Forensic Report

Windows7 logo   Intel logo

Forensic Report

Active@ UNDELETE is an advanced data recovery tool designed to recover data lost or deleted data, or even information from formatted hard disks.

Forensic Report is an advanced tool designed to collect files based on local user activity time frames. Files can be collected by the following date types:

  • By created date
  • By modified date
  • By accessed date

When Forensic Report view opens, it will automatically parse local Windows Log records to collect information about user sessions. Each following Forensic Scan will group files under corresponding user session time frame.

Forensic investigation results. Active@ UNDELETE

Figure 70: Forensic investigation results

Scan logical drives (volumes) to complete Forensic Report.

Forensic Scan

Use this command to investigate local volumes. See Investigate volumes for details.

Forensic Lookup

Use this command to re-populate local Windows Event Log. After log parsing completes, all previous volume scans will be analyzed again and the results will be shown in Forensic Report view.

Save Report

Use Save Report command to save your findings to a text file. From the context menu, detected files can be inspected, opened in Disk Editor, previewed, and more.


Investigate volumes

During the scan all deleted and existing files will that match defined criteria will be collected and grouped by User Sessions. The results (report) of a logical drive scan are displayed in a separate tabbed view. To create forensic reportof a logical drive(s):

1. Open Forensic Report tool

  • From the Command bar click Tools tab and then Forensic Report button
  • From main menu click Tools > Forensic Report command

2. Open the Investigate volumes dialog box

  • Click the Forensic Scan button from the view's toolbar.
Scan volumes dialog. Active@ UNDELETE

Figure 71: Scan volumes dialog

Date type

Additional drives can be selected to be scanned on the Logical Drives list. These will be scanned simultaneously.

Date range

Files can be collected by the following date types:

  • By Created Date
  • By Modified Date
  • By Accessed Date

Skip scanned volumes

Use this option to ignore already scanned volumes.

Collect deleted files only

Use this option to collect only deleted files in final report.

Click Investigate to initiate scans of selected logical drives (volumes) and analyze scan result based on users’ activity.

3. Scan selected volumes

File Filter toolbar. Active@ UNDELETE

Figure 72: Scan in progress

During the scan:

  • To display or hide scanning events and progress details toggle More\Less Info button at any time
  • To terminate the scan process, click Stop at any time. Results may be not accurate or complete

4. Review scan results

 Volume scan result view. Active@ UNDELETE

Figure 73: Volume scan result view

5. Save Forensic report (optional)

Final reports can be stored in a plain text file that contains lists of detected files grouped by user sessions, detailed information about scanned drives, and other user activities from Windows Event Log.

Data Recovery

Data Utility

Data Security

Data Backup

CD/DVD Tools