Режим Компьютерно-Технической (Криминалистической) Экспертизы |
Обратите внимание: Данный режим имеется только в версии Technician (Техническая Лицензия)! В этом режиме R-Studio создает специальный отчет по собранным данным для предоставления на слушаниях в суде. В отчет включена информация о конфигурации компьютера, используемого для сбора данных, и MD5 для восстановленных файлов. Обратите внимание: Каждый раз при изменении аппаратной конфигурации компьютера (подключение/отключение жесткого диска, внешнего USB устройства и т.д.) будет создаваться новый отчет. Чтобы включить данный режим Каждый раз при восстановлении файлов будет открываться диалоговое окно Forensic Log Settings . Введите необходимую информацию и нажмите кнопку OK , после чего вы перейдете к диалоговому окну Восстановить . При восстановлении файла R-Studio создаст специальный отчет по собранным данным в заданной папке. Ниже приведен пример данного отчета. ******************************** Forensic Data Collection Audit Log ********************************
R-STUDIO network edition Build 130041/Jan 8 2010
Case Name: Steven v. Christofer Case Number: 28-S-0205-CR-85763 Operator / Investigator Name: J.F. Lewson
**************************************** Drives Information ****************************************
- Drive Number 0 --------------------------------- * Drive Type [256 bytes]: Computer,Local Computer * Name [30 bytes]: Local Computer * OS [84 bytes]: Windows XP Pro Build 2600, Service Pack 3 * System [122 bytes]: 1 x Intel(R) Pentium(R) 4 CPU 1.80GHz, 1817 MHz, 1023 MB RAM
- Drive Number 2 --------------------------------- * Drive Type [256 bytes]: * Name [40 bytes]: ASUSDRW-0402P/D1.05 + Device Identification [4 bytes]: * Vendor [32 bytes]: ASUS * Product [64 bytes]: DRW-0402P/D * Firmware [16 bytes]: 1.05 + SCSI Address [4 bytes]: * Port Number [1 bytes]: 1 * Path Id [1 bytes]: 0 * Target Id [1 bytes]: 0 * Lun [1 bytes]: 0
- Drive Number 4 --------------------------------- * Drive Type [256 bytes]: * Name [48 bytes]: PromiseRAID Console1.00 + Device Identification [4 bytes]: * Vendor [32 bytes]: Promise * Product [64 bytes]: RAID Console * Firmware [16 bytes]: 1.00 + SCSI Address [4 bytes]: * Port Number [1 bytes]: 3 * Path Id [1 bytes]: 0 * Target Id [1 bytes]: 7 * Lun [1 bytes]: 0
- Drive Number 5 --------------------------------- * Drive Type [256 bytes]: Physical Drive,Disk * Name [28 bytes]: ST380215A3.AA * OS Object [38 bytes]: \\.\PhysicalDrive0 * R-Studio Driver [44 bytes]: WinNT\Handle\Physical * Size [8 bytes]: 74 Gb (156301488 sec) * Sector Size [4 bytes]: 512 b * Partition Size [8 bytes]: 74 Gb (156301488 sec) # I/O Tries [4 bytes]: Default + Drive Control [4 bytes]: # Maximum Transfer [4 bytes]: 131072 # I/O Unit [4 bytes]: 512 # Buffer Alignment [4 bytes]: 2 + Physical Drive Geometry [4 bytes]: * Cylinders [8 bytes]: 9729 * Tracks Per Cylinder [4 bytes]: 255 * Sectors Per Track [4 bytes]: 63 * Sector Size [4 bytes]: 512 b + Device Identification [4 bytes]: * Vendor [32 bytes]: ST380215 * Product [64 bytes]: A * Firmware [16 bytes]: 3.AA + SCSI Address [4 bytes]: * Port Number [1 bytes]: 0 * Path Id [1 bytes]: 0 * Target Id [1 bytes]: 0 * Lun [1 bytes]: 0 * Bus Type [4 bytes]: IDE/ATA
