其中 $I 的文件中 的檔案格式 會記載著 檔案遭刪除的時間
詳細如 https://www.csee.umbc.edu/courses/undergraduate/FYS102D/Recycle.Bin.Forensics.for.Windows7.and.Windows.Vista.pdf
At offset 0x10 is the hexadecimal value
D0 DD 76 3C 2B A9 C8 01
Machor explains that this is the time at which the file was deleted (represented as an offset from January 1,
1601, and expressed in 100 nanoseconds).6 Since this is a number in Little Endian format, one converts it to Big Endian and gets this result
01 C8 A9 2B 3C 76 DD D0
Converting this hexadecimal value to a decimal value (again, by using a conversion calculator) we get the number 128,538,592,543,170,000. Machor states that this number is the time the file was deleted, but expressed as the number of 100 nano-seconds from January 1, 1601. To convert this number to a more usable size, one multiplies the number by 100 (to convert it from 100 nano-seconds to nano-seconds) and then divides it by 1,000,000,000 to convert it from nano-seconds to seconds.
To calculate the exact time and date at which the file was deleted, one just needs to add the result of the calculation, 12,853,859,254.3170 seconds, to January 1, 1601. Fortunately, the WinHex tool does this calculation. The resulting date and time is 4/28/2008, 12:27:34 (in 24 hour notation), expressed in Universal Coordinated Time (UTC).
2.萬一 很不幸的事情發生在於如果對方是使用 shift + delete 或是 $I 檔案已經遭到毀損,則需要查看 NTFS 下的 journal 檔案 詳細 如 :
3.如果使用奇怪的軟體刪除,如何查看刪除之方式,及 刪除之方法。
1.如何查看 是否有使用過奇怪的軟體
2.刪除軟體所留下來的足跡要如何查詢
3.軟體刪除後等等相關檔案。
沒有留言:
張貼留言