverable.
Partial/Meta: The number of files with some, but not all, blocks overwritten and
metadata available. However, only independently allocated blocks are counted.
None/Meta: The number of files with all blocks overwritten, but metadata
available. For NTFS file systems, data blocks from small files might be contained
within the MFT and are incorrectly counted here.
Intact/None: The number of files with no blocks overwritten and metadata
overwritten.
Partial/None: The number of files with some, but not all, blocks overwritten and
metadata overwritten.
None/None: The number of files with all blocks and metadata overwritten.
The table above indicates five files deleted, but only one file intact with metadata. Two
files are completely overwritten, but have some metadata available. These files could still
actually be within the MFT and hence recoverable.
Recovered File Analysis Summary
Case
Del
Rec
SS
First
Full
Match
Sigma
Multi
Other
Active
Seq
Over
Ovf
ntfs-07
5
3
2
3
1
2
0
0
0
0
0
4
1
July 2014
Page 13 of 41
TSK 3.2.2/Autopsy 2.24
The Recovered File Analysis Summary gives a one-row summary of the files recovered
for a test case.
Case: The test case identifier.
Del: The number of deleted files. The notation k/j means k files created in j
directories.
Rec: The number of files recovered by the tool. This should be at least as many as
the Intact/Meta value from the table above.
SS: The number of deleted files that contributed blocks to the recovered files.
This will be discussed below when we have more data from the example.
First: The number of recovered files that contain the first block of the deleted file.
Full: The number of recovered files that are complete and accurate with no extra
blocks.
Match: The number of recovered files with a correctly matching name.
Sigma: The number of recovered files with a recovered name that matches except
for the first character. This is an artifact of some deleted files on FAT file systems
where the Greek ISO representation of the letter sigma (σ) replaces the first
character of the file name to indicate a deleted file.
Multi: The number of files with blocks from two or more deleted files. In other
words, files with blocks of data from different files recovered together into one
recovered file.
Other: The number of files recovered with unrecognized data blocks. This is
usually the case when a file is partially overwritten with file system metadata.
Active: The number of recovered files that include data blocks from active (not
deleted) files.
Seq: The number of recovered files with data blocks out of sequence.
Over: The number of files that are overwritten in the test case.
Ovf: The number of files that the tool reports as overwritten.
The next three tables are an analysis within a single test case of each file deleted and each
file recovered by the tool under test. These tables are only provided for a few test cases
because of the amount of data that would be generated if these tables were provided for
each test case.
Deleted File Details
Case
File
Size
Bytes
Residue
Meta
ntfs-07
Bunda.txt
8
4096
0
none
Castor.txt
8
4096
0
none
Duhr.TXT
8
4096
0
meta
Furud.txt
15
7680
15
meta
Grumium.txt
1
512
0
meta
Each row of the Deleted File Details table describes each deleted file.
Case: The test case identifier. The field is left blank after the first file for the
remaining files of the test case.
File: The name of the deleted file.
Size: The number of 512 byte blocks allocated to the file.
July 2014
Page 14 of 41
TSK 3.2.2/Autopsy 2.24
Bytes: The number of bytes allocated to the file.
Residue: The number of data blocks not overwritten, i.e., the number of data
blocks available for recovery.
Meta: Either none or meta indicating the absence or presence of file metadata.
Recovered File Content Analysis
Case
Content
Name
Size
First
Blocks
Tail
Src
Shift
Seq
Other
dfr-ntfs-07
Grumium.txt
Grumium.txt
512
1
0
0
1
0
0
0
Furud.txt
Duhr.TXT
4,096
1
7
0
1
0
0
0
Furud.txt
Furud.txt
7,680
1
14
0
1
0
0
0
Each row of the Recovered File Content Analysis table describes each recovered file.
Case: The test case identifier. The field is left blank after the first file for the
remaining files of the test case.
Content: The file name of the file that was the source of the first recovered data
block of the recovered object.
Name: The name assigned to the recovered object by the tool under test.
Size: The value reported by the tool under test as the size of the original deleted
file.
First: The number of initial file blocks included in the recovered object.
Blocks: The number of non-initial blocks included in the recovered object.
Tail: The number of partial sector blocks included in the recovered object.
Src: The number of files contributing to the recovered file.
Shift: The number of times there is a shift to a new data source (i.e., the number
of files in addition to the first that contributed data to the recovered object).
Seq: The number of times a there is a break in the sequence of blocks within the
recovered object.
Other: The number of unidentified blocks included in the recovered object.
Some observations about this example follow:
Grumium.txt is recovered from the NTFS MFT since the file is small and
contained within the MFT there are no independently allocated file blocks to be
reported in the Available Metadata and File Block Summary table.
Duhr.TXT was completely overwritten by Furud.txt and so the recovered object
named Duhr.TXT actually contains content from the overwriting file.
Also note that even though three files were recovered, only two of the deleted
files contributed data blocks to the recovered objects. Hence the value two in the
SS column in the Available Metadata and File Block Summary table.
Recovered File Content Block Details
Case
Name
Recovered Content
dfr-ntfs-07
Duhr.TXT
Furud.txt(8 of 15)
Furud.txt
Furud.txt(15 of 15)
Grumium.txt
Grumium.txt(1 of 0)
Each row of the Recovered File Content Block Details table describes the source of
recovered file content.
July 2014
Page 15 of 41
TSK 3.2.2/Autopsy 2.24
Case: The test case identifier. The field is left blank after the first file for the
remaining files of the test case.
Name: The name of the recovered object.
Recovered Content: A list of data sources included in the recovered object. Each
entry is accompanied with the number of blocks included in the recovered object
and the size of the source object. The recovered object Duhr.TXT is composed of
eight blocks from Furud.txt, a file fifteen blocks in size.
Deleted File MAC Times
Case
File
Modify
Access
Create
ntfs-07
Bunda.txt
11/06/11 15:09:59 -0500
11/06/11 15:12:56 -0500
11/06/11 15:09:59 -0500
Castor.txt
11/06/11 15:09:59 -0500
11/06/11 15:12:56 -0500
11/06/11 15:09:59 -0500
Duhr.TXT
11/06/11 15:09:59 -0500
11/06/11 15:12:56 -0500
11/06/11 15:09:59 -0500
Furud.txt
11/06/11 15:36:36 -0500
11/06/11 15:36:36 -0500
11/06/11 15:36:36 -0500
Grumium.txt
11/06/11 15:36:36 -0500
11/06/11 15:36:36 -0500
11/06/11 15:36:36 -0500
Each row of the Deleted File Mac Times table above reports the MAC times in
MM/DD/YY HH:MM:SS format for each deleted file.
Case: The test case identifier. The field is left blank after the first file for the
remaining files of the test case.
Name: The name of the deleted file.
Modify/Access/Create: The MAC times just before the file is deleted.
Recovered File MAC Times
Case
File
Modify
Access
Create
dfr-ntfs-07
Grumium.txt
11/06/11 03:36:36PM
11/06/11 03:36:36PM
11/06/11 03:36:36PM
Duhr.TXT
11/06/11 03:09:59PM
11/06/11 03:12:56PM
11/06/11 03:09:59PM
Furud.txt
11/06/11 03:36:36PM
11/06/11 03:36:36PM
11/06/11 03:36:36PM
Each row of the Recovered File Mac Times table reports the MAC times in
MM/DD/YY HH:MM:SS format for each recovered file.
Case: The test case identifier. The field is left blank after the first file for the
remaining files of the test case.
Name: The name of the deleted file.
Modify/Access/Create: The MAC times reported by the tool under test.
4.2 File System Support
The following table identifies the file deleted for each partition type.
Case XXX-01 Deleted Files
Partition
Deleted File
EXT2
Bellatrix.txt
EXT3
Bunda.txt
EXT4
Botein.txt
FAT12
XBEID.TXT
FAT16
Betelgeuse.txt
FAT32
Bellatrix.txt
NTFS
Bunda.txt
July 2014
Page 16 of 41
TSK 3.2.2/Autopsy 2.24
Case XXX-01 Deleted Files
Partition
Deleted File
OSXJ
Bellatrix.TXT
OSX
Betelgeuse.txt
OSXCJ
Beid.txt
OSXC
xBellatrix.txt
exFAT
Betelgeuse.txt
Each row of the Recovered File Content Block Details table below describes the source
of recovered file content.
Case: The test case identifier. The field is left blank after the first file for the
remaining files of the test case.
Name: The name of the recovered object.
Recovered Content: A list of data sources included in the recovered object. Each
entry is accompanied with the number of blocks included in the recovered object
and the size of the source object.
Recovered File Content Block Details
Case
Name
Recovered Content
dfr-ext-01
OrphanFile-13
Bellatrix.txt(1 of 1)
dfr-fat-01
Bellatrix.txt
Bellatrix.txt(1 of 1)
Betelgeuse.txt
Betelgeuse.txt(1 of 1)
_BEID.TXT
XBEID.TXT(1 of 1)
dfr-ntfs-01
Bunda.txt
Bunda.txt(8 of 8)
dfr-ntfs-01
Bunda.txt
Bunda.txt(8 of 8)
4.3 Recovered Content (No Overwrites)
This subsection summarizes results for cases with no overwritten files.
The Available Metadata and File Block Summary gives a one row summary of the file
blocks and meta-data available for recovery for a testcase.
Case: The test case identifier.
Deleted: The number of files created and then deleted.
Intact/Meta: The number of files with no blocks overwritten and metadata
available. All these files should be recoverable.
Partial/Meta: The number of files with some, but not all, blocks overwritten and
metadata available. However, only independently allocated blocks are counted.
None/Meta: The number of files with all blocks overwritten, but metadata
available. For NTFS file systems, blocks from small files may be contained within
the MFT and not counted here.
Intact/None: The number of files with no blocks overwritten and metadata
overwritten.
Partial/None: The number of files with some, but not all, blocks overwritten and
metadata overwritten.
None/None: The number of files with all blocks and metadata overwritten.
