View filenames of deleted and overwritten files?

[Throckmorton]

I have an NTFS partition where I want to view a list of files that have been deleted and overwritten. I don't want to recover the files, just view a list of filenames. Is that possible? Are they stored in the $MFT? What about $LogFile?

GetDataBack doesn't list any deleted files

 

[FelixDeCat]

Recova reveals file names of even scrubbed data if still available. It is free here :

http://www.piriform.com/RECUVA

Use a deep scan.

 

[razel]

Recuva is a good one. Another one, that is fast, since you're only interested in viewing names of deleted files is KillDisk. It is a utility desinged to zero drives, but it is so good at viewing sectors, tiny almost hidden partitions and deleted files. It is very fast at displaying them.

 

[Throckmorton]

Thanks, I'm trying Recuva.

I set it to show overwritten files, 0 byte files, and to deep scan. But it only lists the files that are recoverable, and then it ignores a lot. But even the number of files it ignores is a lot fewer than it should be.

I guess I'll try KillDisk next

 

[Throckmorton]

KillDisk can't even see the partition be because it's in a Truecrypt file container. I can't find any way to force it to list the "drive"

 

[Throckmorton]

Apparently Encase can parse $LogFile but I don't know how many actions are stored in there. Thousands? Millions? I probably need at least 100000

 

[taltamir]

As far as I know only 2 possible ways exist to find the names of deleted files on an NTFS partition:
1. Find them in the journal (it is a journaling FS)
2. Find their data which hasn't been overwritten yet.

#2 is straight out if you know it has been overwritten (secure erased?). #1 is really difficult as you saw for yourself.

Digging further into #1...
According to
http://www.ibm.com/developerworks/linux/library/l-journaling-filesystems/
The journal is a circular buffer which gets committed to the FS on regular intervals. So it shouldn't have millions of operations listed, in fact it might very well not have the ones you want if they had already flushed. (which is good, I would be rather concerned if you could effectively retrieve information that has been secure erased)

http://technet.microsoft.com/en-us/library/cc781134(v=WS.10).aspx

The total size of all the records currently in the journal varies, but there is a configurable maximum size. The change journal can exceed the maximum size until the size reaches an outer threshold, at which point a portion of the oldest records are deleted until the change journal is restored to its maximum size. The maximum size of the change journal is configurable but cannot be reduced, only increased.

 

[Throckmorton]

The journal is in $LogFile right? Seems like only Encase can read and parse it

 

[taltamir]

The journal is in $LogFile right?

Yes, there is also a second feature with a similar name https://en.wikipedia.org/wiki/NTFS#USN_Journal