In the news; AZ audit; where did the red x come from?

A forum on data recovery using the professional data recovery software R-STUDIO.
whkle23
Posts: 3
Joined: Wed May 19, 2021 3:50 pm

In the news; AZ audit; where did the red x come from?

Post by whkle23 » Wed May 19, 2021 3:59 pm

If you haven't seen r-studio is in the news. Feel free to ignore this post if you don't think it's worth your time. But I am curious from the technical people's take on this:
https://www.cnn.com/2021/05/18/politics ... index.html
https://www.thegatewaypundit.com/2021/0 ... les-video/

Basically the tl;dr is:
Auditors: "You deleted files!". Proof? R-studio showing red "x" on files. See complaint PDF here:
https://cdn.donaldjtrump.com/djtweb/gen ... _Board.pdf

Maricopa County: "No you just didn't configure R-studio correctly, the data is there"
Response PDF here:
https://www.maricopa.gov/DocumentCenter ... ts-5172021
https://www.maricopa.gov/DocumentCenter ... nn---FINAL

So as those in the know, can you satisfy my curiosity? Do the red 'x's mean that those files were actually intentionally deleted, or does the explaination that misconfigured RAID parameters could falsely show 'deleted'/'corrupt'/'inaccessible' files hold water?

Thanks for your time.

Alt
Site Moderator
Posts: 3471
Joined: Tue Nov 11, 2008 2:13 pm
Contact:

Re: In the news; AZ audit; where did the red x come from?

Post by Alt » Fri May 21, 2021 10:46 am

Based on the R-Studio screenshot provided in the referenced document, we assume that:

1. R-Studio scanned and analyzed an image of a certain storage device (object), but we cannot assert with any certainty that the image corresponds to the original state of that storage device since it wasn't done in our lab.

2. We also cannot determine a type of the original object, as it could be a RAID, a single physical disk, or a virtual device.

3. R-Studio marks files as "deleted" on a volume if the operating system doesn't show these files when it opens the volume through the standard file enumeration procedures. The reason for this could be one of the following:

* The files are marked as "deleted" by the operating system.

* The files are not marked as "deleted" by the operating system but their parent folders were marked as "deleted".

* The files have been found by using R-Studio's additional methods of object data analysis such as, for example, analysis of the $LogFile file or analysis of extra found MFT extents.

4. As explained above, we cannot determine whether the original object was a RAID or not, but usually files from an incorrectly assembled RAID cannot be recovered with correct content, especially when the files are large.

whkle23
Posts: 3
Joined: Wed May 19, 2021 3:50 pm

Re: In the news; AZ audit; where did the red x come from?

Post by whkle23 » Fri May 21, 2021 11:20 am

Thank you for your reply and time.

So to be totally clear here:
1) The red 'x's don't always reflect intentional deletion (your third bullet, I believe)?
2) Could a misconfigured RAID produce the red xs and therefore NOT reflect an intentional deletion?

Alt
Site Moderator
Posts: 3471
Joined: Tue Nov 11, 2008 2:13 pm
Contact:

Re: In the news; AZ audit; where did the red x come from?

Post by Alt » Fri May 21, 2021 11:41 am

whkle23 wrote:
Fri May 21, 2021 11:20 am
1) The red 'x's don't always reflect intentional deletion (your third bullet, I believe)?
In the text above, "deletion" doesn't equal to "intentional deletion". Files may be deleted intentionally, unintentionally (by mistake, for example), or due to some system glitch, without any human participation. The latter isn't a rare case.
Moreover, quite often such system glitch may affect the file records in a way that the file may be marked as deleted even it's not.
whkle23 wrote:
Fri May 21, 2021 11:20 am
2) Could a misconfigured RAID produce the red xs and therefore NOT reflect an intentional deletion?
Yes it can, and often does. But "deletion", not "intentional" or "unintentional" deletion.

Please note that the text above is general speculations, and nothing can be certain until the actual hardware and software are inspected by professional computer forensic experts with enough qualification and experience. Even professional data recovery specialists may not be qualified for such job.

whkle23
Posts: 3
Joined: Wed May 19, 2021 3:50 pm

Re: In the news; AZ audit; where did the red x come from?

Post by whkle23 » Fri May 21, 2021 12:12 pm

Thanks so much for your time.

Post Reply