Available Metadata and File Block Summary
July 2014
Page 17 of 41
TSK 3.2.2/Autopsy 2.24
Case
Deleted
Intact/Meta
Partial/Meta
None/meta
Intact/None
Partial/None
None/None
fat-01
3
3
0
0
0
0
0
fat-02
3
3
0
0
0
0
0
fat-03
3
3
0
0
0
0
0
fat-05
6
6
0
0
0
0
0
fat-05-braid
6
6
0
0
0
0
0
fat-05-nest
6
6
0
0
0
0
0
fat-06
3
3
0
0
0
0
0
fat-09
780
780
0
0
0
0
0
fat-11
9
9
0
0
0
0
0
xfat-01
1
1
0
0
0
0
0
xfat-02
1
1
0
0
0
0
0
xfat-03
1
1
0
0
0
0
0
xfat-05
2
2
0
0
0
0
0
xfat-05-braid
2
2
0
0
0
0
0
xfat-05-nest
2
2
0
0
0
0
0
xfat-06
1
1
0
0
0
0
0
xfat-09
260
260
0
0
0
0
0
xfat-11
3
3
0
0
0
0
0
ntfs-01
1
1
0
0
0
0
0
ntfs-02
1
1
0
0
0
0
0
ntfs-03
1
1
0
0
0
0
0
ntfs-05
2
2
0
0
0
0
0
ntfs-05-braid
2
2
0
0
0
0
0
ntfs-05-nest
2
2
0
0
0
0
0
ntfs-06
1
1
0
0
0
0
0
ntfs-09
260
260
0
0
0
0
0
ntfs-11
3
3
0
0
0
0
0
ext-01
3
3
0
0
0
0
0
ext-02
3
3
0
0
0
0
0
ext-03
3
3
0
0
0
0
0
ext-05
6
6
0
0
0
0
0
ext-05-braid
6
6
0
0
0
0
0
ext-05-nest
6
6
0
0
0
0
0
ext-06
3
2
1
0
0
0
0
ext-09
780
766
0
0
14
0
0
ext-11
9
9
0
0
0
0
0
The Recovered File Analysis Summary gives a one-row summary of the files recovered
for a test case.
Case: The test case identifier.
Del: The number of deleted files. The notation k/j means k files created in j
directories.
Rec: The number of files recovered by the tool. This should be at least as many as
the Intact/Meta value from the table above.
SS: The number of deleted files that contributed blocks to the recovered files.
This will be discussed below when we have more data from the example.
First: The number of recovered files that contain the first block of the deleted file.
Full: The number of recovered files that are complete and accurate with no extra
blocks.
Match: The number of recovered files with a correctly matching name.
Sigma: The number of recovered files with a recovered name that matches except
for the first character. This is an artifact of some deleted files on FAT file systems
where the Greek ISO representation of the letter sigma (σ) replaces the first
character of the file name to indicate a deleted file.
July 2014
Page 18 of 41
TSK 3.2.2/Autopsy 2.24
Multi: The number of files with blocks from two or more deleted files. In other
words, files with blocks of data from different files recovered together into one
recovered file.
Other: The number of files recovered with unrecognized data blocks. This is
usually the case when a file is partially overwritten with file system metadata.
Active: The number of recovered files that include data blocks from active (not
deleted) files.
Seq: The number of recovered files with data blocks out of sequence.
Over: The number of files that are overwritten in the test case.
Ovf: The number of files that the tool reports as overwritten.
Recovered File Analysis Summary
Case
Del
Rec
SS
First
Full
Match
Sigma
Multi
Other
Active
Seq
Over
Ovf
fat-01
3
3
3
3
3
2
1
0
0
0
0
0
0
fat-02
3
3
3
3
3
2
1
0
0
0
0
0
0
fat-03
3
3
3
3
3
2
1
0
0
0
0
0
0
fat-05
6
6
6
6
6
5
1
0
0
0
0
0
0
fat-05-braid
6
6
0
0
0
0
0
6
0
0
0
0
0
fat-05-nest
6
6
3
3
3
2
1
3
0
0
0
0
0
fat-06
3
3
0
0
0
0
0
3
0
3
0
0
0
fat-09
780
780
780
780
780
780
0
0
0
0
0
0
0
fat-11
9/3
9/0
9
9
9
9
0
0
0
0
0
0
0
xfat-01
1
0
0
0
0
0
0
0
0
0
0
0
0
ntfs-01
1
1
1
1
1
1
0
0
0
0
0
0
0
ntfs-02
1
1
1
1
1
1
0
0
0
0
0
0
0
ntfs-03
1
1
1
1
1
1
0
0
0
0
0
0
0
ntfs-05
2
2
2
2
2
2
0
0
0
0
0
0
0
ntfs-05-braid
2
2
2
2
2
2
0
0
0
0
0
0
0
ntfs-05-nest
2
2
2
2
2
2
0
0
0
0
0
0
0
ntfs-06
1
1
1
1
1
1
0
0
0
0
0
0
0
ntfs-09
260
260
260
260
260
260
0
0
0
0
0
0
0
ntfs-11
3/1
3/1
3
3
3
3
0
0
1
0
0
0
0
ext-01
3
1
1
1
1
0
0
0
0
0
0
0
0
ext-02
3
1
1
1
1
0
0
0
0
0
0
0
0
ext-03
3
1
1
1
1
0
0
0
0
0
0
0
0
ext-05
6
2
2
2
2
0
0
0
0
0
0
0
0
ext-05-braid
6
2
2
2
2
0
0
0
0
0
0
0
0
ext-05-nest
6
2
2
2
2
0
0
0
0
0
0
0
0
ext-06
3
1
1
1
1
0
0
0
0
0
0
1
0
ext-09
780
260
260
260
260
0
0
0
0
0
0
0
0
ext-11
9/3
3/0
3
3
3
0
0
0
0
0
0
0
0
T
he next two tables give summary totals by file system.
Available Metadata and File Block Summary
Case
Deleted
Intact/Meta
Partial/Meta
None/meta
Intact/None
Partial/None
None/None
fat
819
819
0
0
0
0
0
xfat
1
1
0
0
0
0
0
ntfs
273
273
0
0
0
0
0
ext
819
804
1
0
14
0
0
Totals
1912
1897
1
0
14
0
0
Recovered File Analysis By File System
Type
Del
Rec
SS
First
Full
Match
Sigma
Multi
Other
Active
Seq
Over
Ovf
FAT
819
819
807
807
807
802
5
12
0
3
0
0
0
NTFS
273
273
273
273
273
273
0
0
1
0
0
0
0
ext
819
273
273
273
273
0
0
0
0
0
0
1
0
Totals
1912
1365
1353
1353
1353
1075
5
12
1
3
0
1
0
July 2014
Page 19 of 41
TSK 3.2.2/Autopsy 2.24
4.4 Scenarios with Deleted Directories
For details about directories, refer to test cases DFR-11 (above) and test case DFR-12
(below).
4.5 Recovered Content (Overwrites)
This subsection summarizes results for cases than involve overwriting some files and
metadata. The degree of overwriting can be gauged from the Available Metadata and
File Block Summary table.
Available Metadata and File Block Summary
Case
Deleted
Intact/Meta
Partial/Meta
None/meta
Intact/None
Partial/None
None/None
fat-07
15
6
0
3
0
0
6
fat-07-one
9
3
0
2
0
0
4
fat-07-two
6
0
0
2
0
0
4
fat-08
74
32
2
9
7
1
23
fat-10
2340
780
0
0
0
0
1560
fat-12
36
27
0
0
0
9
0
fat-13
414
270
0
84
0
0
60
xfat-07
5
3
0
0
0
0
2
xfat-07-one
3
1
0
1
0
0
1
xfat-07-two
2
0
0
1
0
0
1
xfat-08
25
13
0
1
1
0
10
xfat-10
780
260
0
0
0
0
520
xfat-12
12
9
0
0
0
3
0
xfat-13
138
90
3
25
0
0
20
ntfs-07
5
1
0
2
0
0
2
ntfs-07-one
3
1
0
2
0
0
0
ntfs-07-two
2
0
0
2
0
0
0
ntfs-08
25
13
3
9
0
0
0
ntfs-10
780
260
0
497
0
0
23
ntfs-12
12
9
0
0
0
3
0
ntfs-13
138
87
0
48
0
0
3
ext-07
15
6
1
2
0
0
6
ext-07-one
9
3
0
3
0
0
3
ext-07-two
6
0
0
3
0
0
3
ext-08
49
20
0
6
3
4
16
ext-10
2340
896
1
860
12
0
571
ext-12
36
30
0
0
1
3
2
ext-13
414
270
19
95
1
1
28
The Recovered File Analysis Summary gives a one-row summary of the files recovered
for a test case.
Case: The test case identifier.
Del: The number of deleted files. The notation k/j means k files created in j
directories.
Rec: The number of files recovered by the tool. This should be at least as many as
the Intact/Meta value from the table above.
SS: The number of deleted files that contributed blocks to the recovered files.
This will be discussed below when we have more data from the example.
First: The number of recovered files that contain the first block of the deleted file.
Full: The number of recovered files that are complete and accurate with no extra
blocks.
July 2014
Page 20 of 41
TSK 3.2.2/Autopsy 2.24
Match: The number of recovered files with a correctly matching name.
Sigma: The number of recovered files with a recovered name that matches except
for the first character. This is an artifact of some deleted files on FAT file systems
where the Greek ISO representation of the letter sigma (σ) replaces the first
character of the file name to indicate a deleted file.
Multi: The number of files with blocks from two or more deleted files. In other
words, files with blocks of data from different files recovered together into one
recovered file.
Other: The number of files recovered with unrecognized data blocks. This is
usually the case when a file is partially overwritten with file system metadata.
Active: The number of recovered files that include data blocks from active (not
deleted) files.
Seq: The number of recovered files with data blocks out of sequence.
Over: The number of files that are overwritten in the test case.
Ovf: The number of files that the tool reports as overwritten.
