# Finding evidence of a deleted file

Finding evidence of a deleted file is one of the important processes in digital forensics. Sometimes you cannot recover a deleted file because its data has been overwritten on disk, but you can still find evidence that it once existed.

### What is the MFT (Master File Table)?

The Master File Table (MFT) is a crucial system file ($MFT) in the NTFS file system that holds a record for every file and directory on a volume, including its parent directory, where its data is stored on disk, and metadata such as creation and access timestamps and file size.

{% embed url="<https://www.sciencedirect.com/topics/computer-science/master-file-table>" %}

So NTFS stores data about data: a file may be deleted and its content overwritten (which means the content cannot be recovered), but its record may still be present in the MFT.

### Let's begin our practical part

#### Step 1: I created a file named important.txt for demonstration, put some text inside it and then deleted it

<figure><img src="/files/qo7nrmiwtJgsFr98jUQo" alt=""><figcaption></figcaption></figure>

#### Step 2: Creating a KAPE triage for the system

Instead of creating a full disk image, for demonstration I took a KAPE triage of the system to collect the most forensically relevant artifacts (this includes the $MFT file, which is the master file table).

<figure><img src="/files/WTlr2pTSjcv8axsUd5aa" alt=""><figcaption></figcaption></figure>

#### Step 3: parsing the $MFT file using Eric Zimmerman's tool MFTECmd

<figure><img src="/files/YulcJejrCew5MLuZouTS" alt=""><figcaption></figcaption></figure>

This produces a CSV file containing the MFT records. You can open it with any tool that reads CSV files; I personally recommend Microsoft Excel or Eric Zimmerman's Timeline Explorer (his MFTExplorer opens the raw $MFT itself rather than the CSV).

#### Step 4: opening the file with Microsoft Excel

<figure><img src="/files/aIasSlQAgBX6BJd3Px2j" alt=""><figcaption></figcaption></figure>

A lot of this data is not useful for manual analysis, so I will filter by the InUse column, which indicates whether the MFT record is still allocated to a live file (True) or has been marked as free because the file was deleted (False). For demonstration I will also filter by file extension to see only .txt files.

<figure><img src="/files/VHAu10MNRFwE7qCOmSUw" alt=""><figcaption></figcaption></figure>

Unfortunately, our file important.txt does not show up in the MFT records. What does that mean? The file's data was overwritten, and its MFT record has also been reused: NTFS does not delete records, it marks them as free and hands them to the next file that needs one. This will not necessarily happen so quickly in a real-world environment; I'm working on a VM with limited disk space, so the chance that a deleted file's record is reused soon after deletion is high.

### Is that everything we have?

The answer is no; there is another place to look for evidence of a deleted file: the USN journal.

### What is USN (Update Sequence Number) journal?

The USN Journal (Update Sequence Number Journal), or Change Journal, is a feature of the Windows NT file system (NTFS) that maintains a record of changes made to the volume.

{% embed url="<https://en.wikipedia.org/wiki/USN_Journal>" %}

The USN Journal logs every change, such as file creation, modification, deletion and renaming, along with the timestamp of the event and other metadata, for the benefit of backup, synchronization and indexing software, among others.

So there is a chance that we can find our file in the USN journal even though its record is gone from the MFT.

### Let's begin our practical part

#### Step 1: parsing the USN journal using Eric Zimmerman's tool MFTECmd

The file we are interested in is located in the $Extend folder of the KAPE triage and is named $J (the `$UsnJrnl:$J` data stream, which holds the journal records). The `$J` file contains the change journal data that logs file system events such as file creations, deletions, modifications and renames. Each record in `$J` includes a USN (a unique, increasing identifier for the entry, which is also its byte offset within the journal), the reason for the change, the timestamp of the change, the file name, the NTFS file reference of the file and of its parent directory (MFT entry number plus sequence number), and other metadata.
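To see where MFTECmd's EntryNumber, SequenceNumber, UpdateTimestamp and UpdateReasons columns come from, here is a parser for the raw USN_RECORD_V2 layout as it sits inside `$J`. This is an added example, not code from the original post or from MFTECmd: the record layout, reason-flag values and FILETIME epoch are the documented NTFS format, while the sample journal bytes are constructed in the block (the entry number 100722 is borrowed from the post purely for illustration, and the USN values mimic record offsets).

```python
"""Parse raw USN_RECORD_V2 entries as they are laid out inside $Extend\\$UsnJrnl:$J.

Added example (not code from the original post or from MFTECmd). The record
layout, reason flags and FILETIME epoch are the documented USN_RECORD_V2
format; the sample journal bytes below are constructed here, and the entry
number 100722 is borrowed from the post purely for illustration.
"""
import struct
from datetime import datetime, timedelta, timezone

# Fixed part of USN_RECORD_V2 (60 bytes): RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp, Reason,
# SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
_HDR = struct.Struct("<IHHQQqqIIIIHH")

REASONS = {  # USN_REASON_* bits, as decoded into MFTECmd's UpdateReasons column
    0x00000001: "DataOverwrite", 0x00000002: "DataExtend", 0x00000004: "DataTruncation",
    0x00000010: "NamedDataOverwrite", 0x00000020: "NamedDataExtend", 0x00000040: "NamedDataTruncation",
    0x00000100: "FileCreate", 0x00000200: "FileDelete", 0x00000400: "EaChange",
    0x00000800: "SecurityChange", 0x00001000: "RenameOldName", 0x00002000: "RenameNewName",
    0x00004000: "IndexableChange", 0x00008000: "BasicInfoChange", 0x00010000: "HardLinkChange",
    0x00020000: "CompressionChange", 0x00040000: "EncryptionChange", 0x00080000: "ObjectIdChange",
    0x00100000: "ReparsePointChange", 0x00200000: "StreamChange", 0x80000000: "Close",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def split_file_reference(ref):
    """An NTFS file reference packs the 48-bit MFT entry number with a 16-bit
    sequence number; MFTECmd reports them as EntryNumber and SequenceNumber."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def decode_reasons(flags):
    names = [name for bit, name in REASONS.items() if flags & bit]
    return "|".join(names) if names else hex(flags)


def parse_usn_records(data):
    """Walk a $J stream and return one dict per record, in journal order."""
    records, off = [], 0
    while off + _HDR.size <= len(data):
        (rec_len, major, minor, fref, pref, usn, ts, reason, _src, _sid,
         attrs, name_len, name_off) = _HDR.unpack_from(data, off)
        if rec_len == 0:
            off += 8          # $J is sparse: zero-filled gaps hold no records
            continue
        if major != 2:
            raise ValueError(f"unsupported USN record v{major}.{minor} at offset {off}")
        name = data[off + name_off: off + name_off + name_len].decode("utf-16-le")
        entry, seq = split_file_reference(fref)
        parent_entry, parent_seq = split_file_reference(pref)
        records.append({
            "usn": usn, "name": name, "entry": entry, "sequence": seq,
            "parent_entry": parent_entry, "parent_sequence": parent_seq,
            "timestamp": filetime_to_datetime(ts), "reasons": decode_reasons(reason),
            "attributes": attrs,
        })
        off += rec_len        # RecordLength is already padded to 8 bytes
    return records


def build_usn_record(usn, entry, seq, parent_entry, parent_seq, when, reason, name):
    """Lay out a v2 record the way NTFS does (used here only to fabricate sample data)."""
    name_bytes = name.encode("utf-16-le")
    rec_len = (_HDR.size + len(name_bytes) + 7) & ~7
    hdr = _HDR.pack(rec_len, 2, 0, (seq << 48) | entry, (parent_seq << 48) | parent_entry,
                    usn, datetime_to_filetime(when), reason, 0, 0, 0x20, len(name_bytes), _HDR.size)
    return hdr + name_bytes + b"\x00" * (rec_len - _HDR.size - len(name_bytes))


# Constructed sample: important.txt is created in entry 100722 (sequence 5),
# written to, then deleted. A real $J starts with a large sparse region.
T0 = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_J = b"\x00" * 64 + b"".join([
    build_usn_record(1000, 100722, 5, 5000, 1, T0, 0x100, "important.txt"),
    build_usn_record(1088, 100722, 5, 5000, 1, T0, 0x100 | 0x80000000, "important.txt"),
    build_usn_record(1176, 100722, 5, 5000, 1, T0 + timedelta(seconds=30), 0x02 | 0x80000000, "important.txt"),
    build_usn_record(1264, 100722, 5, 5000, 1, T0 + timedelta(minutes=5), 0x200 | 0x80000000, "important.txt"),
])


def deletion_events(data):
    """The records an analyst wants first: anything carrying FileDelete."""
    return [r for r in parse_usn_records(data) if "FileDelete" in r["reasons"]]


if __name__ == "__main__":
    for r in parse_usn_records(SAMPLE_J):
        print(f"{r['timestamp']:%Y-%m-%d %H:%M:%S}  USN {r['usn']:<6} "
              f"entry {r['entry']}/{r['sequence']}  {r['reasons']:<20} {r['name']}")
```

Two details matter later when you correlate the journal with $MFT: the sequence number is part of the file reference, so it identifies which life of an MFT entry a record belongs to, and a real journal is sparse at the front, which is why the parser steps over zero-filled regions instead of failing on them.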

<figure><img src="/files/GbAHoXJCMQziNwBvOs2n" alt=""><figcaption></figcaption></figure>

#### Step 2: let's open the CSV file to investigate the USN journal records

<figure><img src="/files/9F6eZmS6jTs4xj3779BE" alt=""><figcaption></figcaption></figure>

And here is the file, along with some useful information such as when it was created, renamed and deleted, and its MFT entry number.

### An additional step: looking up the file's entry number in the MFT records

Now that we have the MFT entry number for important\_file.txt, let's search for that number in the MFT table to see what we find.

<figure><img src="/files/Wdgq2kVEcC0oTNS2i42y" alt=""><figcaption></figcaption></figure>

Searching for the MFT entry number, which is 100722, I found a different file named usbstor.PNF, a precompiled INF (.PNF) driver-setup file, not a registry file.

So what does that mean? The record was freed when our file was deleted and has since been reallocated to usbstor.PNF: the entry number is the same, but the record now belongs to a new file. The sequence number in MFTECmd's output is the check that confirms this: NTFS increments it each time an entry is freed, so if the $MFT CSV shows entry 100722 as InUse with a higher sequence number than the one recorded in the $J records for our file, the record was reused by a new file rather than merely marked as deleted.
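Putting the whole procedure together (the Step 4 filter on InUse and extension, the $J search from Step 2, and the entry-number lookup just described), here is an added example that is not code from the original post or from MFTECmd. It reads MFTECmd-style CSV output and decides, from the sequence numbers, whether the entry the journal points at still belongs to the deleted file. The column names are assumed to match MFTECmd's CSV headers, the rows are constructed for the demonstration, and the entry number and file names are borrowed from the post purely for illustration.

```python
"""Correlate MFTECmd's $J and $MFT CSV output: rebuild a deleted file's history
from the journal, then check whether its MFT record still belongs to it.

Added example (not code from the original post or from MFTECmd). Column names
are assumed to match MFTECmd's CSV headers; the rows are constructed for the
demonstration and borrow the post's entry number and file names for illustration.
"""
import csv
import io

# Constructed $MFT CSV, trimmed to the columns used here.
MFT_CSV = r"""EntryNumber,SequenceNumber,InUse,ParentPath,FileName,Extension,FileSize,Created0x10
100722,6,True,.\Windows\inf,usbstor.PNF,.PNF,14288,2024-01-15 10:07:12.3456789
100723,2,False,.\Users\analyst\Desktop,notes.txt,.txt,512,2024-01-10 08:00:00.0000000
100724,1,True,.\Users\analyst\Desktop,report.txt,.txt,2048,2024-01-12 09:30:00.0000000
"""

# Constructed $J CSV: important.txt is created, written, renamed to
# important_file.txt and deleted; the freed record is then reused.
J_CSV = r"""Name,Extension,EntryNumber,SequenceNumber,ParentEntryNumber,ParentSequenceNumber,UpdateSequenceNumber,UpdateTimestamp,UpdateReasons
important.txt,.txt,100722,5,5000,1,1000,2024-01-15 10:00:00.0000000,FileCreate
important.txt,.txt,100722,5,5000,1,1088,2024-01-15 10:00:00.0000000,FileCreate|Close
important.txt,.txt,100722,5,5000,1,1176,2024-01-15 10:00:30.0000000,DataExtend|Close
important.txt,.txt,100722,5,5000,1,1264,2024-01-15 10:01:00.0000000,RenameOldName
important_file.txt,.txt,100722,5,5000,1,1352,2024-01-15 10:01:00.0000000,RenameNewName|Close
important_file.txt,.txt,100722,5,5000,1,1448,2024-01-15 10:05:00.0000000,FileDelete|Close
usbstor.PNF,.PNF,100722,6,3300,1,1528,2024-01-15 10:07:12.3456789,FileCreate|Close
"""


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def deleted_records(mft_rows, extension=None):
    """The Step 4 filter: records NTFS has marked free (InUse False), optionally by extension."""
    return [r for r in mft_rows
            if r["InUse"] == "False"
            and (extension is None or r["Extension"].lower() == extension.lower())]


def journal_by_name(j_rows, name):
    """Every $J record naming the file, oldest first (USNs only ever increase)."""
    hits = [r for r in j_rows if r["Name"].lower() == name.lower()]
    return sorted(hits, key=lambda r: int(r["UpdateSequenceNumber"]))


def journal_by_reference(j_rows, entry, sequence):
    """All records for one file identity (entry + sequence); this follows the file across renames."""
    hits = [r for r in j_rows
            if int(r["EntryNumber"]) == entry and int(r["SequenceNumber"]) == sequence]
    return sorted(hits, key=lambda r: int(r["UpdateSequenceNumber"]))


def mft_record_status(mft_rows, entry, j_sequence):
    """Classify what the entry holds now, relative to the sequence number the journal recorded."""
    row = next((r for r in mft_rows if int(r["EntryNumber"]) == entry), None)
    if row is None:
        return "not_in_mft", None
    seq = int(row["SequenceNumber"])
    if seq < j_sequence:
        return "inconsistent", row            # $MFT older than $J, or from another volume
    if row["InUse"] == "True":
        return ("still_allocated" if seq == j_sequence else "reused"), row
    # Free record: NTFS increments the sequence number when it frees an entry,
    # so the deleted file's own record reads j_sequence or j_sequence + 1.
    return ("deleted_record_intact" if seq <= j_sequence + 1 else "reused_then_freed"), row


def investigate(mft_rows, j_rows, name):
    """Find the file in $J, rebuild its lifecycle, then see what its MFT entry holds today."""
    named = journal_by_name(j_rows, name)
    if not named:
        return None
    entry, seq = int(named[-1]["EntryNumber"]), int(named[-1]["SequenceNumber"])
    lifecycle = journal_by_reference(j_rows, entry, seq)
    deleted = [r for r in lifecycle if "FileDelete" in r["UpdateReasons"]]
    status, current = mft_record_status(mft_rows, entry, seq)
    return {
        "entry": entry, "sequence": seq, "lifecycle": lifecycle,
        "deleted_at": deleted[-1]["UpdateTimestamp"] if deleted else None,
        "status": status, "current": current,
    }


if __name__ == "__main__":
    mft, j = load_csv(MFT_CSV), load_csv(J_CSV)
    print("deleted .txt records still in $MFT:", [r["FileName"] for r in deleted_records(mft, ".txt")])
    res = investigate(mft, j, "important_file.txt")
    for r in res["lifecycle"]:
        print(f"{r['UpdateTimestamp']}  {r['UpdateReasons']:<20} {r['Name']}")
    print(f"entry {res['entry']}/{res['sequence']} deleted at {res['deleted_at']}; "
          f"record now: {res['status']} ({res['current']['FileName']}, seq {res['current']['SequenceNumber']})")
```

Searching the journal by the final name only returns the rename and delete records; following the file reference (entry plus sequence) instead pulls in the records written under the original name too, which is how the creation time survives a rename. The status check is what turns "a different file sits at entry 100722" into a defensible statement: a live record with a higher sequence number is a reused entry, while a free record with the journal's sequence number (or one higher, since NTFS bumps it on release) is the deleted file's own record.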