- Drive Number 6 --------------------------------- * Drive Type [256 bytes]: Physical Drive,Disk * Name [48 bytes]: QUANTUMFIREBALL EL5A08. * OS Object [38 bytes]: \\.\PhysicalDrive1 * R-Studio Driver [44 bytes]: WinNT\Handle\Physical * Size [8 bytes]: 4892 Mb (10018890 sec) * Sector Size [4 bytes]: 512 b * Partition Size [8 bytes]: 4892 Mb (10018890 sec) # I/O Tries [4 bytes]: Default + Drive Control [4 bytes]: # Maximum Transfer [4 bytes]: 65536 # I/O Unit [4 bytes]: 512 # Buffer Alignment [4 bytes]: 2 + Physical Drive Geometry [4 bytes]: * Cylinders [8 bytes]: 623 * Tracks Per Cylinder [4 bytes]: 255 * Sectors Per Track [4 bytes]: 63 * Sector Size [4 bytes]: 512 b + Device Identification [4 bytes]: * Vendor [32 bytes]: QUANTUM * Product [64 bytes]: FIREBALL EL5 * Firmware [16 bytes]: A08. + SCSI Address [4 bytes]: * Port Number [1 bytes]: 2 * Path Id [1 bytes]: 0 * Target Id [1 bytes]: 0 * Lun [1 bytes]: 0 * Bus Type [4 bytes]: IDE/ATA
- Drive Number 7 --------------------------------- * Drive Type [256 bytes]: Physical Drive,Disk * Name [36 bytes]: IOMEGAZIP 25032.G * OS Object [38 bytes]: \\.\PhysicalDrive2 * R-Studio Driver [44 bytes]: WinNT\Handle\Physical * Size [8 bytes]: 239 Mb (489532 sec) * Sector Size [4 bytes]: 512 b * Partition Size [8 bytes]: 239 Mb (489532 sec) # I/O Tries [4 bytes]: Default + Drive Control [4 bytes]: # Maximum Transfer [4 bytes]: 32768 # I/O Unit [4 bytes]: 512 # Buffer Alignment [4 bytes]: 4096 + Physical Drive Geometry [4 bytes]: * Cylinders [8 bytes]: 30 * Tracks Per Cylinder [4 bytes]: 255 * Sectors Per Track [4 bytes]: 63 * Sector Size [4 bytes]: 512 b + Device Identification [4 bytes]: * Vendor [32 bytes]: IOMEGA * Product [64 bytes]: ZIP 250 * Firmware [16 bytes]: 32.G * Bus Type [4 bytes]: USB
- Drive Number 8 --------------------------------- * Drive Type [256 bytes]: Physical Drive,Disk * Name [52 bytes]: USB 2.0Storage Device0100 * OS Object [38 bytes]: \\.\PhysicalDrive3 * R-Studio Driver [44 bytes]: WinNT\Handle\Physical * Size [8 bytes]: 37 Gb (78242976 sec) * Sector Size [4 bytes]: 512 b * Partition Size [8 bytes]: 37 Gb (78242976 sec) # I/O Tries [4 bytes]: Default + Drive Control [4 bytes]: # Maximum Transfer [4 bytes]: 32768 # I/O Unit [4 bytes]: 512 # Buffer Alignment [4 bytes]: 4096 + Physical Drive Geometry [4 bytes]: * Cylinders [8 bytes]: 4870 * Tracks Per Cylinder [4 bytes]: 255 * Sectors Per Track [4 bytes]: 63 * Sector Size [4 bytes]: 512 b + Device Identification [4 bytes]: * Vendor [32 bytes]: USB 2.0 * Product [64 bytes]: Storage Device * Firmware [16 bytes]: 0100 * Bus Type [4 bytes]: USB