Recovered File Analysis Summary
Case
Del
Rec
SS
First
Full
Match
Sigma
Multi
Other
Active
Seq
Over
Ovf
fat-07
15
9
6
8
6
5
1
0
0
0
0
9
0
fat-07-one
9
6
3
5
3
3
0
0
0
1
0
6
0
fat-07-two
6
3
0
0
0
0
0
0
0
3
0
6
0
fat-08
74
42
36
31
30
18
12
5
0
0
0
35
0
fat-10
2340
780
780
780
780
780
0
0
0
0
0
1560
0
fat-12
36/9
27/0
9
9
9
9
0
18
3
0
0
9
0
fat-13
414
354
66
57
57
57
0
246
0
36
0
144
0
ntfs-07
5
3
2
3
2
2
0
0
0
0
0
4
0
ntfs-07-one
3
2
1
2
1
1
0
0
0
0
0
2
0
ntfs-07-two
2
1
0
0
0
0
0
0
0
1
0
2
0
ntfs-08
25
13
11
12
10
10
0
1
0
0
0
12
0
ntfs-10
780
260
260
260
260
260
0
0
0
0
0
520
0
ntfs-12
12/3
9/2
9
9
9
9
0
0
2
0
0
3
0
ntfs-13
138
118
92
92
92
92
0
23
0
23
0
51
0
ext-07
15
3
2
2
2
0
0
1
0
0
0
9
0
ext-07-one
9
2
1
1
1
0
0
1
1
0
0
6
0
ext-07-two
6
1
0
0
0
0
0
1
1
1
0
6
0
ext-08
49
13
10
11
10
0
0
1
1
0
0
26
0
ext-10
2340
430
260
260
260
0
0
0
39
131
0
1432
0
ext-12
36/9
9/0
9
9
9
0
0
0
0
0
0
5
0
ext-13
414
125
90
90
90
0
0
25
14
30
0
143
0
Available Metadata and File Block Summary
Case
Deleted
Intact/Meta
Partial/Meta
None/meta
Intact/None
Partial/None
None/None
fat
2894
1118
2
100
7
10
1657
ntfs
965
371
3
560
0
3
28
ext
2869
1225
21
969
17
8
629
Totals
6728
2714
26
1629
24
21
2314
Recovered File Analysis By File System
Total
Del
Rec
SS
First
Full
Match
Sigma
Multi
Other
Active
Seq
Over
Ovf
FAT
2894
1221
900
890
885
872
13
269
3
40
0
1769
0
NTFS
965
406
375
378
374
374
0
24
2
24
0
594
0
ext
2869
583
372
373
372
0
0
29
56
162
0
1627
0
Totals
6728
2210
1647
1641
1631
1246
13
322
61
226
0
3990
0
July 2014
Page 21 of 41
TSK 3.2.2/Autopsy 2.24
4.6 Reported File Size for Recovered Files
This subsection summarizes reported size for recovered metadata.
The Available Metadata and File Block Summary gives a one row summary of the file
blocks and meta-data available for recovery for a testcase.
Case: The test case identifier.
Deleted: The number of files created and then deleted.
Intact/Meta: The number of files with no blocks overwritten and metadata
available. All these files should be recoverable.
Partial/Meta: The number of files with some, but not all, blocks overwritten and
metadata available. However, only independently allocated blocks are counted.
None/Meta: The number of files with all blocks overwritten, but metadata
available. For NTFS file systems, blocks from small files may be contained within
the MFT and not counted here.
Intact/None: The number of files with no blocks overwritten and metadata
overwritten.
Partial/None: The number of files with some, but not all, blocks overwritten and
metadata overwritten.
None/None: The number of files with all blocks and metadata overwritten.
Case
Deleted
Intact/Meta
Partial/Meta
None/meta
Intact/None
Partial/None
None/None
fat-01
3
3
0
0
0
0
0
fat-07
15
6
0
3
0
0
6
fat-11
9
9
0
0
0
0
0
xfat-01
1
1
0
0
0
0
0
xfat-07
5
3
0
0
0
0
2
xfat-11
3
3
0
0
0
0
0
ntfs-01
1
1
0
0
0
0
0
ntfs-07
5
1
0
2
0
0
2
ntfs-11
3
3
0
0
0
0
0
ext-01
3
3
0
0
0
0
0
ext-07
15
6
1
2
0
0
6
ext-11
9
9
0
0
0
0
0
The Recovered File Analysis Summary gives a one-row summary of the files recovered
for a test case.
Case: The test case identifier.
Del: The number of deleted files. The notation k/j means k files created in j
directories.
Rec: The number of files recovered by the tool. This should be at least as many as
the Intact/Meta value from the table above.
SS: The number of deleted files that contributed blocks to the recovered files.
This will be discussed below when we have more data from the example.
First: The number of recovered files that contain the first block of the deleted file.
Full: The number of recovered files that are complete and accurate with no extra
blocks.
Match: The number of recovered files with a correctly matching name.
July 2014
Page 22 of 41
TSK 3.2.2/Autopsy 2.24
Sigma: The number of recovered files with a recovered name that matches except
for the first character. This is an artifact of some deleted files on FAT file systems
where the Greek ISO representation of the letter sigma (σ) replaces the first
character of the file name to indicate a deleted file.
Multi: The number of files with blocks from two or more deleted files. In other
words, files with blocks of data from different files recovered together into one
recovered file.
Other: The number of files recovered with unrecognized data blocks. This is
usually the case when a file is partially overwritten with file system metadata.
Active: The number of recovered files that include data blocks from active (not
deleted) files.
Seq: The number of recovered files with data blocks out of sequence.
Over: The number of files that are overwritten in the test case.
Ovf: The number of files that the tool reports as overwritten.
Recovered File Analysis Summary
Case
Del
Rec
SS
First
Full
Match
Sigma
Multi
Other
Active
Seq
Over
Ovf
fat-01
3
3
3
3
3
2
1
0
0
0
0
0
0
fat-07
15
9
6
8
6
5
1
0
0
0
0
9
0
fat-11
9/3
9/0
9
9
9
9
0
0
0
0
0
0
0
xfat-01
1
0
0
0
0
0
0
0
0
0
0
0
0
ntfs-01
1
1
1
1
1
1
0
0
0
0
0
0
0
ntfs-07
5
3
2
3
2
2
0
0
0
0
0
4
0
ntfs-11
3/1
3/1
3
3
3
3
0
0
1
0
0
0
0
ext-01
3
1
1
1
1
0
0
0
0
0
0
0
0
ext-07
15
3
2
2
2
0
0
1
0
0
0
9
0
ext-11
9/3
3/0
3
3
3
0
0
0
0
0
0
0
0
Each row of the Deleted File Details table describes each deleted file.
Case: The test case identifier. The field is left blank after the first file for the
remaining files of the test case.
File: The name of the deleted file.
Size: The number of 512 byte blocks allocated to the file.
Bytes: The number of bytes allocated to the file.
Residue: The number of data blocks not overwritten, i.e., the number of data
blocks available for recovery.
Meta: Either none or meta indicating the absence or presence of file metadata.
eta
ne
eta
eta
eta
eta
Deleted File Details
Case
File S
ize By
tes R
esidue
Meta
fat-01
Bellatrix.txt 1
71
2 1
meta
Betelgeuse.txt 1
71
2 1
m
XBEID.TXT 1
71
2 1
meta
fat-07
Bellatrix.txt 8
40
96 0
no
ne
Betelgeuse.txt 8
40
96 0
no
Canopus.txt 8
40
96 0
no
ne
Capella.txt 8
40
96 0
meta
Deneb.txt 8
40
96 0
meta
Denebola.TXT 8
40
96 0
m
Fomalhaut.TXT 1
6 81
92 1
6 m
FumAlSamakah.txt 1
6 81
92 1
6 m
Gemma.TXT 8
40
96 8
m
July 2014
Page 23 of 41
TSK 3.2.2/Autopsy 2.24
Deleted File Details
Case
File
Size
Bytes
Residue
Meta
Giauzar.txt
8
4096
8
meta
Graffias.TXT
8
4096
8
meta
XBEID.TXT
8
4096
0
none
XCAPH.TXT
8
4096
0
none
XDUBHE.TXT
8
4096
0
none
XFURUD.TXT
16
8192
16
meta
fat-11
Capella.txt
16
8192
16
meta
Elnasl.txt
16
8192
16
meta
Maaz.txt
16
8192
16
meta
Nunki.txt
16
8192
16
meta
Rastaban.txt
16
8192
16
meta
Rukbat.txt
16
8192
16
meta
Sadatoni.txt
16
8192
16
meta
Thuban.txt
16
8192
16
meta
Tyl.txt
16
8192
16
meta
xfat-01
Betelgeuse.txt
8
4396
8
meta
xfat-07
Betelgeuse.txt
1
512
0
none
Capella.txt
1
512
0
none
Deneb.txt
1
512
1
meta
Fomalhaut.TXT
2
1024
2
meta
Gemma.TXT
1
512
1
meta
xfat-11
Adhil.txt
4
2048
4
meta
Alpheratz.txt
4
2048
4
meta
Mirach.txt
4
2048
4
meta
ntfs-01
Bunda.txt
8
4296
8
meta
ntfs-07
Bunda.txt
8
4096
0
none
Castor.txt
8
4096
0
none
Duhr.TXT
8
4096
0
meta
Furud.txt
15
7680
15
meta
Grumium.txt
1
512
0
meta
ntfs-11
Sheliak.txt
4
2048
4
meta
Sulafat.txt
4
2048
4
meta
Vega.txt
4
2048
4
meta
ext-01
Bellatrix.txt
1
712
1
meta
Botein.txt
1
712
1
meta
Bunda.txt
1
712
1
meta
ext-07
Bellatrix.txt
8
4096
0
none
Botein.txt
8
4096
0
none
Bunda.txt
8
4096
0
none
Canopus.txt
8
4096
0
none
Castor.txt
8
4096
0
none
Chort.txt
8
4096
0
none
Denebola.TXT
8
4096
0
meta
Diadem.TXT
8
4096
6
meta
Duhr.TXT
8
4096
0
meta
FumAlSamakah.txt
16
8192
16
meta
Furud.txt
16
8192
16
meta
Giauzar.txt
6
3072
6
meta
Gomeisa.txt
8
4096
8
meta
Grumium.txt
6
3072
6
meta
fornax.txt
16
8192
16
meta
ext-11
Adhil.txt
16
8192
16
meta
Alpheratz.txt
16
8192
16
meta
Betelguese.txt
16
8192
16
meta
Mintaka.txt
16
8192
16
meta
Mirach.txt
16
8192
16
meta
Rigel.txt
16
8192
16
meta
Sheliak.txt
16
8192
16
meta
Sulafat.txt
16
8192
16
meta
Vega.txt
16
8192
16
meta
Each row of the Recovered File Content Analysis table describes each recovered file.
