How to show list of deleted files in windows file system

Question

Hello, I am wondering if it is possible to compile a list of deleted files on a windows file system, FAT or NTFS. I do not need to actually recover the files, only have access to their name and any other accessible time (time deleted, created etc).

Even if I can run a cmd line tool to achieve this it would be acceptable.

The application is being developed in Python, however if another language has the capability I could always create a small component implemented in that language.

Thanks.

Answer 1

This is a very complex task. I woudl look at open-source forensic tools. You also should analyze the recylcing bin ( not completly deleted file )

For FAT you will not be able to get the first character of a deleted file. For some deleted files the metadata will be gone.

NTFS is much more complex and time consuming due to the more complex nature of this file system.