- Drive Number 9 --------------------------------- * Drive Type [256 bytes]: Volume,Disk * Name [6 bytes]: F: * Mount Points [8 bytes]: F:\ * OS Object [98 bytes]: \\?\Volume{fc67c7f4-d459-11de-8468-0004e2378b92} * R-Studio Driver [42 bytes]: WinNT\Handle\Logical * Size [8 bytes]: 1780 Mb (3646628 sec) * Sector Size [4 bytes]: 512 b * Partition Offset [8 bytes]: 63 Kb (126 sec) * Partition Size [8 bytes]: 1780 Mb (3646628 sec) * Partition Number [4 bytes]: 1 * Partition Type [256 bytes]: NTFS/HPFS + NTFS Information [4 bytes]: * Cluster Size [4 bytes]: 2048 b (4 sec) * MFT Record Size [4 bytes]: 1024 b * MFT Position [8 bytes]: 12288 b (24 sec) * MFT Mirror Position [8 bytes]: 302 Kb (604 sec) * Index Block Size [4 bytes]: 4096 b * Sector Size [4 bytes]: 512 b * Volume Size [8 bytes]: 1780 Mb (3646624 sec) # I/O Tries [4 bytes]: Default + Drive Control [4 bytes]: # Maximum Transfer [4 bytes]: 65536 # I/O Unit [4 bytes]: 512 # Buffer Alignment [4 bytes]: 2 + Physical Drive Geometry [4 bytes]: * Cylinders [8 bytes]: 623 * Tracks Per Cylinder [4 bytes]: 255 * Sectors Per Track [4 bytes]: 63 * Sector Size [4 bytes]: 512 b + SCSI Address [4 bytes]: * Port Number [1 bytes]: 2 * Path Id [1 bytes]: 0 * Target Id [1 bytes]: 0 * Lun [1 bytes]: 0 * Bus Type [4 bytes]: IDE/ATA
- Drive Number 10 -------------------------------- * Drive Type [256 bytes]: Volume,Disk * Name [6 bytes]: G: * Mount Points [8 bytes]: G:\ * OS Object [98 bytes]: \\?\Volume{91268e18-d46f-11de-b297-806d6172696f} * R-Studio Driver [42 bytes]: WinNT\Handle\Logical * Size [8 bytes]: 1270 Mb (2602466 sec) * Sector Size [4 bytes]: 512 b * Partition Offset [8 bytes]: 1780 Mb (3646818 sec) * Partition Size [8 bytes]: 1270 Mb (2602466 sec) * Partition Number [4 bytes]: 2 * Partition Type [256 bytes]: FAT32 + FAT Information [4 bytes]: * FAT Bits (12,16,32) [4 bytes]: 32 * Cluster Size [4 bytes]: 4096 b (8 sec) * First Cluster Offset [8 bytes]: 2548 Kb (5096 sec) * Root Directory Cluster [4 bytes]: 2 * First FAT Offset [8 bytes]: 19456 b (38 sec) * Size of One FAT Table [8 bytes]: 1268 Kb (2537 sec) * Number of FAT Copies [4 bytes]: 2 # Active FAT copy [4 bytes]: Auto * Sector Size [4 bytes]: 512 b * Major Version [1 bytes]: 0 * Minor Version [1 bytes]: 0 * Volume Size [8 bytes]: 1270 Mb (2602466 sec) # I/O Tries [4 bytes]: Default + Drive Control [4 bytes]: # Maximum Transfer [4 bytes]: 65536 # I/O Unit [4 bytes]: 512 # Buffer Alignment [4 bytes]: 2 + Physical Drive Geometry [4 bytes]: * Cylinders [8 bytes]: 623 * Tracks Per Cylinder [4 bytes]: 255 * Sectors Per Track [4 bytes]: 63 * Sector Size [4 bytes]: 512 b + SCSI Address [4 bytes]: * Port Number [1 bytes]: 2 * Path Id [1 bytes]: 0 * Target Id [1 bytes]: 0 * Lun [1 bytes]: 0 * Bus Type [4 bytes]: IDE/ATA
- Drive Number 11 -------------------------------- * Drive Type [256 bytes]: Volume,Disk * Name [6 bytes]: H: * Mount Points [8 bytes]: H:\ * OS Object [98 bytes]: \\?