July 2014
Page 24 of 41
TSK 3.2.2/Autopsy 2.24
Case: The test case identifier. The field is left blank after the first file for the
remaining files of the test case.
Content: The file name of the file that was the source of the first recovered data
block of the recovered object.
Name: The name assigned to the recovered object by the tool under test.
Size: The value reported by the tool under test as the size of the original deleted
file.
First: The number of initial file blocks included in the recovered object.
Blocks: The number of non-initial blocks included in the recovered object.
Tail: The number of partial sector blocks included in the recovered object.
Src: The number of files contributing to the recovered file.
Shift: The number of times there is a shift to a new data source (i.e., the number
of files in addition to the first that contributed data to the recovered object).
Seq: The number of times a there is a break in the sequence of blocks within the
recovered object.
Other: The number of unidentified blocks included in the recovered object.
Recovered File Content Analysis
Case
Content
Name
Size
First
Blocks
Tail
Src
Shift
Seq
Other
dfr-fat-01
XBEID.TXT
_BEID.TXT
712
1
0
1
1
0
0
0
Bellatrix.txt
Bellatrix.txt
712
1
0
1
1
0
0
0
Betelgeuse.txt
Betelgeuse.txt
712
1
0
1
1
0
0
0
dfr-fat-07
Fomalhaut.TXT
Fomalhaut.TXT
8192
1
15
0
1
0
0
0
FumAlSamakah.txt
FumAlSamakah.txt
8192
1
15
0
1
0
0
0
Gemma.TXT
Deneb.txt
4096
1
7
0
1
0
0
0
Gemma.TXT
Gemma.TXT
4096
1
7
0
1
0
0
0
Fomalhaut.TXT
_APELLA.TXT
4096
0
8
0
1
1
0
0
XFURUD.TXT
_FURUD.TXT
8192
1
15
0
1
0
0
0
Giauzar.txt
Giauzar.txt
4096
1
7
0
1
0
0
0
Graffias.TXT
Graffias.TXT
4096
1
7
0
1
0
0
0
Giauzar.txt
_ENEBOLA.TXT
4096
1
7
0
1
0
0
0
dfr-fat-11
Nunki.txt
Nunki.txt
8192
1
15
0
1
0
0
0
Tyl.txt
Tyl.txt
8192
1
15
0
1
0
0
0
Capella.txt
Capella.txt
8192
1
15
0
1
0
0
0
Rastaban.txt
Rastaban.txt
8192
1
15
0
1
0
0
0
Maaz.txt
Maaz.txt
8192
1
15
0
1
0
0
0
Thuban.txt
Thuban.txt
8192
1
15
0
1
0
0
0
Sadatoni.txt
Sadatoni.txt
8192
1
15
0
1
0
0
0
Elnasl.txt
Elnasl.txt
8192
1
15
0
1
0
0
0
Rukbat.txt
Rukbat.txt
8192
1
15
0
1
0
0
0
dfr-ntfs-01
Bunda.txt
Bunda.txt
4296
1
7
1
1
0
0
0
dfr-ntfs-07
Grumium.txt
Grumium.txt
512
1
0
0
1
0
0
0
Furud.txt
Duhr.TXT
4096
1
7
0
1
0
0
0
Furud.txt
Furud.txt
7680
1
14
0
1
0
0
0
dfr-ntfs-11
Vega.txt
Vega.txt
2048
1
3
0
1
0
0
0
Unknown
Lyra
48
0
0
0
1
0
0
1
Sheliak.txt
Sheliak.txt
2048
1
3
0
1
0
0
0
Sulafat.txt
Sulafat.txt
2048
1
3
0
1
0
0
0
dfr-ext-01
Bellatrix.txt
OrphanFile-13
712
1
0
1
1
0
0
0
dfr-ext-07
Giauzar.txt
OrphanFile-15
4096
1
7
0
2
1
0
0
Giauzar.txt
OrphanFile-14
3072
1
5
0
1
0
0
0
FumAlSamakah.txt
OrphanFile-13
8192
1
15
0
1
0
0
0
dfr-ext-11
Mintaka.txt
OrphanFile-38763
8192
1
15
0
1
0
0
0
Betelguese.txt
OrphanFile-38764
8192
1
15
0
1
0
0
0
Rigel.txt
OrphanFile-38762
8192
1
15
0
1
0
0
0
July 2014
Page 25 of 41
TSK 3.2.2/Autopsy 2.24
4.7 Recovered MAC Times
The MAC times are as reported by the stat command from a Linux environment
(MM/DD/YY HH:MM:SS + or – HHMM) for ext, fat and NTFS. The MAC times for the
exFAT cases are as reported by the stat command from an OS X environment. The file
delete times are as reported by the Windows dir command.
Note that for the FAT dates and times the stat times reported as the actual MAC times
should be adjusted by adding one hour.
Also note that the operating system replaces the ctime meta-data with the time of file
deletion for ext file systems. Therefore the expected ctime value is the deletion time and
not the ctime value just before file deletion. Otherwise the expected value for a recovered
MAC time is the MAC time just before file deletion.
Each row of the Deleted File Mac Times table reports the MAC times in MM/DD/YY
HH:MM:SS format for each deleted file just before the file is deleted.
Case: The test case identifier. The field is left blank after the first file for the
remaining files of the test case.
Name: The name of the deleted file.
Modify/Access/Create: The MAC times just before the file is deleted.
Deleted File MAC Times
Case
File
Modify
Access
Create
ext-01
Bellatrix.txt
02/29/00 13:13:00 -0500
01/02/99 03:03:00 -0500
10/09/11 13:10:19 -0400
Botein.txt
02/29/00 13:15:00 -0500
01/02/99 03:05:00 -0500
10/09/11 13:10:20 -0400
Bunda.txt
02/29/00 13:14:00 -0500
01/02/99 03:04:00 -0500
10/09/11 13:10:20 -0400
fat-01
Bellatrix.txt
02/29/00 13:13:00 -0500
01/01/99 23:00:00 -0500
12/25/11 13:02:24 -0500
Betelgeuse.txt
02/29/00 13:12:00 -0500
01/01/99 23:00:00 -0500
12/25/11 13:02:24 -0500
XBEID.TXT
02/29/00 13:11:00 -0500
01/01/99 23:00:00 -0500
12/25/11 13:02:23 -0500
ntfs-01
Bunda.txt
02/29/00 13:14:00 -0500
01/02/99 03:04:00 -0500
02/03/12 10:12:59 -0500
xfat-01
Betelgeuse.txt
02/29/00 13:12:00
01/2/99 03:02:00
02/29/00 13:12:00
The File Delete Times table reports the time the file was deleted for ext file systems.
These times are the expected values recovered for ctime for the ext file systems.
File Delete Times (ext)
Case
Operation
File Delete Time
ext-01
delete
Bellatrix.txt
ext-01
delete time
Sun Oct 9 13:12:59 EDT 2011
ext-01
delete
Bunda.txt
ext-01
delete time
Sun Oct 9 13:13:00 EDT 2011
ext-01
delete
Botein.txt
ext-01
delete time
Sun Oct 9 13:13:00 EDT 2011
Each row of the Recovered File Mac Times table reports the MAC times in
MM/DD/YY HH:MM:SS format for each recovered file.
July 2014
Page 26 of 41
TSK 3.2.2/Autopsy 2.24
Case: The test case identifier. The field is left blank after the first file for the
remaining files of the test case.
Name: The name of the deleted file.
Modify/Access/Create: The MAC times reported by the tool under test.
Recovered File MAC Times
Case
File
Modify
Access
Create
dfr-ext-01
Botein.txt
2011-10-09 13:13:00
1999-01-02 03:05:00
2011-10-09 13:13:00
Bellatrix.txt
0000-00-00 00:00:00
0000-00-00 00:00:00
0000-00-00 00:00:00
OrphanFile-13
2000-02-29 13:13:00
1999-01-02 03:03:00
2011-10-09 13:12:59
Bunda.txt
2011-10-09 13:13:00
1999-01-02 03:04:00
2011-10-09 13:13:00
dfr-fat-01
_BEID.TXT
2000-02-29 14:11:00
1999-01-02 00:00:00
2011-12-25 14:02:22
Bellatrix.txt
2000-02-29 14:13:00
1999-01-02 00:00:00
2011-12-25 14:02:24
Betelgeuse.txt
2000-02-29 14:12:00
1999-01-02 00:00:00
2011-12-25 14:02:24
dfr-ntfs-01
Bunda.txt
2000-02-29 13:14:00
1999-01-02 03:04:00
2012-02-03 10:12:59
4.8 Non-Latin Character File Names
The Recovered File Analysis Summary gives a one-row summary of the files recovered
for a test case.
Case: The test case identifier.
Del: The number of deleted files. The notation k/j means k files created in j
directories.
Rec: The number of files recovered by the tool. This should be at least as many as
the Intact/Meta value from the table above.
SS: The number of deleted files that contributed blocks to the recovered files.
This will be discussed below when we have more data from the example.
First: The number of recovered files that contain the first block of the deleted file.
Full: The number of recovered files that are complete and accurate with no extra
blocks.
Match: The number of recovered files with a correctly matching name.
Sigma: The number of recovered files with a recovered name that matches except
for the first character. This is an artifact of some deleted files on FAT file systems
where the Greek ISO representation of the letter sigma (σ) replaces the first
character of the file name to indicate a deleted file.
Multi: The number of files with blocks from two or more deleted files. In other
words, files with blocks of data from different files recovered together into one
recovered file.
Other: The number of files recovered with unrecognized data blocks. This is
usually the case when a file is partially overwritten with file system metadata.
Active: The number of recovered files that include data blocks from active (not
deleted) files.
Seq: The number of recovered files with data blocks out of sequence.
Over: The number of files that are overwritten in the test case.
Ovf: The number of files that the tool reports as overwritten.
