I was sitting in an Intro to Forensics lecture recently (in my free time, I’m crazy I know) and was explaining orphaned files to a student so thought I’d just write some stuff down about it. The main point of the post was showing how to manually modify the MFT to create orphaned entries and what they look like in FTK Imager (V220.127.116.11). Nothing groundbreaking 🙂
The student wanted to know what the [orphan] section under the Volume was in FTK Imager and I created a couple VHDs to show him.
The VHD has a folder, ‘First Folder’, which contained a subfolder (and another subfolder). Afterwards, I deleted ‘First Folder’, which can be seen in the screenshot below.
As we can see, the folder has a Deleted icon, and because the record is still there, it’s still in its place in the MFT.
I then went to the MFT record in a hex editor and manually deleted the start of the record.
As a result, the record isn’t parsed. The other folders however still have valid, deleted, file records, but FTK doesn’t know where to put them.
FTK Imager (and other tools) will group these files and folders into the [orphan] virtual directory.
Trying to figure out where the folders originally existed is a problem for another day.
I have the VHDs if anyone wants to have a look at them. Hope someone finds this helpful 🙂