Sunday, April 13, 2014

Hidden Behind the Cumulonimbus Part 2A

This is the second part of the "Hidden Behind the Cumulonimbus Part 2" blog post. This post continues to cover the IDTEMP folder.


Delete and Archive Cleanup Files
After deleting files within IDrive, one additional file is created in the IDTEMP folder. This file is called “Delete.txt”. It contains the filename and file path of the file(s)/folder(s) deleted from the IDrive backup set. Moreover, after a user performs an archive cleanup, the files “Delete.txt”, “Delete_Args.txt”, and “OutputFile_Delete.txt” all change to reflect the files that were cleaned up. These files will contain details about the files that were deleted during an archive cleanup. Since these files contain the same data as the data added after deleting a file from the IDrive backup set, an investigator will not be able to tell whether a file was deleted during an archive cleanup or by a deletion within the IDrive backup set.

There is also an additional file added to the IDTEMP folder, called “DFTDelete.txt”, which is added after a user deletes a file from the IDrive trash.  This file is similar to the “Delete.txt”, as it contains the filename and file path of the file that was deleted from the trash.

Delete.txt

Moved to Original (MTO) Files
After file(s)/folder(s) have been deleted and sent to the IDrive trash, a user has the ability to restore these files to their original location within the IDrive backup set. After a user moves the files, an additional file called “MTOFile.txt” is added to the IDTEMP folder. Within this file an investigator will find a list of the file(s)/folder(s) moved back from the IDrive trash, which includes the filename and path of each file/folder.

MTOFile.txt
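The three artifacts described above (Delete.txt, DFTDelete.txt and MTOFile.txt) only make sense when read together, so here is a small triage helper that does that. This is an added example written for this post, not IDrive's code; the post does not document the exact layout of these files, so the one-full-path-per-line format and the sample contents are constructed assumptions. It also encodes the caveat from the Delete.txt section: an entry there cannot distinguish a manual deletion from an archive cleanup, and because the file is rewritten on each cleanup, a snapshot only reflects the most recent operation.

```python
"""Triage helper for IDrive IDTEMP artifacts.

Added example for the blog post above; not IDrive's own code.
Assumption (not stated on the page): each artifact is a plain text
file with one full path per line. Sample contents are constructed.
"""
import tempfile
from pathlib import Path

# Which IDTEMP artifact records which operation, per the post.
ARTIFACTS = {
    "Delete.txt": "deleted",     # deleted from the backup set OR an archive cleanup
    "DFTDelete.txt": "purged",   # deleted from the IDrive trash
    "MTOFile.txt": "restored",   # moved from the IDrive trash back to its original path
}

# Constructed sample IDTEMP contents (assumed one path per line).
SAMPLE_IDTEMP = {
    "Delete.txt": (
        "C:\\Users\\alice\\Documents\\budget.xlsx\n"
        "C:\\Users\\alice\\Documents\\old\\notes.txt\n"
    ),
    "DFTDelete.txt": "C:\\Users\\alice\\Documents\\old\\notes.txt\n",
    "MTOFile.txt": "C:\\Users\\alice\\Documents\\budget.xlsx\n",
}


def make_sample_idtemp():
    """Write the constructed sample artifacts into a fresh temp directory."""
    d = Path(tempfile.mkdtemp(prefix="idtemp_"))
    for name, body in SAMPLE_IDTEMP.items():
        (d / name).write_text(body, encoding="utf-8")
    return d


def read_paths(idtemp_dir, name):
    """Return the non-empty lines of one artifact, or [] if it is absent."""
    p = Path(idtemp_dir) / name
    if not p.is_file():
        return []
    text = p.read_text(encoding="utf-8", errors="replace")
    return [line.strip() for line in text.splitlines() if line.strip()]


def triage(idtemp_dir):
    """Combine the three artifacts into a {path: status} view.

    Note: Delete.txt is rewritten by an archive cleanup, so the result
    describes the state of the artifacts at acquisition time, not a
    full history of every deletion.
    """
    ops_by_path = {}
    for name, op in ARTIFACTS.items():
        for path in read_paths(idtemp_dir, name):
            ops_by_path.setdefault(path, set()).add(op)

    result = {}
    for path, ops in ops_by_path.items():
        if "purged" in ops:
            # DFTDelete.txt: removed from the trash, so no longer recoverable there.
            result[path] = "purged from IDrive trash"
        elif {"deleted", "restored"} <= ops:
            result[path] = "deleted, then restored from trash"
        elif "restored" in ops:
            result[path] = "restored from trash (no matching Delete.txt entry)"
        else:
            # Delete.txt alone: manual delete vs. archive cleanup is indistinguishable.
            result[path] = "deleted from backup set or archive cleanup (indistinguishable)"
    return result


if __name__ == "__main__":
    for path, status in sorted(triage(make_sample_idtemp()).items()):
        print(f"{status:60s} {path}")
```

Point `triage()` at a copied IDTEMP folder from an image rather than the sample directory; the status strings are intentionally conservative, so a path that appears only in Delete.txt is never reported as a confirmed user deletion.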