Recovered File Analysis Summary
Case
Del
Rec
SS
First
Full
Match
Sigma
Multi
Other
Active
Seq
Over
Ovf
July 2014
Page 27 of 41
TSK 3.2.2/Autopsy 2.24
Recovered File Analysis Summary
Case
Del
Rec
SS
First
Full
Match
Sigma
Multi
Other
Active
Seq
Over
Ovf
ext-04
36
12
12
12
12
0
0
0
0
0
0
0
0
fat-04
36
36
36
36
36
0
0
0
0
0
0
0
0
ntfs-04
12
12
12
12
12
0
0
0
0
0
0
0
0
Each row of the Recovered File Content Block Details table describes the source of
recovered file content.
Case: The test case identifier. The field is left blank after the first file for the
remaining files of the test case.
Name: The name of the recovered object.
Recovered Content: A list of data sources included in the recovered object. Each
entry is accompanied with the number of blocks included in the recovered object
and the size of the source object.
Recovered File Content Block Details
Case
Name
Recovered Content
dfr-ext-04
OrphanFile-12
Naan.txt3(8 of 8)
OrphanFile-14
Pakora.txt3(8 of 8)
OrphanFile-16
Seoul.txt3(8 of 8)
OrphanFile-19
Walnut.txt3(8 of 8)
OrphanFile-21
Hummus.txt3(8 of 8)
OrphanFile-23
Tagine.txt3(8 of 8)
OrphanFile-24
Tea.txt3(8 of 8)
OrphanFile-26
Mitsubishi-k.txt3(8 of 8)
OrphanFile-27
Mitsubishi-h.txt3(8 of 8)
OrphanFile-29
Vessel.txt3(8 of 8)
OrphanFile-30
BeiJing.txt3(8 of 8)
OrphanFile-33
Tokyo.txt3(8 of 8)
dfr-fat-04
Gefäß.txt1
Vessel.txt1(8 of 8)
Gefäß.txt2
Vessel.txt2(8 of 8)
Gefäß.txt3
Vessel.txt3(8 of 8)
北京
.txt1
BeiJing.txt1(8 of 8)
東京.txt1
Tokyo.txt1(8 of 8)
北京.txt2
BeiJing.txt2(8 of 8)
東京
.txt2
Tokyo.txt2(8 of 8)
北京
.txt3
BeiJing.txt3(8 of 8)
東京
.txt3
Tokyo.txt3(8 of 8)
.txt1
Naan.txt1(8 of 8)
.txt2
Naan.txt2(8 of 8)
.txt3
Naan.txt3(8 of 8)
чай.txt1
Tea.txt1(8 of 8)
گردو.txt1
Walnut.txt1(8 of 8)
чай.txt2
Tea.txt2(8 of 8)
گردو.txt2
Walnut.txt2(8 of 8)
чай.txt3
Tea.txt3(8 of 8)
گردو.txt3
Walnut.txt3(8 of 8)
חומוס.txt1
Hummus.txt1(8 of 8)
طﺎﺠﯿﻧ.txt1
Tagine.txt1(8 of 8)
ﭗﮐوڑا.txt1
Pakora.txt1(8 of 8)
서울
.txt1
Seoul.txt1(8 of 8)
みつびし
.txt1
Mitsubishi-h.txt1(8 of 8)
ミツビシ
.txt1
Mitsubishi-k.txt1(8 of 8)
חומוס.txt2
Hummus.txt2(8 of 8)
طﺎﺠﯿﻧ.txt2
Tagine.txt2(8 of 8)
ﭗﮐوڑا.txt2
Pakora.txt2(8 of 8)
July 2014
Page 28 of 41
TSK 3.2.2/Autopsy 2.24
Recovered File Content Block Details
Case
Name
Recovered Content
.txt2
Seoul.txt2(8 of 8)
みつびし
.txt2
Mitsubishi-h.txt2(8 of 8)
ミツビシ
.txt2
Mitsubishi-k.txt2(8 of 8)
חומוס.txt3
Hummus.txt3(8 of 8)
طﺎﺠﯿﻧ.txt3
Tagine.txt3(8 of 8)
ﭗﮐوڑا.txt3
Pakora.txt3(8 of 8)
.txt3
Seoul.txt3(8 of 8)
みつびし
.txt3
Mitsubishi-h.txt3(8 of 8)
ミツビシ
.txt3
Mitsubishi-k.txt3(8 of 8)
dfr-ntfs-04
Gefäß.txt
Vessel.txt(4 of 4)
北京
.txt
BeiJing.txt(4 of 4)
東京.txt
Tokyo.txt(4 of 4)
.txt
Naan.txt(4 of 4)
чай.txt
Tea.txt(4 of 4)
گردو.txt
Walnut.txt(4 of 4)
.txtסומוח
Hummus.txt(4 of 4)
.txtنيجاط
Tagine.txt(4 of 4)
.txtاڑوکپ
Pakora.txt(4 of 4)
.txt
Seoul.txt(4 of 4)
みつびし
.txt
Mitsubishi-h.txt(4 of 4)
ミツビシ
.txt
Mitsubishi-k.txt(4 of 4)
4.9 Deletion Through Recycle Bin
The Available Metadata and File Block Summary gives a one row summary of the file
blocks and meta-data available for recovery for a test case.
Case: The test case identifier.
Deleted: The number of files created and then deleted.
Intact/Meta: The number of files with no blocks overwritten and metadata
available. All these files should be recoverable.
Partial/Meta: The number of files with some, but not all, blocks overwritten and
metadata available. However, only independently allocated blocks are counted.
None/Meta: The number of files with all blocks overwritten, but metadata
available. For NTFS file systems, blocks from small files may be contained within
the MFT and not counted here.
Intact/None: The number of files with no blocks overwritten and metadata
overwritten.
Partial/None: The number of files with some, but not all, blocks overwritten and
metadata overwritten.
None/None: The number of files with all blocks and metadata overwritten.
Available Metadata and File Block Summary
Case
Deleted
Intact/Meta
Partial/Meta
None/meta
Intact/None
Partial/None
None/None
ext-01-recycle
3
3
0
0
0
0
0
fat-01-recycle
3
3
0
0
0
0
0
ntfs-01-recycle
1
1
0
0
0
0
0
July 2014
Page 29 of 41
TSK 3.2.2/Autopsy 2.24
The Recovered File Analysis Summary gives a one-row summary of the files recovered
for a test case.
Case: The test case identifier.
Del: The number of deleted files. The notation k/j means k files created in j
directories.
Rec: The number of files recovered by the tool. This should be at least as many as
the Intact/Meta value from the table above.
SS: The number of deleted files that contributed blocks to the recovered files.
This will be discussed below when we have more data from the example.
First: The number of recovered files that contain the first block of the deleted file.
Full: The number of recovered files that are complete and accurate with no extra
blocks.
Match: The number of recovered files with a correctly matching name.
Sigma: The number of recovered files with a recovered name that matches except
for the first character. This is an artifact of some deleted files on FAT file systems
where the Greek ISO representation of the letter sigma (σ) replaces the first
character of the file name to indicate a deleted file.
Multi: The number of files with blocks from two or more deleted files. In other
words, files with blocks of data from different files recovered together into one
recovered file.
Other: The number of files recovered with unrecognized data blocks. This is
usually the case when a file is partially overwritten with file system metadata.
Active: The number of recovered files that include data blocks from active (not
deleted) files.
Seq: The number of recovered files with data blocks out of sequence.
Over: The number of files that are overwritten in the test case.
Ovf: The number of files that the tool reports as overwritten.
Recovered File Analysis Summary
Case
Del
Rec
SS
First
Full
Match
Sigma
Multi
Other
Active
Seq
Over
Ovf
ext-01-recycle
3
2
1
1
1
0
0
0
1
0
0
0
0
fat-01-recycle
3
7
3
5
3
2
1
0
2
0
0
0
0
ntfs-01-recycle
1
2
1
1
1
0
0
0
1
0
0
0
0
Each row of the Deleted File Details table describes each deleted file.
Case: The test case identifier. The field is left blank after the first file for the
remaining files of the test case.
File: The name of the deleted file.
Size: The number of 512 byte blocks allocated to the file.
Bytes: The number of bytes allocated to the file.
Residue: The number of data blocks not overwritten, i.e., the number of data
blocks available for recovery.
Meta: Either none or meta indicating the absence or presence of file metadata.
Deleted File Details
July 2014
Page 30 of 41
TSK 3.2.2/Autopsy 2.24
Case
File
Size
Bytes
Residue
Meta
ext-01-recycle
Bellatrix.txt
8
4096
8
meta
Botein.txt
8
4096
8
meta
Bunda.txt
8
4096
8
meta
fat-01-recycle
Bellatrix.txt
8
4096
8
meta
Betelgeuse.txt
8
4096
8
meta
XBEID.TXT
8
4096
8
meta
ntfs-01-recycle
Bunda.txt
8
4296
8
meta
Each row of the Recovered File Content Block Details table describes the source of
recovered file content.
Case: The test case identifier. The field is left blank after the first file for the
remaining files of the test case.
Name: The name of the recovered object.
Recovered Content: A list of data sources included in the recovered object. Each
entry is accompanied with the number of blocks included in the recovered object
and the size of the source object.
Recovered File Content Block Details
Case
Name
Recovered Content
dfr-ext-01-recycle
OrphanFile-13
Bellatrix.txt(8 of 8)
OrphanFile-75483
other(1)
dfr-fat-01-recycle
Bellatrix.txt
Bellatrix.txt(8 of 8)
Betelgeuse.txt
Betelgeuse.txt(8 of 8)
_BEID.TXT
XBEID.TXT(8 of 8)
_IOONCP6.txt
other(2)
_IQCRFK5.txt
other(2)
_ROONCP6.txt
Betelgeuse.txt(8 of 8)
_RQCRFK5.txt
Bellatrix.txt(8 of 8)
dfr-ntfs-01-recycle
$I019S2V.txt
other(2)
$R019S2V.txt
Bunda.txt(8 of 8)
4.10 Special NTFS Situations
The Available Metadata and File Block Summary gives a one row summary of the file
blocks and meta-data available for recovery for a testcase.
Case: The test case identifier.
Deleted: The number of files created and then deleted.
Intact/Meta: The number of files with no blocks overwritten and metadata
available. All these files should be recoverable.