\Volume{91268e19-d46f-11de-b297-806d6172696f} * R-Studio Driver [42 bytes]: WinNT\Handle\Logical * Size [8 bytes]: 1796 Mb (3678821 sec) * Sector Size [4 bytes]: 512 b * Partition Offset [8 bytes]: 3051 Mb (6249348 sec) * Partition Size [8 bytes]: 1796 Mb (3678821 sec) * Partition Number [4 bytes]: 3 * Partition Type [256 bytes]: FAT16 (big) + FAT Information [4 bytes]: * FAT Bits (12,16,32) [4 bytes]: 16 * Cluster Size [4 bytes]: 32 Kb (64 sec) * First Cluster Offset [8 bytes]: 178 Kb (356 sec) * Root Directory Offset [8 bytes]: 231424 * Root Directory Length [4 bytes]: 16384 b * First FAT Offset [8 bytes]: 1024 b (2 sec) * Size of One FAT Table [8 bytes]: 112 Kb (225 sec) * Number of FAT Copies [4 bytes]: 2 # Active FAT copy [4 bytes]: Auto * Sector Size [4 bytes]: 512 b * Major Version [1 bytes]: 0 * Minor Version [1 bytes]: 0 * Volume Size [8 bytes]: 1796 Mb (3678821 sec) # I/O Tries [4 bytes]: Default + Drive Control [4 bytes]: # Maximum Transfer [4 bytes]: 65536 # I/O Unit [4 bytes]: 512 # Buffer Alignment [4 bytes]: 2 + Physical Drive Geometry [4 bytes]: * Cylinders [8 bytes]: 623 * Tracks Per Cylinder [4 bytes]: 255 * Sectors Per Track [4 bytes]: 63 * Sector Size [4 bytes]: 512 b + SCSI Address [4 bytes]: * Port Number [1 bytes]: 2 * Path Id [1 bytes]: 0 * Target Id [1 bytes]: 0 * Lun [1 bytes]: 0 * Bus Type [4 bytes]: IDE/ATA
- Drive Number 12 -------------------------------- * Drive Type [256 bytes]: Volume,Disk * Name [6 bytes]: C: * Mount Points [8 bytes]: C:\ * OS Object [98 bytes]: \\?\Volume{a380f9d0-c3d6-11de-967c-806d6172696f} * R-Studio Driver [42 bytes]: WinNT\Handle\Logical * Size [8 bytes]: 21634 Mb (44307206 sec) * Sector Size [4 bytes]: 512 b * Partition Offset [8 bytes]: 32256 b (63 sec) * Partition Size [8 bytes]: 21634 Mb (44307206 sec) * Partition Number [4 bytes]: 1 * Partition Type [256 bytes]: NTFS/HPFS + NTFS Information [4 bytes]: * Cluster Size [4 bytes]: 4096 b (8 sec) * MFT Record Size [4 bytes]: 1024 b * MFT Position [8 bytes]: 624 Mb (1279424 sec) * MFT Mirror Position [8 bytes]: 1161 Mb (2378048 sec) * Index Block Size [4 bytes]: 4096 b * Sector Size [4 bytes]: 512 b * Volume Size [8 bytes]: 21634 Mb (44307200 sec) # I/O Tries [4 bytes]: Default + Drive Control [4 bytes]: # Maximum Transfer [4 bytes]: 131072 # I/O Unit [4 bytes]: 512 # Buffer Alignment [4 bytes]: 2 + Physical Drive Geometry [4 bytes]: * Cylinders [8 bytes]: 9729 * Tracks Per Cylinder [4 bytes]: 255 * Sectors Per Track [4 bytes]: 63 * Sector Size [4 bytes]: 512 b + SCSI Address [4 bytes]: * Port Number [1 bytes]: 0 * Path Id [1 bytes]: 0 * Target Id [1 bytes]: 0 * Lun [1 bytes]: 0 * Bus Type [4 bytes]: IDE/ATA
- Drive Number 13 -------------------------------- * Drive Type [256 bytes]: Volume,Disk * Name [6 bytes]: D: * Mount Points [8 bytes]: D:\ * OS Object [98 bytes]: \\?\Volume{471ed9d0-c3d8-11de-967e-0004e2378b92} * R-Studio Driver [42 bytes]: WinNT\Handle\Logical * Size [8 bytes]: 53 Gb (111994155 sec) * Sector Size [4 bytes]: 512 b * Partition Offset [8 bytes]: 21634 Mb (44307333 sec) * Partition Size [8 bytes]: 53 Gb (111994155 sec) * Partition Number [4 bytes]: 2 * Partition Type [256 bytes]: NTFS/HPFS + NTFS Information [4 bytes]: * Cluster Size [4 bytes]: 4096 b (8 sec) * MFT Record Size [4 bytes]: 1024 b * MFT Position [8 bytes]: 3072 Mb (6291456 sec) * MFT Mirror Position [8 bytes]: 14100 Mb (28876800 sec) * Index Block Size [4 bytes]: 4096 b * Sector Size [4 bytes]: 512 b * Volume Size [8 bytes]: 53 Gb (111994152 sec) # I/O Tries [4 bytes]: Default + Drive Control [4 bytes]: # Maximum Transfer [4 bytes]: 131072 # I/O Unit [4 bytes]: 512 # Buffer Alignment [4 bytes]: 2 + Physical Drive Geometry [4 bytes]: * Cylinders [8 bytes]: 9729 * Tracks Per Cylinder [4 bytes]: 255 * Sectors Per Track [4 bytes]: 63 * Sector Size [4 bytes]: 512 b + SCSI Address [4 bytes]: * Port Number [1 bytes]: 0 * Path Id [1 bytes]: 0 * Target Id [1 bytes]: 0 * Lun [1 bytes]: 0 * Bus Type [4 bytes]: IDE/ATA
