Intella has the ability to recover deleted files and folders using information found in the Master File Table (MFT) or via File Carving.
What's the difference between File Carving and MFT-based File Recovery?
The Master File Table (MFT) is the central repository for file record information in the NTFS file system. Even when a file is deleted, its MFT record remains until it is overwritten. Intella scans the MFT to locate records of deleted files and restores them. This allows Intella to recover files with their original file names, folder structure, metadata, and content.

File carving, on the other hand, attempts to recover files by searching for file headers and footers on the disk without relying on the file system structures. This technique typically recovers files of the most common types, often without file names or folder information.
Intella focuses primarily on MFT-based recovery. By leveraging information stored in the Master File Table (MFT), Intella can recover deleted files while preserving the original folder hierarchy and file names whenever that metadata is available. In addition, Intella supports file carving through integration with TestDisk and PhotoRec, enabling the recovery of deleted files from unallocated areas of a disk image when filesystem metadata is missing or incomplete.
File Recovery
The File Recovery Process
When Intella indexes a disk image, it will scan all the MFT entries. Any entries marked as unallocated will be reported as deleted items. For NTFS file systems, the allocation status of all the data blocks referred to by the MFT entry is analyzed. The entire content of the deleted file will be extracted if at least one unallocated data block is referred to by the MFT entry, or if the MFT entry has only resident data. In all other cases, only the metadata will be reported.
Intella categorizes recovered deleted items from a disk image into three types:
- Recovered entire file content: all the data blocks are unallocated, or the file has only resident data and the entire file content has been extracted.
- Recovered partial file content: some of the data blocks have already been allocated to other live files. The entire file content is still extracted, but some of the content will contain bytes belonging to other live files.
- File metadata only: the data is not resident and none of the file's data blocks is still unallocated, so content recovery is not possible and only the metadata from the MFT record is reported.
You can find these three types of recovered files in the "Recovered" category in the Features facet. Additionally, Intella exposes raw data fields for recovered file items, including:
- MFT Allocated
- MFT Resident
- MFT Deleted File - Total Blocks
- MFT Deleted File - Overwritten Blocks
- MFT Deleted File - All Blocks Available
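As an added example (not Intella's code), the following Python script applies the classification rule described above to a constructed NTFS scenario: it decodes the data-run list of a non-resident $DATA attribute, checks each cluster against a $Bitmap-style allocation map, and reports the recovery category together with the block counts behind the raw data fields listed above. The `MftEntry` record structure, the sample bitmap and entries, and the data-run byte strings are all constructed for the example; the run-list encoding and the bitmap bit order follow the NTFS on-disk format.

```python
"""Classify deleted NTFS files into the three recovery categories the
page describes (entire content / partial content / metadata only) and
compute the per-file block counts. Example code added for illustration,
not Intella's implementation; the MFT record layout is reduced to the
fields the decision needs, and all sample data is constructed."""
from dataclasses import dataclass
from typing import Optional

STATUS_ENTIRE = "Recovered entire file content"
STATUS_PARTIAL = "Recovered partial file content"
STATUS_METADATA = "File metadata only"


@dataclass
class MftEntry:
    name: str
    allocated: bool        # in-use flag from the record header; False means deleted
    resident: bool         # True when the $DATA attribute is stored inside the record
    runlist: bytes = b""   # raw NTFS data-run encoding of a non-resident $DATA attribute


def decode_runlist(data: bytes) -> list[tuple[Optional[int], int]]:
    """Decode an NTFS data-run list into (start_cluster, cluster_count) pairs.

    Each run starts with a header byte: the low nibble is the byte width of
    the length field, the high nibble the byte width of the offset field.
    Offsets are little-endian, signed, and relative to the previous run's
    start cluster. A zero-width offset marks a sparse run, reported here
    with start_cluster None. A zero header byte terminates the list.
    """
    runs: list[tuple[Optional[int], int]] = []
    pos, lcn = 0, 0
    while pos < len(data) and data[pos] != 0:
        header = data[pos]
        pos += 1
        len_size, off_size = header & 0x0F, header >> 4
        length = int.from_bytes(data[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, length))
            continue
        offset = int.from_bytes(data[pos:pos + off_size], "little", signed=True)
        pos += off_size
        lcn += offset
        runs.append((lcn, length))
    return runs


def cluster_allocated(bitmap: bytes, cluster: int) -> bool:
    """Look up one cluster in a $Bitmap-style map: bit 0 of byte 0 is
    cluster 0, one bit per cluster, set bit = allocated."""
    if cluster >= len(bitmap) * 8:
        raise ValueError(f"cluster {cluster} lies outside the bitmap")
    return (bitmap[cluster >> 3] >> (cluster & 7)) & 1 == 1


def classify(entry: MftEntry, bitmap: bytes) -> dict:
    """Apply the page's rule: a deleted entry yields full content when its
    data is resident or every block is still unallocated, partial content
    when at least one block is unallocated but others have been reused,
    and metadata only otherwise. Field names mirror the raw data fields
    listed on the page; the values are computed here."""
    report = {"MFT Allocated": entry.allocated, "MFT Resident": entry.resident}
    if entry.allocated:
        report["status"] = "live file (not a recovery candidate)"
        return report
    total = overwritten = 0
    if not entry.resident:
        for lcn, length in decode_runlist(entry.runlist):
            if lcn is None:
                continue  # sparse run: no on-disk clusters to check
            for cluster in range(lcn, lcn + length):
                total += 1
                if cluster_allocated(bitmap, cluster):
                    overwritten += 1
    if entry.resident:
        status = STATUS_ENTIRE          # content lives inside the record itself
    elif total == 0 or overwritten == total:
        status = STATUS_METADATA        # no unallocated block left to read
    elif overwritten == 0:
        status = STATUS_ENTIRE
    else:
        status = STATUS_PARTIAL         # extracted, but some bytes belong to live files
    report.update({
        "status": status,
        "MFT Deleted File - Total Blocks": total,
        "MFT Deleted File - Overwritten Blocks": overwritten,
        "MFT Deleted File - All Blocks Available": status == STATUS_ENTIRE,
    })
    return report


# Constructed 64-cluster volume bitmap: clusters 10, 11, 17 and 18 are in use.
SAMPLE_BITMAP = bytes([0x00, 0x0C, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00])

SAMPLE_ENTRIES = [
    # runs (16,4) and (21,2); clusters 17-18 have been reused by a live file
    MftEntry("report.docx", False, False, b"\x21\x04\x10\x00\x11\x02\x05\x00"),
    # single run (48,3), all clusters still free
    MftEntry("notes.txt", False, False, b"\x11\x03\x30\x00"),
    # single run (10,2), both clusters reused
    MftEntry("old.log", False, False, b"\x11\x02\x0a\x00"),
    # small file whose $DATA is resident in the record
    MftEntry("tiny.ini", False, True),
]


def run_example() -> dict[str, dict]:
    """Classify every constructed entry against the constructed bitmap."""
    return {e.name: classify(e, SAMPLE_BITMAP) for e in SAMPLE_ENTRIES}


if __name__ == "__main__":
    for name, report in run_example().items():
        print(f"{name}: {report['status']}")
```

The decision mirrors the process described above: a resident file is recovered whole regardless of the bitmap, a non-resident file is extracted as soon as one of its clusters is still free, and the overwritten count is what distinguishes a clean recovery from one that carries bytes from live files.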
Using File Recovery
To use Intella's file recovery feature, you need to enable the "Recover deleted emails, files, and Notes deletion stubs" option in the source definition.
Recovered Items
Intella's file recovery feature recovers deleted items from a disk image and places them as follows:
- Recovered items are placed in a special folder called <RECOVERED>.
- Items located outside the regular root folder are placed in a special folder called <ORPHAN ITEMS>.
File Carving
This feature allows investigators to find files based on their structure and signatures even when file system metadata is missing. Intella supports file carving from disk images and other raw data sources, enabling the recovery of files that have been deleted or reside in unallocated space by searching for specific file headers and footers.
For detailed instructions on enabling and configuring file carving during indexing, refer to the “File Carving” section of the User Manual for your specific product.
Considerations for Recovered Emails
It is important to note that recovered emails may contain traces of other emails. Orphan items may contain unreliable data, which may include pieces of the message body and message metadata from different emails. This can occur due to the way an email client caches message data in the email container.
By understanding how Intella's file recovery feature works, you can make the most of the tool and optimize your digital investigations.