Partial/Meta: The number of files with some, but not all, blocks overwritten and
metadata available. However, only independently allocated blocks are counted.
None/Meta: The number of files with all blocks overwritten, but metadata
available. For NTFS file systems, blocks from small files may be contained within
the MFT and not counted here.
Intact/None: The number of files with no blocks overwritten and metadata
overwritten.
Partial/None: The number of files with some, but not all, blocks overwritten and
metadata overwritten.
July 2014
Page 31 of 41
TSK 3.2.2/Autopsy 2.24
None/None: The number of files with all blocks and metadata overwritten.
Available Metadata and File Block Summary
Case
Deleted
Intact/Meta
Partial/Meta
None/meta
Intact/None
Partial/None
None/None
ntfs-11-
compress
3
0
0
3
0
0
0
ntfs-11-mft
3
0
0
3
0
0
0
The Recovered File Analysis Summary gives a one-row summary of the files recovered
for a test case.
Case: The test case identifier.
Del: The number of deleted files. The notation k/j means k files created in j
directories.
Rec: The number of files recovered by the tool. This should be at least as many as
the Intact/Meta value from the table above.
SS: The number of deleted files that contributed blocks to the recovered files.
This will be discussed below when we have more data from the example.
First: The number of recovered files that contain the first block of the deleted file.
Full: The number of recovered files that are complete and accurate with no extra
blocks.
Match: The number of recovered files with a correctly matching name.
Sigma: The number of recovered files with a recovered name that matches except
for the first character. This is an artifact of some deleted files on FAT file systems
where the Greek ISO representation of the letter sigma (σ) replaces the first
character of the file name to indicate a deleted file.
Multi: The number of files with blocks from two or more deleted files. In other
words, files with blocks of data from different files recovered together into one
recovered file.
Other: The number of files recovered with unrecognized data blocks. This is
usually the case when a file is partially overwritten with file system metadata.
Active: The number of recovered files that include data blocks from active (not
deleted) files.
Seq: The number of recovered files with data blocks out of sequence.
Over: The number of files that are overwritten in the test case.
Ovf: The number of files that the tool reports as overwritten.
Recovered File Analysis Summary
Case
Del
Rec
SS
First
Full
Match
Sigma
Multi
Other
Active
Seq
Over
Ovf
ntfs-11-compress
3/1
3/1
3
3
3
3
0
0
1
0
0
3
0
ntfs-11-mft
3/1
3/1
3
3
3
3
0
0
1
0
0
3
0
Content Analysis
Case
Content
Name
First
Blocks
Tail
Src
Shift
Seq
Other
dfr-ntfs-11-compress
Folder
Lyra
0
0
0
1
0
0
1
Sheliak.txt
Sheliak.txt
1
31
0
1
0
0
0
Sulafat.txt
Sulafat.txt
1
31
0
1
0
0
0
Vega.txt
Vega.txt
1
31
0
1
0
0
0
dfr-ntfs-11-mft
Folder
Lyra
0
0
0
1
0
0
1
Sheliak.txt
Sheliak.txt
1
0
0
1
0
0
0
July 2014
Page 32 of 41
TSK 3.2.2/Autopsy 2.24
Content Analysis
Case
Content
Name
First
Blocks
Tail
Src
Shift
Seq
Other
Sulafat.txt
Sulafat.txt
1
0
0
1
0
0
0
Vega.txt
Vega.txt
1
0
0
1
0
0
0
Each row of the Recovered File Content Block Details table describes the source of
recovered file content.
Case: The test case identifier. The field is left blank after the first file for the
remaining files of the test case.
Name: The name of the recovered object.
Recovered Content: A list of data sources included in the recovered object. Each
entry is accompanied with the number of blocks included in the recovered object
and the size of the source object.
Recovered File Content Block Details
Case
Name
Recovered Content
ntfs-11-compress
Sheliak.txt
Sheliak.txt(32 of 0)
Sulafat.txt
Sulafat.txt(32 of 0)
Vega.txt
Vega.txt(32 of 0)
ntfs-11-mft
Sheliak.txt
Sheliak.txt(1 of 0)
Sulafat.txt
Sulafat.txt(1 of 0)
Vega.txt
Vega.txt(1 of 0)
4.11 Listing Special Objects (Links, Alternate Data Streams, etc.)
The Objects Created Table lists by partition each object created for case xxx-15.
Objects Created for ext-15
Step
Operation
Files in Partition EXT2
1
create
Adhara-X2.txt
1
link
Adhara-hard-link-X2.txt->Adhara-X2.txt
1
create
.hidden-X2.txt
1
create
Dschubba-X2.txt
1
link
Dschubba-symbolic-link-X2.txt=>Dschubba-X2.txt
1
mkdir
Aquila-dir-X2
1
create
Altair-FileInDir-X2
1
link
Aquila-sym-linkToDir-X2=>Aquila-dir-X2
Step
Operation
Files in Partition EXT3
1
create
Betelgeuse-X3.txt
1
link
Betelgeuse-hard-link-X3.txt->Betelgeuse-X3.txt
1
create
.hidden-X3.txt
1
create
Electra-X3.txt
1
link
Electra-symbolic-link-X3.txt=>Electra-X3.txt
1
mkdir
Cygnus-dir-X3
1
create
Deneb-FileInDir-X3
1
link
Cygnus-sym-linkToDir-X3=>Cygnus-dir-X3
Step
Operation
Files in Partition EXT4
1
create
Canopus-X4.txt
1
link
Canopus-hard-link-X4.txt->Canopus-X4.txt
1
create
.hidden-X4.txt
1
create
Mintaka-X4.txt
1
link
Mintaka-symbolic-link-X4.txt=>Mintaka-X4.txt
1
mkdir
Lyra-dir-X4
1
create
Vega-FileInDir-X4
1
link
Lyra-sym-linkToDir-X4=>Lyra-dir-X4
July 2014
Page 33 of 41
TSK 3.2.2/Autopsy 2.24
The Special Objects Listed table identifies each object and attributes reported by
the tested tool.
Special Objects Listed for dfr-ext-15
Attributes
Object
Active
Adhara-hard-link-X2.txt
Active
Adhara-X2.txt
Active
Altair-FileInDir-X2
Active.Folder
Aquila-dir-X2/
Active
Aquila-sym-linkToDir-X2
Active
Betelgeuse-hard-link-X3.txt
Active
Betelgeuse-X3.txt
Active
Canopus-hard-link-X4.txt
Active
Canopus-X4.txt
Active.Folder
Cygnus-dir-X3/
Active
Cygnus-sym-linkToDir-X3
Active
Deneb-FileInDir-X3
Active
Dschubba-symbolic-link-X2.txt
Active
Dschubba-X2.txt
Active
Electra-symbolic-link-X3.txt
Active
Electra-X3.txt
Active
.hidden-X2.txt
Active
.hidden-X3.txt
Active
.hidden-X4.txt
Active.Folder
Lyra-dir-X4/
Active
Lyra-sym-linkToDir-X4
Active
Mintaka-symbolic-link-X4.txt
Active
Mintaka-X4.txt
The Objects Created Table lists by partition each object created for case xxx-15.
Objects Created for fat-15
Step
Operation
Files in Partition FAT12
1
create
Adhara-file-FAT12.txt
1
link
Adhara-shortcut-FAT12.txt->Adhara-file-FAT12.txt
1
create
ReadOnly-FAT12.txt
1
create
Archive-FAT12.txt
1
create
System-FAT12.txt
1
create
Hidden-FAT12.txt
1
create
NotIndexed-FAT12.txt
Step
Operation
Files in Partition FAT16
1
create
Betelgeuse-file-FAT16.txt
1
link
Betelgeuse-shortcut-FAT16.txt->Betelgeuse-file-FAT16.txt
1
create
ReadOnly-FAT16.txt
1
create
Archive-FAT16.txt
1
create
System-FAT16.txt
1
create
Hidden-FAT16.txt
1
create
NotIndexed-FAT16.txt
Step
Operation
Files in Partition FAT32
1
create
Canopus-file-FAT32.txt
1
link
Canopus-shortcut-FAT32.txt->Canopus-file-FAT32.txt
1
create
ReadOnly-FAT32.txt
1
create
Archive-FAT32.txt
1
create
System-FAT32.txt
1
create
Hidden-FAT32.txt
1
create
NotIndexed-FAT32.txt
July 2014
Page 34 of 41
TSK 3.2.2/Autopsy 2.24
The Special Objects Listed table identifies each object and attributes reported by
the tested tool.
Special Objects Listed for dfr-fat-15
Attributes
Object
Active
Adhara-file-FAT12.txt
Active
Adhara-shortcut-FAT12.lnk
Active
Archive-FAT12.txt
Active
Archive-FAT16.txt
Active
Archive-FAT32.txt
Active
Betelgeuse-file-FAT16.txt
Active
Betelgeuse-shortcut-FAT16.lnk
Active
Canopus-file-FAT32.txt
Active
Canopus-shortcut-FAT32.lnk
Active
Hidden-FAT12.txt
Active
Hidden-FAT16.txt
Active
Hidden-FAT32.txt
Active
NotIndexed-FAT12.txt
Active
NotIndexed-FAT16.txt
Active
NotIndexed-FAT32.txt
Active
ReadOnly-FAT12.txt
Active
ReadOnly-FAT16.txt
Active
ReadOnly-FAT32.txt
Active
System-FAT12.txt
Active
System-FAT16.txt
Active
System-FAT32.txt
The Objects Created Table lists by partition each object created for case xxx-15.
Objects Created for ntfs-15
Step
Operation
Files in Partition NTFS
1
create
shortcut-file.txt
1
create
hard-file.txt
1
create
symbolic-file.txt
1
create
stream-file.txt
1
link
shortcut-shortcut.lnk->shortcut-file.txt
1
link
hard-link.txt->hard-file.txt
1
link
symbolic-link.txt->symbolic-file.txt
1
ads
stream-file.txt+Brahmaputra.txt
1
create
ReadOnly-ntfs.txt
1
create
Archive-ntfs.txt
1
create
System-ntfs.txt
1
create
Hidden-ntfs.txt
1
create
NotIndexed-ntfs.txt
The Special Objects Listed table identifies each object and attributes reported by
the tested tool.