- Drive Number 14 -------------------------------- * Drive Type [256 bytes]: Volume,CDROM * Name [6 bytes]: E: * Mount Points [8 bytes]: E:\ * OS Object [98 bytes]: \\?\Volume{79911e7d-632b-11d9-a2b8-806d6172696f} * R-Studio Driver [42 bytes]: WinNT\Handle\Logical * Sector Size [4 bytes]: 2048 b # I/O Tries [4 bytes]: Default + Drive Control [4 bytes]: # Maximum Transfer [4 bytes]: 131072 # I/O Unit [4 bytes]: 2048 # Buffer Alignment [4 bytes]: 2 + SCSI Address [4 bytes]: * Port Number [1 bytes]: 1 * Path Id [1 bytes]: 0 * Target Id [1 bytes]: 0 * Lun [1 bytes]: 0 * Bus Type [4 bytes]: IDE/ATAPI
- Drive Number 15 -------------------------------- * Drive Type [256 bytes]: Volume,Floppy * Name [6 bytes]: A: * Mount Points [8 bytes]: A:\ * OS Object [98 bytes]: \\?\Volume{62ef9d58-f9fc-11d8-8e66-806d6172696f} * R-Studio Driver [42 bytes]: WinNT\Handle\Logical * Sector Size [4 bytes]: 512 b # I/O Tries [4 bytes]: Default + Drive Control [4 bytes]: # Maximum Transfer [4 bytes]: 32768 # I/O Unit [4 bytes]: 512 # Buffer Alignment [4 bytes]: 4096
- Drive Number 16 -------------------------------- * Drive Type [256 bytes]: Volume,Floppy * Name [6 bytes]: I: * Mount Points [8 bytes]: I:\ * OS Object [98 bytes]: \\?\Volume{bd7eac6a-003b-11d9-8214-0004e2378b92} * R-Studio Driver [42 bytes]: WinNT\Handle\Logical * Size [8 bytes]: 238 Mb (489440 sec) * Sector Size [4 bytes]: 512 b * Partition Offset [8 bytes]: 16384 b (32 sec) * Partition Size [8 bytes]: 238 Mb (489440 sec) * Partition Number [4 bytes]: 1 + FAT Information [4 bytes]: * FAT Bits (12,16,32) [4 bytes]: 16 * Cluster Size [4 bytes]: 4096 b (8 sec) * First Cluster Offset [8 bytes]: 247 Kb (495 sec) * Root Directory Offset [8 bytes]: 245248 * Root Directory Length [4 bytes]: 16384 b * First FAT Offset [8 bytes]: 512 b (1 sec) * Size of One FAT Table [8 bytes]: 119 Kb (239 sec) * Number of FAT Copies [4 bytes]: 2 # Active FAT copy [4 bytes]: Auto * Sector Size [4 bytes]: 512 b * Major Version [1 bytes]: 0 * Minor Version [1 bytes]: 0 * Volume Size [8 bytes]: 238 Mb (489440 sec) # I/O Tries [4 bytes]: Default + Drive Control [4 bytes]: # Maximum Transfer [4 bytes]: 32768 # I/O Unit [4 bytes]: 512 # Buffer Alignment [4 bytes]: 4096 + Physical Drive Geometry [4 bytes]: * Cylinders [8 bytes]: 30 * Tracks Per Cylinder [4 bytes]: 255 * Sectors Per Track [4 bytes]: 63 * Sector Size [4 bytes]: 512 b * Bus Type [4 bytes]: USB
