
In the news; AZ audit; where did the red x come from?

Posted: Wed May 19, 2021 3:59 pm
by whkle23
If you haven't seen, R-Studio is in the news. Feel free to ignore this post if you don't think it's worth your time. But I am curious about the technical people's take on this:
https://www.cnn.com/2021/05/18/politics ... index.html
https://www.thegatewaypundit.com/2021/0 ... les-video/

Basically the tl;dr is:
Auditors: "You deleted files!". Proof? R-studio showing red "x" on files. See complaint PDF here:
https://cdn.donaldjtrump.com/djtweb/gen ... _Board.pdf

Maricopa County: "No you just didn't configure R-studio correctly, the data is there"
Response PDF here:
https://www.maricopa.gov/DocumentCenter ... ts-5172021
https://www.maricopa.gov/DocumentCenter ... nn---FINAL

So as those in the know, can you satisfy my curiosity? Do the red 'x's mean that those files were actually intentionally deleted, or does the explanation that misconfigured RAID parameters could falsely show 'deleted'/'corrupt'/'inaccessible' files hold water?

Thanks for your time.

Re: In the news; AZ audit; where did the red x come from?

Posted: Fri May 21, 2021 10:46 am
by Alt
Based on the R-Studio screenshot provided in the referenced document, we assume that:

1. R-Studio scanned and analyzed an image of a certain storage device (object), but we cannot assert with any certainty that the image corresponds to the original state of that storage device since it wasn't done in our lab.

2. We also cannot determine the type of the original object, as it could be a RAID, a single physical disk, or a virtual device.

3. R-Studio marks files as "deleted" on a volume if the operating system doesn't show these files when it opens the volume through the standard file enumeration procedures. The reason for this could be one of the following:

* The files are marked as "deleted" by the operating system.

* The files are not marked as "deleted" by the operating system but their parent folders were marked as "deleted".

* The files have been found by using R-Studio's additional methods of object data analysis such as, for example, analysis of the $LogFile file or analysis of extra found MFT extents.

4. As explained above, we cannot determine whether the original object was a RAID or not, but usually files from an incorrectly assembled RAID cannot be recovered with correct content, especially when the files are large.
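
As an added illustration that is not part of the thread and is not R-Studio's code: on NTFS, the first two reasons in point 3 correspond to the in-use flag in a file's own MFT record and in the records of its parent folders. The sketch assumes a simplified record layout (no update-sequence fixups, a truncated $FILE_NAME attribute) and constructed sample records; `make_record`, `parse_record` and `classify` are hypothetical names.

```python
import struct

IN_USE, IS_DIR = 0x0001, 0x0002        # flag bits at offset 0x16 of a FILE record
FILE_NAME, END = 0x30, 0xFFFFFFFF      # $FILE_NAME attribute type, end-of-attributes marker
ROOT = 5                               # MFT record 5 is the volume's root directory

def make_record(flags, parent):
    """Constructed test data: minimal FILE record with one truncated resident $FILE_NAME."""
    hdr = bytearray(56)
    hdr[0:4] = b"FILE"
    struct.pack_into("<HH", hdr, 0x14, 56, flags)      # first-attribute offset, flags
    content = struct.pack("<Q", parent | (1 << 48))    # parent record no. + sequence no.
    attr = struct.pack("<IIBBHHHIHBB", FILE_NAME, 32, 0, 0, 0, 0, 0, 8, 24, 0, 0)
    return bytes(hdr) + attr + content + struct.pack("<I", END)

def parse_record(rec):
    """Return (in_use, parent_record_number); update-sequence fixups are ignored."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    parent = None
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen == 0:
            break
        if atype == FILE_NAME:
            coff = struct.unpack_from("<H", rec, off + 0x14)[0]
            parent = struct.unpack_from("<Q", rec, off + coff)[0] & 0xFFFFFFFFFFFF
            break
        off += alen
    return bool(flags & IN_USE), parent

def classify(mft, n):
    """mft maps record number -> raw record bytes; returns the state of record n."""
    in_use, parent = parse_record(mft[n])
    if not in_use:
        return "record flagged not-in-use"
    seen = {n}
    while parent is not None and parent != ROOT and parent in mft and parent not in seen:
        seen.add(parent)
        parent_in_use, parent = parse_record(mft[parent])
        if not parent_in_use:
            return "parent folder flagged not-in-use"
    return "live"

SAMPLE = {  # constructed records, not taken from any real volume
    5: make_record(IN_USE | IS_DIR, 5), 40: make_record(IN_USE | IS_DIR, 5),
    41: make_record(IS_DIR, 5), 50: make_record(IN_USE, 40),
    51: make_record(0, 40), 52: make_record(IN_USE, 41),
}
```

In the constructed sample, records 51 and 52 reach the "deleted" state by different routes, and in both cases the flag alone carries no information about what cleared it.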

Re: In the news; AZ audit; where did the red x come from?

Posted: Fri May 21, 2021 11:20 am
by whkle23
Thank you for your reply and time.

So to be totally clear here:
1) The red 'x's don't always reflect intentional deletion (your third bullet, I believe)?
2) Could a misconfigured RAID produce the red xs and therefore NOT reflect an intentional deletion?

Re: In the news; AZ audit; where did the red x come from?

Posted: Fri May 21, 2021 11:41 am
by Alt
whkle23 wrote:
Fri May 21, 2021 11:20 am
1) The red 'x's don't always reflect intentional deletion (your third bullet, I believe)?
In the text above, "deletion" doesn't equal "intentional deletion". Files may be deleted intentionally, unintentionally (by mistake, for example), or due to some system glitch, without any human participation. The latter isn't a rare case.
Moreover, quite often such a system glitch may affect the file records in such a way that a file may be marked as deleted even if it's not.
whkle23 wrote:
Fri May 21, 2021 11:20 am
2) Could a misconfigured RAID produce the red xs and therefore NOT reflect an intentional deletion?
Yes it can, and often does. But "deletion", not "intentional" or "unintentional" deletion.

Please note that the text above is general speculation, and nothing can be certain until the actual hardware and software are inspected by professional computer forensic experts with enough qualification and experience. Even professional data recovery specialists may not be qualified for such a job.

Re: In the news; AZ audit; where did the red x come from?

Posted: Fri May 21, 2021 12:12 pm
by whkle23
Thanks so much for your time.