Special Objects Listed for dfr-ntfs-15
Attributes
Object
Active
Archive-ntfs.txt
Active
hard-file.txt
Active
hard-link.txt
Active
Hidden-ntfs.txt
Active
NotIndexed-ntfs.txt
Active
ReadOnly-ntfs.txt
Active
shortcut-file.txt
Active
shortcut-shortcut.lnk
July 2014
Page 35 of 41
TSK 3.2.2/Autopsy 2.24
Special Objects Listed for dfr-ntfs-15
Attributes
Object
Active
stream-file.txt
Active
stream-file.txt:Brahmaputra.txt
Active
symbolic-file.txt
Active
symbolic-link.txt
Active
System-ntfs.txt
4.12 Recover Special Objects (Links, Alternate Data Streams,
etc.)
The Objects Created Table ext-14 lists by partition each object created for case ext-14.
Objects Created for ext-14
Step
Operation
Files in Partition EXT2
1
mkdir
far-X4
1
create
Canopus-target-local-rmTarget-X4.txt Canopus-target-remote-rmTarget-X4.txt
1
link
Canopus-near-rmTarget-X4.txt->Canopus-target-local-rmTarget-X4.txt
1
link
far-X4/Canopus-far-rmTarget-X4.txt->Canopus-target-remote-rmTarget-X4.txt
1
create
Castor-target-local-rmLink-X4.txt Castor-target-remote-rmLink-X4.txt
1
link
Castor-near-rmLink-X4.txt->Castor-target-local-rmLink-X4.txt
1
link
far-X4/Castor-far-rmLink-X4.txt->Castor-target-remote-rmLink-X4.txt
1
create
Capella-target-local-rmBoth-X4.txt Capella-target-remote-rmBoth-X4.txt
1
link
Capella-near-rmBoth-X4.txt->Capella-target-local-rmBoth-X4.txt
1
link
far-X4/Capella-far-rmBoth-X4.txt->Capella-target-remote-rmBoth-X4.txt
1
create
Mintaka-target-local-rmTarget-X4.txt Mintaka-target-remote-rmTarget-X4.txt
1
link
Mintaka-near-rmTarget-X4.txt=>Mintaka-target-local-rmTarget-X4.txt
1
link
far-X4/Mintaka-far-rmTarget-X4.txt=>Mintaka-target-remote-rmTarget-X4.txt
1
create
Mizar-target-local-rmLink-X4.txt Mizar-target-remote-rmLink-X4.txt
1
link
Mizar-near-rmLink-X4.txt=>Mizar-target-local-rmLink-X4.txt
1
link
far-X4/Mizar-far-rmLink-X4.txt=>Mizar-target-remote-rmLink-X4.txt
1
create
Mimosa-target-local-rmBoth-X4.txt Mimosa-target-remote-rmBoth-X4.txt
1
link
Mimosa-near-rmBoth-X4.txt=>Mimosa-target-local-rmBoth-X4.txt
1
link
far-X4/Mimosa-far-rmBoth-X4.txt=>Mimosa-target-remote-rmBoth-X4.txt
1
mkdir
Leo-target-local-rmTarget-X4 Libra-target-local-rmLink-X4 Lynx-target-local-rmBoth-X4
1
create
Regulas-target-local-rmTarget-X4
1
create
Vega-target-local-rmLink-X4
1
create
Elvashak-target-local-rmBoth-X4
1
mkdir
Leo-target-remote-rmTarget-X4 Libra-target-remote-rmLink-X4 Lynx-target-remote-rmBoth-X4
1
create
Regulas-target-remote-rmTarget-X4
1
create
Vega-target-remote-rmLink-X4
1
create
Elvashak-target-remote-rmBoth-X4
1
link
Leo-near-rmTarget-X4=>Leo-target-local-rmTarget-X4
1
link
far-X4/Leo-far-rmTarget-X4=>Leo-target-remote-rmTarget-X4
1
link
Libra-near-rmLink-X4=>Libra-target-local-rmLink-X4
1
link
far-X4/Libra-far-rmLink-X4=>Libra-target-remote-rmLink-X4
1
link
Lynx-near-rmBoth-X4=>Lynx-target-local-rmBoth-X4
1
link
far-X4/Lynx-far-rmBoth-X4=>Lynx-target-remote-rmBoth-X4
2
delete
Canopus-target-local-rmTarget-X4.txt Canopus-target-remote-rmTarget-X4.txt
2
delete
Castor-near-rmLink-X4.txt Castor-far-rmLink-X4.txt
2
delete
Capella-target-local-rmBoth-X4.txt Capella-target-remote-rmBoth-X4.txt Capella-near-rmBoth-X4.txt
Capella-far-rmBoth-X4.txt
2
delete
Mintaka-target-local-rmTarget-X4.txt Mintaka-target-remote-rmTarget-X4.txt
2
delete
Mizar-near-rmLink-X4.txt Mizar-far-rmLink-X4.txt
2
delete
Mimosa-target-local-rmBoth-X4.txt Mimosa-target-remote-rmBoth-X4.txt Mimosa-near-rmBoth-X4.txt
Mimosa-far-rmBoth-X4.txt
2
delete
Leo-target-local-rmTarget-X4 Leo-target-remote-rmTarget-X4
2
delete
Libra-near-rmLink-X4 Libra-far-rmLink-X4
2
delete
Lynx-target-local-rmBoth-X4 Lynx-target-remote-rmBoth-X4 Lynx-near-rmBoth-X4 Lynx-far-rmBoth-
July 2014
Page 36 of 41
TSK 3.2.2/Autopsy 2.24
Objects Created for ext-14
Step
Operation
Files in Partition EXT2
X4
Step
Operation
No Files in Partition EXT3
Step
Operation
No Files in Partition EXT4
The Objects Created Table fat-14 lists by partition each object created for case FAT-14.
Objects Created for fat-14
Step
Operation
Files in Partition FAT12
1
create
fat12-file-df.txt
1
create
fat12-file-dl.txt
1
create
fat12-file-db.txt
1
link
fat12-shortcut-df.lnk->fat12-file-df.txt
1
link
fat12-shortcut-dl.lnk->fat12-file-dl.txt
1
link
fat12-shortcut-db.lnk->fat12-file-db.txt
2
delete
fat12-file-db.txt
2
delete
fat12-file-df.txt
2
delete
fat12-shortcut-db.lnk
2
delete
fat12-shortcut-dl.lnk
Step
Operation
Files in Partition FAT16
1
create
fat16-file-df.txt
1
create
fat16-file-dl.txt
1
create
fat16-file-db.txt
1
link
fat16-shortcut-df.lnk->fat16-file-df.txt
1
link
fat16-shortcut-dl.lnk->fat16-file-dl.txt
1
link
fat16-shortcut-db.lnk->fat16-file-db.txt
2
delete
fat16-file-db.txt
2
delete
fat16-file-df.txt
2
delete
fat16-shortcut-db.lnk
2
delete
fat16-shortcut-dl.lnk
Step
Operation
Files in Partition FAT32
1
create
fat32-file-df.txt
1
create
fat32-file-dl.txt
1
create
fat32-file-db.txt
1
link
fat32-shortcut-df.lnk->fat32-file-df.txt
1
link
fat32-shortcut-dl.lnk->fat32-file-dl.txt
1
link
fat32-shortcut-db.lnk->fat32-file-db.txt
2
delete
fat32-file-db.txt
2
delete
fat32-file-df.txt
2
delete
fat32-shortcut-db.lnk
2
delete
fat32-shortcut-dl.lnk
The Objects Created Table ntfs-14 lists by partition each object created for case NTFS-
14.
Objects Created for ntfs-14
Step
Operation
Files in Partition NTFS
1
create
shortcut-file-df.txt
1
create
hard-file-df.txt
1
create
symbolic-file-df.txt
1
create
stream-file-df.txt
1
link
shortcut-shortcut-df.lnk->shortcut-file-df.txt
1
link
hard-link-df.txt->hard-file-df.txt
1
link
symbolic-link-df.txt->symbolic-file-df.txt
1
create
stream-file-df.txt+Volga.txt
1
create
shortcut-file-dl.txt
1
create
hard-file-dl.txt
1
create
symbolic-file-dl.txt
1
create
stream-file-keep.txt
July 2014
Page 37 of 41
TSK 3.2.2/Autopsy 2.24
Objects Created for ntfs-14
Step
Operation
Files in Partition NTFS
1
link
shortcut-shortcut-dl.lnk->shortcut-file-dl.txt
1
link
hard-link-dl.txt->hard-file-dl.txt
1
link
symbolic-link-dl.txt->symbolic-file-dl.txt
1
create
stream-file-keep.txt+Watauga.txt
1
create
shortcut-file-db.txt
1
create
hard-file-db.txt
1
create
symbolic-file-db.txt
1
create
stream-dir.txt
1
link
shortcut-shortcut-db.lnk->shortcut-file-db.txt
1
link
hard-link-db.txt->hard-file-db.txt
1
link
symbolic-link-db.txt->symbolic-file-db.txt
1
create
stream-dir.txt+Nile.txt
2
delete
shortcut-file-db.txt
2
delete
shortcut-file-df.txt
2
delete
shortcut-shortcut-db.lnk
2
delete
shortcut-shortcut-dl.lnk
2
delete
hard-file-db.txt
2
delete
hard-file-df.txt
2
delete
hard-link-db.txt
2
delete
hard-link-dl.txt
2
delete
symbolic-file-db.txt
2
delete
symbolic-file-df.txt
2
delete
symbolic-link-db.txt
2
delete
symbolic-link-dl.txt
2
delete
stream-dir.txt
2
delete
stream-file-df.txt
The Available Metadata and File Block Summary gives a one row summary of the file
blocks and meta-data available for recovery for a test case.
Case: The test case identifier.
Deleted: The number of files created and then deleted.
Intact/Meta: The number of files with no blocks overwritten and metadata
available. All these files should be recoverable.
Partial/Meta: The number of files with some, but not all, blocks overwritten and
metadata available. However, only independently allocated blocks are counted.
None/Meta: The number of files with all blocks overwritten, but metadata
available. For NTFS file systems, blocks from small files may be contained within
the MFT and not counted here.
