Doing forensics to Microsoft Windows FAT/NTFS recycle bin file from Linux system
When I’m trying to build Stagos FSE, I found an interesting tools called rifiuti (it’s italian word for trash). On forensics world, it used to look for some important file (ofcourse, the one which has a relation with the case) that still hidden on Windows recycle file. My curiosity (again) come to me, I wonder how the progs work. So I’m starting to searching about this on the internet, and found a nice article wrote by Keith J. Jones from Foundstone. Now I will try to explain, what’s happend when someone delete their file on Windows system. The aim of this article, is the help some people who had a problem when they should check / examine Windows partition from Linux system.
When you’re trying to delete a file from the system (Windows operating systems), it is not really deleted. The file will be stored on a repository called recycle bin. Well,actually the reason from the existence of the recycle bin is to allow a user to retrieve a document when he accidentally delete the file. And in order for Windows to undelete the file, a certain information will be stored in a records, so the original information about the file still can be accessed and restored, for example the file name, the file type etc. the file which containing about this information named INFO2 file, and store inside the recycle bin directory. You may found it on folder /Recycled for FAT filesystem and /Recycler/<user sid>. (btw, like I said before, the aim of this article is to help Linux user to access Windows rcycle bin,so I will use / for directory path).
Now, what will happend to your file when you delete it? The file will moved into recycle bin directory, like I said before, the directory depends on what file system you’re using on, in my example, I’m using FAT file system, so it should be stored in /Recycler directory. After moving the file into the folder, Windows will rename te file into this format
Dc(Number).Extension
for example, someone delete a zip file on his system, so Windows will rename it into Dc1.zip. take a look to below example, when I’m trying to access Windows recycle bin directory from my Linux live cd.
stagos@StagosFSE:/media/hdb1/Recycled$ ls -al
total 40
drwxrwx— 2 root plugdev 8192 2007-08-02 22:21 .
drwxrwx— 12 root plugdev 8192 1970-01-01 07:00 ..
-rwxrwx— 1 root plugdev 3823 2008-01-26 22:11 Dc1.zip
-rwxrwx— 1 root plugdev 65 2008-01-20 13:00 desktop.ini
-rwxrwx— 1 root plugdev 820 2008-01-27 09:05 info2
stagos@StagosFSE:/media/hdb1/Recycled$
as more file deleted on the system, the number of the file will be increases by one. The number is an indexing number for the file which will readed by INFO2 file. When the recycle bin empty, the INFO2 file will also deleted and then Windows will create a nwe INFO2 file which will reset the number counter into 0.
Next, INFO2 file store some information related with the deleted file like;
-The file’s original full path name
-The file’s size
-The date and time when the file was moved into the recycle bin
-The file’s unique ID number within the Recycle Bin
this information will be used when Windows try to undelete the file.Upon opening the INFO2 file in a hex editor, we will locate these structures. When viewing the INFO2 file in a hex editor, it is easy to see that each recycle record is 0×320 bytes long (see Figure 2). If we examine the INFO2 file header, we see that “20 03 00 00â€, which translates to 0×320, is found at byte offset 0xC. The first valid recycle record is located immediately after the recycle record size information.I’m using hte hexeditor to see the INFO2 file.
So, why we doinf this? in forensics world, to know what file has been deleted on evidence disk is a verry important information. From Linux shell we already know some important information without looking at INFO2 file (insyaALLAH in next post I will try to explain how we can read the information related with the deleted file on INFO2 file), like when the file was deleted and also the size of the file, but we still couldn’t know where is the original file placed before it was deleted. And, this is where a hexeditor needed to read INFO2 file. With hexeditor you can easily found the string on the ASCII mode view. It show the original path from the file before it was deleted. see image above.
Now, what should we do after we found out the file on the evidence recycle bin directory? firts of all, write a report or a log, which contain all information relate with the process. Here are the example;
————————————————–Report———————————————————————————–
Sun, Nov 22 2007, 12:22:13
Examine the evidence harddisk, looking for deleted file on recycle bin.
#mount /dev/hda1 /mnt/eviddrive_C
#cd /mnt/eviddrive_C/Recycler/
#ls -al
total 40
drwxrwx— 2 root plugdev 8192 2007-08-02 22:21 .
drwxrwx— 12 root plugdev 8192 1970-01-01 07:00 ..
-rwxrwx— 1 root plugdev 3823 2008-01-26 22:11 Dc1.zip
-rwxrwx— 1 root plugdev 65 2008-01-20 13:00 desktop.ini
-rwxrwx— 1 root plugdev 820 2008-01-27 09:05 info2
#
has found out 1 deleted file
Windows deleted filename : Dc1.zip
Deleted time : 01/26/2008
File size : 3823 byte
File type : .zip
analyzing INFO2 file to find out the original name of the file and the original path from the file. Using hexeditor application (you can use GHex2, it can generate the output into html)
Hex editor application : GHex2
data
Original file name : 9124799516.zip
Original file path : C:\Program Files\Ontrack\EasyRecovery Professional\Repaired\
Forensic examiner : Mada R Perdhana
——————————————————————————————————————————————-
After write the log, we should copy the file. The purposes from copying the file;
1. try to find out as much possible information that included on the file
2. backup the evidence
to do that, just open default Linux file manager, and point out the path to /mnt/eviddrive_C/Recycler/, the copy all the file on it.
All the process above can be easily done by using rifiuti. Just run rifiuti, an it will show you all the information on an INFO2 file on Windows recycle bin directory.
June 10th, 2009 at 10:04 pm
wow!!
Simple but usefull..
Thanks a lot.