- Drive Number 17 -------------------------------- * Drive Type [256 bytes]: Volume,Disk * Name [6 bytes]: J: * Mount Points [8 bytes]: J:\ * OS Object [98 bytes]: \\?\Volume{567e88ce-e0f4-11de-9c8f-806d6172696f} * R-Studio Driver [42 bytes]: WinNT\Handle\Logical * Size [8 bytes]: 37 Gb (78220422 sec) * Sector Size [4 bytes]: 512 b * Partition Offset [8 bytes]: 8064 Kb (16128 sec) * Partition Size [8 bytes]: 37 Gb (78220422 sec) * Partition Number [4 bytes]: 1 * Partition Type [256 bytes]: NTFS/HPFS + NTFS Information [4 bytes]: * Cluster Size [4 bytes]: 4096 b (8 sec) * MFT Record Size [4 bytes]: 1024 b * MFT Position [8 bytes]: 3072 Mb (6291456 sec) * MFT Mirror Position [8 bytes]: 19096 Mb (39110208 sec) * Index Block Size [4 bytes]: 4096 b * Sector Size [4 bytes]: 512 b * Volume Size [8 bytes]: 37 Gb (78220421 sec) # I/O Tries [4 bytes]: Default + Drive Control [4 bytes]: # Maximum Transfer [4 bytes]: 32768 # I/O Unit [4 bytes]: 512 # Buffer Alignment [4 bytes]: 4096 + Physical Drive Geometry [4 bytes]: * Cylinders [8 bytes]: 4870 * Tracks Per Cylinder [4 bytes]: 255 * Sectors Per Track [4 bytes]: 63 * Sector Size [4 bytes]: 512 b * Bus Type [4 bytes]: USB
- Drive Number 18 -------------------------------- * Drive Type [256 bytes]: Partition,Active * Name [22 bytes]: Partition1 * Mount Points [8 bytes]: C:\ * Size [8 bytes]: 21634 Mb (44307206 sec) * Partition Offset [8 bytes]: 32256 b (63 sec) * Partition Size [8 bytes]: 21634 Mb (44307206 sec) * Partition Number [4 bytes]: 1 * Partition Type [256 bytes]: NTFS/HPFS + NTFS Information [4 bytes]: * Cluster Size [4 bytes]: 4096 b (8 sec) * MFT Record Size [4 bytes]: 1024 b * MFT Position [8 bytes]: 624 Mb (1279424 sec) * MFT Mirror Position [8 bytes]: 1161 Mb (2378048 sec) * Index Block Size [4 bytes]: 4096 b * Sector Size [4 bytes]: 512 b * Volume Size [8 bytes]: 21634 Mb (44307200 sec)
- Drive Number 19 -------------------------------- * Drive Type [256 bytes]: Partition,Logical * Name [22 bytes]: Partition2 * Mount Points [8 bytes]: D:\ * Size [8 bytes]: 53 Gb (111994155 sec) * Partition Offset [8 bytes]: 21634 Mb (44307333 sec) * Partition Size [8 bytes]: 53 Gb (111994155 sec) * Partition Number [4 bytes]: 2 * Partition Type [256 bytes]: NTFS/HPFS + NTFS Information [4 bytes]: * Cluster Size [4 bytes]: 4096 b (8 sec) * MFT Record Size [4 bytes]: 1024 b * MFT Position [8 bytes]: 3072 Mb (6291456 sec) * MFT Mirror Position [8 bytes]: 14100 Mb (28876800 sec) * Index Block Size [4 bytes]: 4096 b * Sector Size [4 bytes]: 512 b * Volume Size [8 bytes]: 53 Gb (111994152 sec)
- Drive Number 20 -------------------------------- * Drive Type [256 bytes]: Partition,Logical * Name [22 bytes]: Partition1 * Mount Points [8 bytes]: F:\ * Size [8 bytes]: 1780 Mb (3646628 sec) * Partition Offset [8 bytes]: 63 Kb (126 sec) * Partition Size [8 bytes]: 1780 Mb (3646628 sec) * Partition Number [4 bytes]: 1 * Partition Type [256 bytes]: NTFS/HPFS + NTFS Information [4 bytes]: * Cluster Size [4 bytes]: 2048 b (4 sec) * MFT Record Size [4 bytes]: 1024 b * MFT Position [8 bytes]: 12288 b (24 sec) * MFT Mirror Position [8 bytes]: 302 Kb (604 sec) * Index Block Size [4 bytes]: 4096 b * Sector Size [4 bytes]: 512 b * Volume Size [8 bytes]: 1780 Mb (3646624 sec)
