Understanding Orphaned Files

I was sitting in an Intro to Forensics lecture recently (in my free time, I’m crazy I know) and was explaining orphaned files to a student, so I thought I’d write some stuff down about it. The main point of this post is to show how to manually modify the MFT to create orphaned entries and what they look like in FTK Imager (V3.4.2.2). Nothing groundbreaking 🙂

The student wanted to know what the [orphan] section under the Volume was in FTK Imager and I created a couple VHDs to show him.

The VHD contains a folder, ‘First Folder’, which held a subfolder (which in turn held another subfolder). I then deleted ‘First Folder’, as can be seen in the screenshot below.

[Screenshot: deleted]

As we can see, the folder has a Deleted icon, and because its MFT record is still intact, it still appears in its original place in the tree.

I then opened the MFT record in a hex editor and manually deleted the start of the record (its header).

[Screenshot: modification of file record]

As a result, the record is no longer parsed. The subfolders, however, still have valid (deleted) file records, but their parent reference now points at a record that no longer exists, so FTK doesn’t know where to put them.

FTK Imager (and other tools) will group these files and folders into the [orphan] virtual directory.

[Screenshot: orphan]

Trying to figure out where the folders originally existed is a problem for another day.

I have the VHDs if anyone wants to have a look at them. Hope someone finds this helpful 🙂

I found a good explanation of Orphaned Files here as well as a paper by AccessData. And for more information about the $MFT, check out Matt’s post on NTFS, and of course Brian Carrier’s book.

9 comments

  1. It’s a bit weird that the tool doesn’t differentiate the orphaned files based on their parent ids at least. Or does it?
    When I wrote RecuperaBit, one of the most obvious things that came to my mind was something like: if “Second Folder” has a parent with id 27, but I don’t have any file record matching that value, I will create a ghost directory called Dir_27 and put only files whose parent is 27 there.
    This way orphaned files do not all end in the same place, but at least they are a bit organized.

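As an added example (not code from the post or from RecuperaBit), here is a small Python model of the two behaviours described above: a parser that skips an MFT record whose header no longer starts with the FILE signature, and a tree rebuild that drops the still-valid children into [orphan], optionally grouped into Dir_<parent> ghost directories as the comment suggests. The record numbers, names and 48-byte header stubs are constructed to mirror the VHD in the post.

```python
from dataclasses import dataclass
MFT_ROOT = 5  # the NTFS root directory always occupies MFT record 5
FILE_SIGNATURE = b"FILE"  # magic at the start of every intact MFT record header

@dataclass
class MftEntry:
    record: int    # this entry's MFT record number
    parent: int    # parent directory's record number, as stored in $FILE_NAME
    name: str
    is_dir: bool
    header: bytes  # start of the raw record (constructed; only the magic matters here)

def parseable(entry):
    """A parser skips records whose header no longer starts with 'FILE'."""
    return entry.header[:4] == FILE_SIGNATURE

def build_tree(entries, ghost_dirs=False):
    """Map every parseable non-root entry to its path.

    Entries whose parent record is missing or not a directory go under
    [orphan]; with ghost_dirs=True they are grouped as [orphan]/Dir_<parent>,
    in the style the RecuperaBit comment describes.
    """
    by_record = {e.record: e for e in entries if parseable(e)}

    def path_of(e, seen=frozenset()):
        if e.record == MFT_ROOT:
            return ""
        parent = by_record.get(e.parent)
        # 'parent.record in seen' guards against a corrupted chain that loops
        if parent is None or not parent.is_dir or parent.record in seen:
            bucket = f"[orphan]/Dir_{e.parent}" if ghost_dirs else "[orphan]"
            return f"{bucket}/{e.name}"
        return f"{path_of(parent, seen | {e.record})}/{e.name}".lstrip("/")
    return {path_of(e): e for e in by_record.values() if e.record != MFT_ROOT}

# Constructed sample mirroring the VHD in the post: record 64 had its header wiped.
GOOD = FILE_SIGNATURE + b"\x00" * 44
WIPED = b"\x00" * 48
SAMPLE = [
    MftEntry(MFT_ROOT, MFT_ROOT, ".", True, GOOD),
    MftEntry(64, MFT_ROOT, "First Folder", True, WIPED),
    MftEntry(65, 64, "Second Folder", True, GOOD),
    MftEntry(66, 65, "Third Folder", True, GOOD),
    MftEntry(67, 66, "notes.txt", False, GOOD),
]

if __name__ == "__main__":
    for flag in (False, True):
        print(*sorted(build_tree(SAMPLE, ghost_dirs=flag)), sep="\n")
```

With the header of record 64 wiped, ‘First Folder’ disappears entirely while its intact children keep their relative structure under [orphan], which is exactly what the FTK Imager screenshot shows.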