Intact/None: The number of files with no blocks overwritten and metadata
overwritten.
Partial/None: The number of files with some, but not all, blocks overwritten and
metadata overwritten.
None/None: The number of files with all blocks and metadata overwritten.
Case
Deleted
Intact/Meta
Partial/Meta
None/meta
Intact/None
Partial/None
None/None
ext-14
10
10
0
1
0
0
1
fat-14
12
9
0
0
3
0
0
ntfs-14
15
11
0
4
0
0
0
July 2014
Page 38 of 41
TSK 3.2.2/Autopsy 2.24
The Recovered File Analysis Summary gives a one-row summary of the files recovered
for a test case.
Case: The test case identifier.
Del: The number of deleted files. The notation k/j means k files created in j
directories.
Rec: The number of files recovered by the tool. This should be at least as many as
the Intact/Meta value from the table above.
SS: The number of deleted files that contributed blocks to the recovered files.
This will be discussed below when we have more data from the example.
First: The number of recovered files that contain the first block of the deleted file.
Full: The number of recovered files that are complete and accurate with no extra
blocks.
Match: The number of recovered files with a correctly matching name.
Sigma: The number of recovered files with a recovered name that matches except
for the first character. This is an artifact of some deleted files on FAT file systems
where the Greek ISO representation of the letter sigma (σ) replaces the first
character of the file name to indicate a deleted file.
Multi: The number of files with blocks from two or more deleted files. In other
words, files with blocks of data from different files recovered together into one
recovered file.
Other: The number of files recovered with unrecognized data blocks. This is
usually the case when a file is partially overwritten with file system metadata.
Active: The number of recovered files that include data blocks from active (not
deleted) files.
Seq: The number of recovered files with data blocks out of sequence.
Over: The number of files that are overwritten in the test case.
Ovf: The number of files that the tool reports as overwritten.
Recovered File Analysis Summary
Case
Del
Rec
SS
First
Full
Match
Sigma
Multi
Other
Active
Seq
Over
Ovf
ext-14
10
18
2
2
2
0
0
0
8
8
0
2
0
fat-14
12
12
6
6
6
6
0
0
6
0
0
0
0
ntfs-14
15
9
6
6
6
5
0
0
3
0
0
4
0
Content Analysis
Case
Content
Name
First
Blocks
Tail
Src
Shift
Seq
Other
dfr-ext-
14
Capella-target-local-rmBoth-
X4.txt
OrphanFile-16
1
7
0
1
0
0
0
Capella-target-remote-rmBoth-
X4.txt
OrphanFile-17
1
7
0
1
0
0
0
Mintaka-target-local-rmTarget-
X4.txt
OrphanFile-18
1
7
0
1
0
0
0
Mintaka-target-remote-
rmTarget-X4.txt
OrphanFile-19
1
7
0
1
0
0
0
Unknown
OrphanFile-23
0
0
0
1
0
0
1
Mimosa-target-local-rmBoth-
X4.txt
OrphanFile-24
1
7
0
1
0
0
0
Mimosa-target-remote-rmBoth-
X4.txt
OrphanFile-25
1
7
0
1
0
0
0
Unknown
OrphanFile-26
0
0
0
1
0
0
1
Unknown
OrphanFile-28
0
0
0
1
0
0
1
Unknown
OrphanFile-29
0
0
0
1
0
0
1
July 2014
Page 39 of 41
TSK 3.2.2/Autopsy 2.24
Content Analysis
Case
Content
Name
First
Blocks
Tail
Src
Shift
Seq
Other
Regulas-target-remote-
rmTarget-X4
OrphanFile-42842
1
7
0
1
0
0
0
Elvashak-target-remote-
rmBoth-X4
OrphanFile-46922
1
7
0
1
0
0
0
Unknown
OrphanFile-57123
0
0
0
1
0
0
1
Unknown
OrphanFile-57124
0
0
0
1
0
0
1
Unknown
OrphanFile-57126
0
0
0
1
0
0
1
Unknown
OrphanFile-57127
0
0
0
1
0
0
1
Elvashak-target-local-rmBoth-
X4
OrphanFile-63242
1
7
0
1
0
0
0
Regulas-target-local-rmTarget-
X4
OrphanFile-77522
1
7
0
1
0
0
0
dfr-fat-
14
fat12-file-db.txt
fat12-file-db.txt
1
7
0
1
0
0
0
fat12-file-df.txt
fat12-file-df.txt
1
7
0
1
0
0
0
Unknown
fat12-shortcut-
db.lnk
0
0
0
1
0
0
1
Unknown
fat12-shortcut-dl.lnk
0
0
0
1
0
0
1
fat16-file-db.txt
fat16-file-db.txt
1
7
0
1
0
0
0
fat16-file-df.txt
fat16-file-df.txt
1
7
0
1
0
0
0
Unknown
fat16-shortcut-
db.lnk
0
0
0
1
0
0
1
Unknown
fat16-shortcut-dl.lnk
0
0
0
1
0
0
1
fat32-file-db.txt
fat32-file-db.txt
1
7
0
1
0
0
0
fat32-file-df.txt
fat32-file-df.txt
1
7
0
1
0
0
0
Unknown
fat32-shortcut-
db.lnk
0
0
0
1
0
0
1
Unknown
fat32-shortcut-dl.lnk
0
0
0
1
0
0
1
dfr-ntfs-
14
hard-file-db.txt
hard-link-db.txt
1
7
0
1
0
0
0
shortcut-file-db.txt
shortcut-file-db.txt
1
7
0
1
0
0
0
shortcut-file-df.txt
shortcut-file-df.txt
1
7
0
1
0
0
0
Unknown
shortcut-shortcut-
db.lnk
0
0
0
1
0
0
1
Unknown
shortcut-shortcut-
dl.lnk
0
0
0
1
0
0
1
Unknown
stream-dir
0
0
0
1
0
0
1
stream-file-df.txt
stream-file-df.txt
1
7
0
1
0
0
0
symbolic-file-db.txt
symbolic-file-db.txt
1
7
0
1
0
0
0
symbolic-file-df.txt
symbolic-file-df.txt
1
7
0
1
0
0
0
Each row of the Recovered File Content Block Details table describes the source of
recovered file content.
Case: The test case identifier. The field is left blank after the first file for the
remaining files of the test case.
Name: The name of the recovered object.
Recovered Content: A list of data sources included in the recovered object. Each
entry is accompanied with the number of blocks included in the recovered object
and the size of the source object. The recovered object
Recovered File Content Block Details
Case
Name
Recovered Content
dfr-ext-14
OrphanFile-16
Capella-target-local-rmBoth-X4.txt(8 of 8)
OrphanFile-17
Capella-target-remote-rmBoth-X4.txt(8 of 8)
OrphanFile-18
Mintaka-target-local-rmTarget-X4.txt(8 is active)
OrphanFile-19
Mintaka-target-remote-rmTarget-X4.txt(8 is active)
OrphanFile-23
other(1)
July 2014
Page 40 of 41
TSK 3.2.2/Autopsy 2.24
Recovered File Content Block Details
Case
Name
Recovered Content
OrphanFile-24
Mimosa-target-local-rmBoth-X4.txt(8 is active)
OrphanFile-25
Mimosa-target-remote-rmBoth-X4.txt(8 is active)
OrphanFile-26
other(1)
OrphanFile-28
other(1)
OrphanFile-29
other(1)
OrphanFile-42842
Regulas-target-remote-rmTarget-X4(8 is active)
OrphanFile-46922
Elvashak-target-remote-rmBoth-X4(8 is active)
OrphanFile-57123
other(1)
OrphanFile-57124
other(1)
OrphanFile-57126
other(1)
OrphanFile-57127
other(1)
OrphanFile-63242
Elvashak-target-local-rmBoth-X4(8 is active)
OrphanFile-77522
Regulas-target-local-rmTarget-X4(8 is active)
dfr-fat-14
fat12-file-db.txt
fat12-file-db.txt(8 of 8)
fat12-file-df.txt
fat12-file-df.txt(8 of 8)
fat12-shortcut-db.lnk
other(1)
fat12-shortcut-dl.lnk
other(1)
fat16-file-db.txt
fat16-file-db.txt(8 of 8)
fat16-file-df.txt
fat16-file-df.txt(8 of 8)
fat16-shortcut-db.lnk
other(1)
fat16-shortcut-dl.lnk
other(1)
fat32-file-db.txt
fat32-file-db.txt(8 of 8)
fat32-file-df.txt
fat32-file-df.txt(8 of 8)
fat32-shortcut-db.lnk
other(1)
fat32-shortcut-dl.lnk
other(1)
dfr-ntfs-14
hard-link-db.txt
hard-file-db.txt(8 of 8)
shortcut-file-db.txt
shortcut-file-db.txt(8 of 8)
shortcut-file-df.txt
shortcut-file-df.txt(8 of 8)
shortcut-shortcut-db.lnk
other(1)
shortcut-shortcut-dl.lnk
other(1)
stream-dir
other(1)
stream-file-df.txt
stream-file-df.txt(8 of 8)
symbolic-file-db.txt
symbolic-file-db.txt(8 of 8)
symbolic-file-df.txt
symbolic-file-df.txt(8 of 8)
4.13 Mac File Systems HFS+ File Recovery
No files were recovered, but active files were listed, including non-Latin character file
names.
4.14 Listing Active Files
The Active Files and Folders Listed table summarizes by file system the active files and
folders listed by the tested tool.
Case: The test case identifier.
Files Active: The number of active files.
Files Listed: The number of files that the tested tool listed. This should match the
value in the Files Active column.
Folders Active: The number of active folders (directories).
Folders Listed: The number of folders (directories) that the tested tool listed. This
should match the value in the Folders Active column.
July 2014
Page 41 of 41
TSK 3.2.2/Autopsy 2.24
Active Files and Folders Listed
Case
Files Active
Files Listed
Folders Active
Folders Listed
dfr-ext-16
3066
2215
27
27
dfr-ext-17
135
90
135
99
dfr-fat-16
3066
3066
27
27
dfr-fat-17
135
135
135
135
dfr-ntfs-16
1022
1022
9
9
dfr-ntfs-17
45
45
45
45