Intella is a powerful tool used for digital forensic analysis, eDiscovery, and investigation. One of its key features is the ability to recover deleted files and folders using information found in the Master File Table (MFT). Intella does not perform file carving and relies solely on the MFT to recover deleted files.
Enabling File Recovery
To use Intella's file recovery feature, you need to enable the "Recover deleted emails, files, and Notes deletion stubs" option in the source definition.
File Recovery Process
When Intella indexes a disk image, it will scan all the MFT entries. Any entries marked as unallocated will be reported as deleted items. For NTFS file systems, the allocation status of all the data blocks referred to by the MFT entry is analyzed. The entire content of the deleted file will be extracted if at least one unallocated data block is referred to by the MFT entry, or if the MFT entry has only resident data. In all other cases, only the metadata will be reported.
Intella categorizes recovered deleted items from a disk image into three types:
- Recovered entire file content: all the data blocks are unallocated, or the file has only resident data and the entire file content has been extracted.
- Recovered partial file content: some of the data blocks have already been allocated to other live files. The entire file content is still extracted, but some of the content will contain bytes belonging to other live files.
- File metadata only when recovery is not possible.
You can find these three types of recovered files in the "Recovered" category in the Features facet. Additionally, Intella provides a list of raw data field items for recovered file items such as MFT Allocated, MFT Resident, MFT Deleted File - Total Blocks, MFT Deleted File - Overwritten Blocks, and MFT Deleted File - All Blocks Available.
Recovered Items
Intella's file recovery feature recovers deleted items from a disk image and places them:
- In a special folder called <RECOVERED>.
- Any items outside the regular root folder are placed in a special folder called <ORPHAN ITEMS>.
Considerations for Recovered Emails
It is important to note that recovered emails may contain traces of other emails. Orphan items may contain unreliable data, which may include pieces of the message body and message metadata from different emails. This can occur due to the way an email client caches message data in the email container.
By understanding how Intella's file recovery feature works, you can make the most of the tool and optimize your digital investigations.