- Drive Number 21 -------------------------------- * Drive Type [256 bytes]: Partition,Logical * Name [22 bytes]: Partition2 * Mount Points [8 bytes]: G:\ * Size [8 bytes]: 1270 Mb (2602466 sec) * Partition Offset [8 bytes]: 1780 Mb (3646818 sec) * Partition Size [8 bytes]: 1270 Mb (2602466 sec) * Partition Number [4 bytes]: 2 * Partition Type [256 bytes]: FAT32 + FAT Information [4 bytes]: * FAT Bits (12,16,32) [4 bytes]: 32 * Cluster Size [4 bytes]: 4096 b (8 sec) * First Cluster Offset [8 bytes]: 2548 Kb (5096 sec) * Root Directory Cluster [4 bytes]: 2 * First FAT Offset [8 bytes]: 19456 b (38 sec) * Size of One FAT Table [8 bytes]: 1268 Kb (2537 sec) * Number of FAT Copies [4 bytes]: 2 # Active FAT copy [4 bytes]: Auto * Sector Size [4 bytes]: 512 b * Major Version [1 bytes]: 0 * Minor Version [1 bytes]: 0 * Volume Size [8 bytes]: 1270 Mb (2602466 sec)
- Drive Number 22 -------------------------------- * Drive Type [256 bytes]: Partition,Logical * Name [22 bytes]: Partition3 * Mount Points [8 bytes]: H:\ * Size [8 bytes]: 1796 Mb (3678821 sec) * Partition Offset [8 bytes]: 3051 Mb (6249348 sec) * Partition Size [8 bytes]: 1796 Mb (3678821 sec) * Partition Number [4 bytes]: 3 * Partition Type [256 bytes]: FAT16 (big) + FAT Information [4 bytes]: * FAT Bits (12,16,32) [4 bytes]: 16 * Cluster Size [4 bytes]: 32 Kb (64 sec) * First Cluster Offset [8 bytes]: 178 Kb (356 sec) * Root Directory Offset [8 bytes]: 231424 * Root Directory Length [4 bytes]: 16384 b * First FAT Offset [8 bytes]: 1024 b (2 sec) * Size of One FAT Table [8 bytes]: 112 Kb (225 sec) * Number of FAT Copies [4 bytes]: 2 # Active FAT copy [4 bytes]: Auto * Sector Size [4 bytes]: 512 b * Major Version [1 bytes]: 0 * Minor Version [1 bytes]: 0 * Volume Size [8 bytes]: 1796 Mb (3678821 sec)
- Drive Number 23 -------------------------------- * Drive Type [256 bytes]: Empty Space * Name [28 bytes]: Empty Space23 * Size [8 bytes]: 44 Mb (90721 sec) * Partition Offset [8 bytes]: 4847 Mb (9928169 sec) * Partition Size [8 bytes]: 44 Mb (90721 sec)
- Drive Number 24 -------------------------------- * Drive Type [256 bytes]: Partition,Active * Name [22 bytes]: Partition1 * Mount Points [8 bytes]: I:\ * Size [8 bytes]: 238 Mb (489440 sec) * Partition Offset [8 bytes]: 16384 b (32 sec) * Partition Size [8 bytes]: 238 Mb (489440 sec) * Partition Number [4 bytes]: 1 * Partition Type [256 bytes]: FAT16 (big) + FAT Information [4 bytes]: * FAT Bits (12,16,32) [4 bytes]: 16 * Cluster Size [4 bytes]: 4096 b (8 sec) * First Cluster Offset [8 bytes]: 247 Kb (495 sec) * Root Directory Offset [8 bytes]: 245248 * Root Directory Length [4 bytes]: 16384 b * First FAT Offset [8 bytes]: 512 b (1 sec) * Size of One FAT Table [8 bytes]: 119 Kb (239 sec) * Number of FAT Copies [4 bytes]: 2 # Active FAT copy [4 bytes]: Auto * Sector Size [4 bytes]: 512 b * Major Version [1 bytes]: 0 * Minor Version [1 bytes]: 0 * Volume Size [8 bytes]: 238 Mb (489440 sec)
