Tuesday, August 3, 2010

Locating file fragments

When doing a forensic recovery one very important aspect is to log all actions so that they can be repeated. Recovering a file is reading a sequence of sectors, and many times they are in sequence, but not always. For the files that are out of sequence it is necessary to track each fragment / cluster.

The CnW log has a data column that records the number of fragments in a file. If this number in the log is clicked, each fragment (up to a maximum of 80) will be displayed as the starting sector, an sector run length. Abyone can then examine the original disk and establish how the file has been reconstructed.

No comments:

Post a Comment