Solution 1)
From a command prompt:
dir /X
This will list your files or folders in short name format. Then use the short name exactly as written to delete the file:
del LONGFI~1.txt
You are done! :)
Solution 2)
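Try this in a Command Prompt. Note that rd /s removes the whole directory tree, including every file and subfolder in it, not just the one file.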
rd /s first_part_of_subdirectory_name
e.g. if the file is called "C:\temp\Files\verylongfilenames.ext"
rd /s C:\temp\Files
Friday, November 8, 2013
Monday, October 28, 2013
What is the EnCase "Lost Files" folder
This was posted by Jeffery Misner. I want to give credit for the source.
What is the Lost Files folder?
EnCase has a different method (compared to FAT) for recovering deleted files and folders with NTFS evidence files. When you add an NTFS Evidence file to EnCase, you will notice a folder added automatically to the evidence file in the case view called "Lost Files." In the MFT (Master File Table) in NTFS, all files and folders are marked as a folder or file, and are associated to a "parent."
Suppose you have a folder containing many files. Those files are its "children." For those files to become "lost," you delete them along with the folder itself. You then create a new folder. The entry in the MFT for the old folder is overwritten. So the original "parent" folder and its entry in the MFT are gone. But its "children," while deleted, have not been overwritten, and their entries are still in the MFT. EnCase can then tell what those files are, but there is no longer any record of what folder those files were in. Because of this, all those files (without parent folders anymore) are lumped into the "Lost Files" folder that EnCase creates and places in the Entries view so that you can see those files.
That is different from the recover folders feature, btw. Also note that Lost Files only appear for NTFS volumes since FAT does not work the same way.
Note: There is no way you can see those deleted files without using specialized software like EnCase.
Original source link : http://www.forensicfocus.com/Forums/viewtopic/t=2718/
Thursday, September 26, 2013
How to get hard drive serial number from command line on Windows computer?
Get the manufacturer's serial number of the hard drive:
C:\>wmic diskdrive get serialnumber
Get the volume serial number:
C:\>vol C:
Get Drive Info:
C:\>wmic diskdrive list brief
Get service tag report:
C:\>wmic csproduct get name,vendor,identifyingNumber
Determine when Windows was installed on a computer
C:\>wmic OS Get InstallDate
InstallDate
20091204171103.000000+480
You can easily read this output by adding the relevant separators, giving the form: 2011-02-14 13:36:58
The install date is stored in the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate as UNIX time
(32-bit value containing the number of seconds since 1/1/1970).
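The two representations above can be decoded and cross-checked offline. This is an added example, not code from the original post: the function names are hypothetical, the wmic string is the output shown above, and the registry DWORD is a constructed value chosen to match it.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# wmic prints CIM datetimes: yyyymmddHHMMSS.ffffff, then a signed UTC offset
# in MINUTES (so +480 means UTC+8, not 4:80).
CIM_RE = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_wmic_datetime(text):
    """Return a timezone-aware datetime for a wmic/CIM datetime string."""
    m = CIM_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CIM datetime: {text!r}")
    stamp, micros, sign, minutes = m.groups()
    offset = timedelta(minutes=int(minutes)) * (1 if sign == "+" else -1)
    local = datetime.strptime(stamp, "%Y%m%d%H%M%S")
    return local.replace(microsecond=int(micros), tzinfo=timezone(offset))


def parse_registry_installdate(value):
    """Convert the InstallDate DWORD (int, or 4 raw little-endian bytes
    as stored in an offline hive) to a UTC datetime."""
    if isinstance(value, (bytes, bytearray)):
        if len(value) != 4:
            raise ValueError("REG_DWORD data must be exactly 4 bytes")
        (value,) = struct.unpack("<I", value)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("InstallDate must fit in an unsigned 32-bit value")
    return EPOCH + timedelta(seconds=value)


def install_dates_agree(wmic_text, reg_value, tolerance_seconds=1):
    """True when both sources describe the same instant."""
    delta = parse_wmic_datetime(wmic_text) - parse_registry_installdate(reg_value)
    return abs(delta.total_seconds()) <= tolerance_seconds


if __name__ == "__main__":
    wmic_out = "20091204171103.000000+480"   # output shown on this page
    reg_dword = 1259917863                   # constructed to match it
    print(parse_wmic_datetime(wmic_out).isoformat())
    print(parse_registry_installdate(reg_dword).isoformat())
    print(install_dates_agree(wmic_out, reg_dword))
```

The wmic value is local time with its offset attached, while the registry value is UTC seconds, so compare them only after normalising both to the same time zone.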
For more information, see:
http://blogs.technet.com/b/askperf/archive/2012/02/17/useful-wmic-queries.aspx
http://theinterw3bs.com/wiki/index.php?title=WMIC_Commands
http://travisaltman.com/one-liner-commands-for-windows-cheat-sheet/
Monday, April 1, 2013
MS Outlook Data File (*.pst) Location in NTUSER.DAT
MS Outlook Data file (*.pst) location in NTUSER.DAT
HKEY_CURRENT_USER\Software\Microsoft\Office\[versionNumber]\Outlook\Catalog
Sample:
MS Outlook 2007
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Catalog
MS Outlook 2010
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search\Catalog
Other Location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\PST
Friday, March 22, 2013
EnCase Date Formats:
EnCase reports these dates as follows:
Windows "File Created" = EnCase "File Created"
Windows "File Modified" = EnCase "Last Written"
Windows "File Accessed" = EnCase "Last Accessed"
Windows "MFT last written" = EnCase "Entry Modified"
Windows "INFO2 file deleted date/time" = EnCase "File Deleted"
Source URL:
http://whereismydata.wordpress.com/2009/04/10/forensics-what-does-entry-modified-mean-in-encase/
http://whereismydata.wordpress.com/2009/02/14/dates-ntfs-created-modified-accessed-written/
https://whereismydata.wordpress.com/tag/entry-modified/