- Drive Number 25 -------------------------------- * Drive Type [256 bytes]: Partition,Logical * Name [22 bytes]: Partition1 * Mount Points [8 bytes]: J:\ * Size [8 bytes]: 37 Gb (78220422 sec) * Partition Offset [8 bytes]: 8064 Kb (16128 sec) * Partition Size [8 bytes]: 37 Gb (78220422 sec) * Partition Number [4 bytes]: 1 * Partition Type [256 bytes]: NTFS/HPFS + NTFS Information [4 bytes]: * Cluster Size [4 bytes]: 4096 b (8 sec) * MFT Record Size [4 bytes]: 1024 b * MFT Position [8 bytes]: 3072 Mb (6291456 sec) * MFT Mirror Position [8 bytes]: 19096 Mb (39110208 sec) * Index Block Size [4 bytes]: 4096 b * Sector Size [4 bytes]: 512 b * Volume Size [8 bytes]: 37 Gb (78220421 sec)
- Drive Number 26 -------------------------------- * Drive Type [256 bytes]: Empty Space * Name [28 bytes]: Empty Space26 * Size [8 bytes]: 8032 Kb (16064 sec) * Partition Offset [8 bytes]: 512 b (1 sec) * Partition Size [8 bytes]: 8032 Kb (16064 sec)
****************************************************************************************************
-------------------------------------------- Session 1 --------------------------------------------- START Date / Time of Collection: 2010-01-09 16:50:24
Source drive:Sector Modification Date MD5 File Name 10: 5112 Root 10: 5184 2007-04-27 09:56:56 Temp 10: 1068664 2009-11-01 19:24:10 Temp\TEMP 10: 287296 2007-04-27 09:56:42 d89b3a219c2b4c6c36ca60dd851b63e4 Temp\1.arc 10: 323576 2007-04-27 10:00:34 f201ccdd36bcb1a87c465fd92a61369e Temp\1.dsk 10: 5208 2005-06-30 23:50:06 TMP 10: 1068704 2009-11-01 19:13:02 TMP\TEMP 10: 5224 2005-06-30 23:50:28 Files to Recover 10: 5232 2005-03-21 21:22:26 bbf288488aa09a013919e7cd4428a828 Files to Recover\test1.arc 10: 406640 2005-03-21 21:23:42 2eceaa06087680171c189f2d60bf32fa Files to Recover\test3.arc 10: 283760 2005-03-21 21:24:58 d65b91fe8e5f3641d2d80d9da1ca00fe Files to Recover\?est5.arc 10: 216176 2003-11-16 23:13:14 3743dc1fef09606b97f2f8af77f0c2fa Files to Recover\Wipe Test 1.doc 10: 1264800 2003-11-16 23:13:20 addc1f7580d14d65e2b65b0fca0dea04 Files to Recover\Wipe Test 2.doc 10: 1264848 2003-11-16 23:13:26 596070fb58cfde5a502a0b44f919ab57 Files to Recover\Wipe Test 3.doc 10: 216320 2003-11-16 23:13:34 70d5bf4c1630cc2d65ffa7f171842c2b Files to Recover\Wipe Test 4.doc 10: 216368 2003-11-16 23:14:04 929fcf3b344b8fd1fee4af24388b622e Files to Recover\Wipe Test 5.doc 10: 1264992 2003-11-16 23:14:08 82bca2611ac7e31ee50da2aea997a41d Files to Recover\Wipe Test 6.doc 10: 83080 2005-07-06 21:24:18 e9f5ca4cad1cea3d5202a74fc69224c0 Files to Recover\~$pe Test 2.doc 10: 83168 2006-05-13 19:39:16 9c6338caa791315f2aadf9a55aab07bb Files to Recover\Outlook_recovered_by_R_Mail.pst 10: 83608 2006-05-14 17:15:32 85af76d9f2e3d5ca4028a8872a0ff12a Files to Recover\Outlook.pst 10: 1053688 2007-04-23 13:13:32 900822f2b78289cea2f62c8cfc3215d8 Files to Recover\Picture 113.jpg 10: 1059648 2007-04-23 13:15:22 4ef0427f18de06755aeb1cc0a9c65e84 Files to Recover\Picture 149.jpg 10: 1062928 2007-04-23 13:20:16 ffd0944df55bc375bda69def5f1d1f5e Files to Recover\Picture 237.jpg
END Date / Time of Collection: 2010-01-09 16:51:48 ---------------------------------------------------------------------------------------------------- |