I'm not going to jump on the bandwagon with answers to all of these questions, as I think that they've been addressed very well so far.
TheOJM wrote:
Is it possible for that file not to be corrupted and is still accessible over months the time it was created?
One of the things I discuss in my courses and presentations is how active Windows systems are, even when the user doesn't do anything - there is a great deal that goes on even when no user is interacting with the system at the keyboard. Software updates, defrags, etc. As such, it's not likely that you'd be able to retrieve/carve deleted files, even a week or so after the date/time that the file was deleted.
I have seen instances where a file was deleted, and the system was shut down, and then not touched for several months. I've also seen cases where the system was in heavy use by the user after a specific date, and the system wasn't acquired for more than a year - in those cases, most of the information we were able to 'carve' was stuff that remained resident in logical files on the system, so it hadn't actually been deleted.