
Computer & Network Forensics


1 91.580.203 Computer & Network Forensics
Xinwen Fu Chapter 7/8 File Systems - Supplementary Materials

2 Outline More on recovering secret data FAT file system
Rename files/directories Delete files/directories Copy files/directories Print files Format a disk FAT file system Windows registry NTFS file system

3 Renaming Files Rename files and/or file extensions Example:
Rename extortion_letter.doc to fuzzy_bunny.jpg People looking for incriminating evidence probably won’t check a picture file called fuzzy_bunny.jpg

4 Rename Files (Cont.) The file header implies the file type
Check the real file type with a hex editor (WinHex or XVI32). File type signatures: 424D - .bmp; D0CF - .doc
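The check behind slide 4 in code, as an added Python example (not part of the slides): the 424D and D0CF signatures are the ones the slide gives, the JPEG signature FFD8FF is the standard one added here, and the listing being scanned is constructed.

```python
from typing import Optional, Tuple

# Added example, not from the slides: identify a file by its leading bytes
# (the "file header") rather than by its extension. 424D (.bmp) and D0CF
# (.doc, OLE compound document) are the signatures from slide 4; FFD8FF is
# the standard JPEG signature, added here. All sample headers are constructed.
MAGIC = [
    (bytes.fromhex("424D"), ".bmp"),               # "BM"
    (bytes.fromhex("D0CF11E0A1B11AE1"), ".doc"),   # OLE2 header, begins with D0 CF
    (bytes.fromhex("FFD8FF"), ".jpg"),
]


def sniff_type(header: bytes) -> Optional[str]:
    """Extension implied by the leading bytes, or None if no known signature matches."""
    for signature, ext in MAGIC:
        if header.startswith(signature):
            return ext
    return None


def claimed_extension(filename: str) -> str:
    """Lower-cased extension taken from the name ('' when there is none)."""
    return "." + filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def extension_mismatch(filename: str, header: bytes) -> Optional[Tuple[str, str]]:
    """(claimed, real) when the name says one thing and the content another, else None.
    Unknown content is not reported: the absence of a known signature proves nothing."""
    real = sniff_type(header)
    claimed = claimed_extension(filename)
    if real is not None and real != claimed:
        return claimed, real
    return None


def scan(listing):
    """listing: iterable of (filename, first bytes). Returns {name: (claimed, real)} for mismatches."""
    suspicious = {}
    for name, head in listing:
        mismatch = extension_mismatch(name, head)
        if mismatch is not None:
            suspicious[name] = mismatch
    return suspicious


# Constructed sample: the slide's renamed document, a real picture, a bitmap and an unknown file.
SAMPLE_LISTING = [
    ("fuzzy_bunny.jpg", bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 24),
    ("holiday.jpg", bytes.fromhex("FFD8FFE000104A464946")),
    ("logo.bmp", b"BM" + b"\x00" * 30),
    ("notes.txt", b"just some text"),
]

if __name__ == "__main__":
    for name, (claimed, real) in scan(SAMPLE_LISTING).items():
        print(f"{name}: extension says {claimed or '(none)'}, header says {real}")
```

Only the first few bytes of each file are needed, so on a real image this runs over every file without reading the contents; a miss in `MAGIC` is reported as nothing, not as a match, because many formats have no fixed header.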

5 Copying Files Scenario #1: Copying a file to a floppy disk or hard disk If you run out of space, the pointer to the file is removed, but the data that was copied to the sectors is left in place Scenario #2: Computer crashes while copying a file Again, the file contents copied to the unallocated sectors will exist, but the pointer to the data will not have been created

6 Printing a File When printing a file, it is spooled to the hard disk before it is printed. Spooling involves copying the file to a temporary location, printing it, then deleting it. After the temporary file is deleted, the data still exists on disk. Windows XP spool folder: C:\WINNT\System32\spool\PRINTERS (to find it: click Start, then click Printers and Faxes; on the File menu, click Server Properties; click the Advanced tab)

7 Temporary Internet Files
Internet Explorer stores copies of web pages, images, and media for faster viewing later. Default Windows XP Temporary Internet Files folder: C:\Documents and Settings\fu\Local Settings\Temporary Internet Files (Tools -> General -> Browsing history -> Settings -> View files)

8 Formatting a Disk When a disk is quick formatted, the file table on the disk is cleared, but the data on the disk is left in place Again, similar to deleting all the files on a disk

9 Hiding Folders (DoS/Windows 95)
Create files or directories with non-printable characters [1][2] Example: At a DOS prompt, type the character Alt-255 using the numeric keypad. This will insert a “blank space” character, but it is not an actual space If you show a directory listing, you can see the file/directory exists, but you might not know exactly how many “non-printing” characters exist, or their location within the file name You can still access the directory via the Windows Explorer and similar graphical tools

10 Attributes In Windows, set the “hidden” attribute on a file or directory Can still view files if the “Show hidden files and folders” option is checked in Windows Explorer Other tools may or may not display hidden files

11 Hiding Folders (Unix) In Unix, rename a file or directory so that its name starts with a "." Example: mv important.doc .important.doc Can still be viewed by listing all files: "ls -a" A Linux system for you to play with: putty - mercury.cs.uml.edu user ???; passwd ???
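A reviewer's check for the two tricks on slides 9 and 11, as an added Python example that is not part of the slides: it flags directory entries whose names contain blank-looking or non-printing characters, and Unix dot-files. The CP437 mapping of the DOS Alt-255 character to U+00A0 NO-BREAK SPACE is an assumption stated in the code; the listing is constructed.

```python
import unicodedata

# Added example, not from the slides. Flags directory names that a listing
# renders as blank or invisible (the slide's Alt-255 "blank space" trick) and
# Unix dot-files. Assumption: DOS Alt-255 is code page 437 byte 0xFF, which
# Python's cp437 codec decodes to U+00A0 NO-BREAK SPACE.


def odd_chars(name):
    """[(index, 'U+XXXX', unicode name)] for characters that print as blank or not at all."""
    found = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        # Zs: space separators other than the ordinary space; Cc: control; Cf: format
        if (cat == "Zs" and ch != " ") or cat in ("Cc", "Cf"):
            found.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "?")))
    return found


def review_listing(names):
    """name -> list of reasons it deserves a closer look (empty list = nothing odd)."""
    report = {}
    for n in names:
        reasons = []
        if n.startswith(".") and n not in (".", ".."):
            reasons.append("dot-file (hidden from a plain ls)")
        if n != n.strip():
            reasons.append("leading/trailing whitespace")
        for i, cp, uname in odd_chars(n):
            reasons.append(f"{uname} ({cp}) at position {i}")
        report[n] = reasons
    return report


# Constructed listing: a normal file, the slide's renamed dot-file, a DOS name
# ending in Alt-255, a name with a zero-width character, and a normal directory.
SAMPLE_LISTING = [
    "important.doc",
    ".important.doc",
    b"SECRET\xff".decode("cp437"),
    "report\u200b.txt",
    "Documents",
]

if __name__ == "__main__":
    for name, reasons in review_listing(SAMPLE_LISTING).items():
        print(repr(name), "->", "; ".join(reasons) or "ok")
```

Printing names with `repr()` rather than bare, as the demo does, is the practical half of the check: it shows the escaped code point instead of the blank the trick relies on.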

12 Swap Space Swap Space (also called a page file) is used to increase the amount of memory available to the system The total memory available (real RAM and the swap space) is called virtual memory Information is constantly being written to memory, and therefore to the hard disk Information can then be extracted from this file

13 Core Dumps Core dumps are created on Unix systems when a process or program generates a fault The core dump will contain all the data from CPU registers and memory at the time of the fault Information can then be extracted from core dump

14 RAM Slack
Diagram: cluster size = 8 sectors; the file ends partway through the last sector of cluster 2. RAM slack is the area from the end of the file to the end of that sector; it comes from RAM.
File slack potentially contains randomly selected bytes of data from computer memory. This happens because DOS/Windows normally writes in 512 byte blocks called sectors. Clusters are made up of blocks of sectors. If there is not enough data in the file to fill the last sector in a file, DOS/Windows makes up the difference by padding the remaining space with data from the memory buffers of the operating system. This randomly selected data from memory is called RAM slack because it comes from the memory of the computer. RAM slack can contain any information that may have been created, viewed, modified, downloaded or copied during work sessions that have occurred since the computer was last booted. Thus, if the computer has not been shut down for several days, the data stored in file slack can come from work sessions that occurred in the past.

15 Residual Data Slack
Diagram: cluster size = 8 sectors; after the RAM slack in the file's last sector, the remaining sectors of cluster 2 are residual slack. Residual data slack is the area from the end of RAM slack to the end of the cluster: whatever was on the media before.
RAM slack pertains only to the last sector of a file. If additional sectors are needed to round out the block size for the last cluster assigned to the file, then a different type of slack is created. It is called drive slack and it is stored in the remaining sectors which might be needed by the operating system to derive the size needed to create the last cluster assigned to the file. Unlike RAM slack, which comes from memory, drive slack is padded with what was stored on the storage device before. Such data could contain remnants of previously deleted files or data from the format pattern associated with disk storage space that has yet to be used by the computer. NTI devotes quite a bit of time to the topic of file slack in its popular 5-Day Computer Forensics Course.

16 Slack Space A cluster is the smallest logical allocation unit
A sector is the smallest physical allocation unit. When files are deleted, both the deleted data and the data in slack space still exist. When a file is wiped from the system (permanently removed), any data in the slack space still exists. Wipe tool: EZ Wipe. The data in the slack space will only be removed when it is overwritten, or when it is explicitly removed. A list of tools: Eraser, etc.
It is important that you understand the significance of file slack in computer-related investigations. Because file slack potentially contains data dumped randomly from the computer's memory, it is possible to identify network logon names, passwords and other sensitive information associated with computer usage. File slack can also be analyzed to identify prior uses of the subject computer, and such legacy data can help the computer forensics investigator. File slack is not a trivial item. On large hard disk drives, file slack can involve several hundred megabytes of data. Fragments of prior messages and word processing documents can be found in file slack. From a computer forensic standpoint, file slack is very important as both a source of computer evidence and a security risk.

17 FTK Imager to Check Deleted Files
File -> Add Evidence Item -> Physical Drive In class exercise Create a file Delete the file and empty recycler Use FTK imager to load the drive and check the

18 Outline More on recovering secret data FAT file system
Write Delete Reformat Windows registry NTFS file system

19 What areas change when a FILE is written?
Writing a file. Diagram of the partition layout used on the following slides: MBR; Reserved Area (VBR: Volume Boot Record); FAT1; FAT2; Root directory; data area. The FAT and directory table descriptions on this slide are repeated on slides 20 and 21.

20 File Allocation Table (FAT)
A list of entries that map to each cluster on the partition. Each entry records one of five things: the address of the next cluster in a chain a special end of file (EOF) character that indicates the end of a chain a special character to mark a bad cluster a special character to mark a reserved cluster a zero to note that that cluster is unused

21 Directory Table A special type of file that represents a directory (nowadays commonly known as a folder) Each file or directory stored within it is represented by a 32 byte entry in the table. Each entry records name, extension, attributes (archive, directory, hidden, read-only, system and volume), the date and time of creation, the address of the first cluster of the file/directory's data and finally the size of the file/directory. Aside from the Root Directory Table in FAT12 and FAT16 file systems which occupies the special Root Directory Region location, all Directory Tables are stored in the Data Region

22 What areas change when a FILE is written? Directory entry is created
Writing a file: a directory entry for FILE (Filename, Start Cluster, Size) is created in a previously unused directory entry of the root directory.

23 What areas change when a FILE is written? FATs are updated
Writing a file: FAT1 and FAT2 are updated. The diagram shows FAT entries for clusters 2 to 13; the entry for cluster 2 (the file's start cluster) is set to E (end of chain), so the file occupies only that cluster.

24 What areas change when a FILE is written? FILE contents written to data area
Writing a file: the file contents are written to the data area (cluster 2).

25 What areas change when a FILE is deleted?
Deleting a file. Same partition layout: MBR; Reserved Area (VBR); FAT1; FAT2; Root directory; data area.

26 First character of the Directory entry is changed to 0xE5
Deleting a file: the directory entry FILE becomes [E5]ILE (only the first byte of the name is replaced with 0xE5); the Start Cluster and Size fields are kept.

27 FAT entries are zeroed
Deleting a file: the FAT entries for the file's clusters (cluster 2, previously E) are set to zero in FAT1 and FAT2, the marker for an unused cluster. The directory entry still reads [E5]ILE.

28 Deleting a file: Data area is not changed!
The directory entry [E5]ILE still shows Start Cluster 2 and Size 1024; the FAT entries are zeroed; the data area is not changed.

29 What areas change when a partition is reformatted?
Reformatting (DOS 6.22). Same partition layout: MBR; Reserved Area (VBR); FAT1; FAT2; Root directory; data area.

30 Three areas change when a partition is reformatted
Reformatting: (1) Root Directory entries are zeroed (Filename, Start Cluster, Size become unused directory entries).

31 Three areas change when a partition is reformatted
Reformatting: (2) FAT entries are zeroed (clusters 2 to 13 in the diagram, in FAT1 and FAT2).

32 Three areas change when a partition is reformatted
Reformatting: (3) The Boot Record is written.

33 Reformatting: Data area is not changed
Root directory entries zeroed, FAT entries zeroed, Boot Record written; the data area is not changed.
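The write, delete and recover sequence of slides 22 to 33, and the residual slack of slides 15 and 16, as an added Python example that is not part of the slides. It builds a toy in-memory FAT16-style volume (constructed geometry: 512-byte sectors, 2 sectors per cluster, 16 data clusters, 16 root entries) using the standard 32-byte directory entry layout (name at 0, attributes at 11, first cluster at 26, size at 28). It does not model RAM slack, only what the previous contents of a cluster leave behind.

```python
import struct

# Added example, not from the slides: a tiny in-memory FAT16-style volume
# (reserved area, FAT1, FAT2, root directory, data area). Geometry and file
# contents are constructed; the directory entry layout is the standard one.
SECTOR = 512
SECTORS_PER_CLUSTER = 2
CLUSTER = SECTOR * SECTORS_PER_CLUSTER      # 1024 bytes per cluster
N_CLUSTERS = 16                             # data clusters are numbered 2 .. 17
ROOT_ENTRIES = 16                           # 32-byte root directory entries
FAT_FREE, FAT_EOF = 0x0000, 0xFFFF          # zero = unused cluster, 0xFFFF = end of chain


class ToyFat16:
    def __init__(self):
        self.reserved = bytearray(SECTOR)              # VBR would live here
        self.fat = [FAT_FREE] * (N_CLUSTERS + 2)       # entries 0 and 1 are reserved
        self.fat[0], self.fat[1] = 0xFFF8, 0xFFFF
        self.fat2 = list(self.fat)                     # second copy of the FAT
        self.root = bytearray(32 * ROOT_ENTRIES)
        self.data = bytearray(CLUSTER * N_CLUSTERS)

    def _data_offset(self, cluster):
        return (cluster - 2) * CLUSTER

    def _find_entry(self, name83):
        key = name83.encode("ascii")
        for off in range(0, len(self.root), 32):
            if bytes(self.root[off:off + 11]) == key:
                return off
        raise FileNotFoundError(name83)

    def write_file(self, name83, payload):
        """name83 is the 11-byte space-padded 8.3 name, e.g. 'FILE    TXT'."""
        needed = max(1, -(-len(payload) // CLUSTER))       # ceiling division
        free = [c for c in range(2, N_CLUSTERS + 2) if self.fat[c] == FAT_FREE]
        if len(free) < needed:
            raise OSError("disk full")
        chain = free[:needed]
        # FATs are updated: each cluster points to the next, the last one is EOF
        for i, c in enumerate(chain):
            self.fat[c] = chain[i + 1] if i + 1 < needed else FAT_EOF
        self.fat2 = list(self.fat)
        # Contents written to the data area; whatever was in the last cluster
        # after the end of the payload is left as it was (residual slack)
        for i, c in enumerate(chain):
            chunk = payload[i * CLUSTER:(i + 1) * CLUSTER]
            start = self._data_offset(c)
            self.data[start:start + len(chunk)] = chunk
        # Directory entry created in the first never-used (0x00) or deleted (0xE5) slot:
        # name(11) attr(1) timestamps etc.(14) first cluster(2) size(4)
        for off in range(0, len(self.root), 32):
            if self.root[off] in (0x00, 0xE5):
                self.root[off:off + 32] = struct.pack(
                    "<11sB14xHI", name83.encode("ascii"), 0x20, chain[0], len(payload))
                return chain
        raise OSError("root directory full")

    def delete_file(self, name83):
        off = self._find_entry(name83)
        start, _size = struct.unpack_from("<HI", self.root, off + 26)
        c = start
        while c not in (FAT_FREE, FAT_EOF):        # FAT entries are zeroed along the chain
            nxt = self.fat[c]
            self.fat[c] = FAT_FREE
            c = nxt
        self.fat2 = list(self.fat)
        self.root[off] = 0xE5                      # only the first byte of the name changes
        # the data area is not touched

    def deleted_entries(self):
        """Entries whose first byte is 0xE5: (remaining 10 name bytes, start cluster, size)."""
        out = []
        for off in range(0, len(self.root), 32):
            if self.root[off] == 0xE5:
                start, size = struct.unpack_from("<HI", self.root, off + 26)
                out.append((bytes(self.root[off + 1:off + 11]), start, size))
        return out

    def carve(self, start, size):
        """Recover a deleted file from its start cluster and size. The FAT chain is
        gone, so this assumes the clusters were contiguous, the usual assumption."""
        s = self._data_offset(start)
        return bytes(self.data[s:s + size])

    def slack(self, name83):
        """Bytes in the file's last cluster beyond the end of the file."""
        off = self._find_entry(name83)
        c, size = struct.unpack_from("<HI", self.root, off + 26)
        while self.fat[c] != FAT_EOF:
            c = self.fat[c]
        used = size % CLUSTER or CLUSTER
        s = self._data_offset(c)
        return bytes(self.data[s + used:s + CLUSTER])


if __name__ == "__main__":
    v = ToyFat16()
    v.write_file("FILE    TXT", b"A" * 1024)
    v.delete_file("FILE    TXT")
    print("deleted entries:", v.deleted_entries())            # [(b'ILE    TXT', 2, 1024)]
    print("carved:", v.carve(2, 1024)[:8], "...")
    v.write_file("NEW     TXT", b"B" * 100)                   # reuses cluster 2 and the slot
    print("slack of NEW.TXT holds", len(v.slack("NEW     TXT")), "bytes of the old file")
```

The last two lines of the demo are the slack lesson: the new 100-byte file reuses cluster 2 and its directory slot, so `deleted_entries()` now finds nothing, but 924 bytes of the deleted file survive in the new file's slack until something overwrites them.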

34 Outline More on recovering secret data FAT file system
Windows registry NTFS file system

35 Windows Registry What is it:
A central hierarchical database to store information necessary to configure the system for one or more users, applications and hardware devices Replaces AUTOEXEC.BAT, CONFIG.SYS and INI files First introduced in Windows 3.1 for storing OLE Settings (pre 1995) View Windows Registry: regedit or Ice Sword OLE: Object Linking and Embedding

36 Windows Registry There are five root keys HKEY_CLASSES_ROOT (HKCR)
HKEY_CURRENT_USER (HKCU) HKEY_LOCAL_MACHINE (HKLM) HKEY_USERS (HKU) HKEY_CURRENT_CONFIG (HKCC)

37 Two are "Master" keys
HKEY_LOCAL_MACHINE (HKLM): configuration data describing hardware and software installed on the computer
HKEY_USERS (HKU): configuration data for each user that logs into the computer

38 Three are derived from "Master" keys (Architecture)
HKEY_CLASSES_ROOT: file associations and OLE
HKEY_CURRENT_USER: currently logged on user
HKEY_CURRENT_CONFIG: current hardware profile
OLE: Abbreviation of Object Linking and Embedding, pronounced as separate letters or as oh-leh. OLE is a compound document standard developed by Microsoft Corporation. It enables you to create objects with one application and then link or embed them in a second application. Embedded objects retain their original format and links to the application that created them.

39 HKEY_CLASSES_ROOT File Associations and OLE From HKLM\Software\Classes

40 HKEY_CURRENT_USER Currently logged on user
HKEY_CURRENT_USER Currently logged on user From HKU\SID (security identifier) of current user User vs SID: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList Because Windows NT/2000/XP networks use each computer's SID (Security Identifier) and computer name to uniquely identify the computer on the network, you must change the SID and computer name on each destination (client) computer after cloning. Computers that run the Windows XP operating system use a security ID (SID) as a unique identifier. If you use disk-duplication software, you must ensure the uniqueness of these security IDs. When Windows XP is installed, a machine SID is configured to contain a statistically unique 96-bit number. The machine SID prefixes the SIDs of user accounts and group accounts that are created on the computer. The machine SID is concatenated with the relative ID (RID) of the account to create the account's unique identifier.

41 HKEY_CURRENT_CONFIG Current hardware profile
From HKLM\System\CurrentControlSet\Hardware Profiles\Current

42 Windows Registry Wealth of investigative information Registered Owner
Registered Organization Shutdown Time Recent DOCs Most Recent Used (MRU) List Typed URLs Previous Devices Mounted Software Installed

43 Registry Tools
Registry Reader: AccessData; EnCase; Windows Regedit and Regedt32; freeware tools
Never work on the original: make a copy

44 Registry Locations See system files: File Explorer -> Tools -> Folder Options -> View
Windows NT, 2000, XP, and Server 2003. The following Registry files are stored in %SystemRoot%\System32\Config\:
Sam - HKEY_LOCAL_MACHINE\SAM
Security - HKEY_LOCAL_MACHINE\SECURITY
Software - HKEY_LOCAL_MACHINE\SOFTWARE
System - HKEY_LOCAL_MACHINE\SYSTEM
Default - HKEY_USERS\.DEFAULT
The following files are stored in each user's profile folder:
%UserProfile%\Ntuser.dat - HKEY_USERS\<User SID>
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\Usrclass.dat (path is localized) - HKEY_USERS\<User SID>_Classes
Windows 95, 98, and Me: the registry files are named User.dat and System.dat and are stored in the C:\WINDOWS\ directory. In Windows Me, Classes.dat was added.
Windows 3.11: the registry file is called Reg.dat and is stored in the C:\WINDOWS\ directory.

45 Outline More on recovering secret data FAT file system
Windows registry NTFS file system

46 NTFS Each system component is a file, even system information
The most important file on NTFS is named MFT (Master File Table), the common table of files: a centralized directory of all remaining disk files and of itself. It is divided into records of fixed size (usually 1 KB); each record corresponds to some file. The first 16 files are housekeeping files with a fixed position, and they are inaccessible to the operating system's normal file access; they are named metafiles, and the very first metafile is MFT itself. For reliability, a second copy of the first 3 records is stored exactly in the middle of the disk. The rest of the MFT file can be stored, like any other file, anywhere on the disk.

47 NTFS MFT is divided into records of fixed size (usually 1 KB)
Diagram: Master Boot Record, Volume Boot Record, MFT area. The NTFS file system is a distinguished achievement of structuring: each system component is a file, even system information. The most important file on NTFS is named MFT, or Master File Table, the common table of files. It is situated in the MFT area and is the centralized directory of all remaining disk files and of itself. MFT is divided into records of fixed size (usually 1 KB), and each record corresponds to some file. The first 16 files are housekeeping files and are inaccessible to the operating system's normal file access. They are named metafiles, and the very first metafile is MFT itself. These first 16 MFT elements are the only part of the disk with a fixed position. It is interesting that a second copy of the first 3 records is stored exactly in the middle of the disk, for reliability (they are very important). The rest of the MFT file can be stored, like any other file, anywhere on the disk. Its position can be re-established with its own help, using the first MFT element as the basis.

48 NTFS System Files (Metadata Files)
Description            File name   MFT record   Purpose of the file
Master file table      $Mft        0            Contains one base file record
Master file table 2    $MftMirr    1            A duplicate image of the first three records of the MFT
Log file               $LogFile    2            Contains a list of transaction steps used for NTFS recoverability
Volume                 $Volume     3            Contains information about the volume
Attribute definitions  $AttrDef    4            A table of attribute names, numbers, and descriptions
Root file name index   $           5            The root folder
Cluster bitmap         $Bitmap     6            A representation of the volume showing which clusters are in use (one bit refers to one cluster)
Boot sector            $Boot       7            Includes the BIOS Parameter Block (BPB)
Bad cluster file       $BadClus    8            Contains bad clusters for the volume
Security file          $Secure     9            Contains unique security descriptors for all files within a volume
Upcase table           $Upcase     10           Converts lowercase characters to matching Unicode uppercase characters
NTFS extension file    $Extend     11           Used for various optional extensions
                                   12-15        Reserved for future use
BIOS Parameter Block (BPB): a description of the physical medium (hard disk or floppy) that might be stored in a partition's Volume Boot Record.

49 NTFS File Attributes (Attribute Type: Description)
Standard Information: includes information such as timestamps and link count.
Attribute List: lists the location of all attribute records that do not fit in the MFT record.
File Name: a repeatable attribute for both long and short file names. The long name of the file can be up to 255 Unicode characters. The short name is the 8.3, case-insensitive name for the file. Additional names, or hard links, required by POSIX can be included as additional file name attributes.
Security Descriptor: describes who owns the file and who can access it.
Data: contains file data. The $DATA attribute describes "data runs", the clusters used by the file.
Object ID: a volume-unique file identifier. Used by the distributed link tracking service. Not all files have object identifiers.
Logged Utility Stream: similar to a data stream, but operations are logged to the NTFS log file just like NTFS metadata changes. This is used by EFS.
Reparse Point: used for volume mount points. They are also used by Installable File System (IFS) filter drivers to mark certain files as special to that driver.
Index Root: used to implement folders and other indexes.
Index Allocation
Bitmap
Volume Information: used only in the $Volume system file. Contains the volume version.
Volume Name: used only in the $Volume system file. Contains the volume label.

50 Storing Files in NTFS $LogFile metadata file is updated
Transaction steps are logged Used to “roll back” if necessary

51 Deleted File
Parent directory: index entry removed; $BITMAP attribute updated* (*if $BITMAP is being utilized due to a large directory MFT record).
MFT: file record marked available; MFT $BITMAP attribute updated.
$Bitmap metadata file updated if the file had non-resident clusters.
Resident: the file's data is stored within the MFT record. Non-resident: the data cannot be stored within the MFT record.
Data still there until overwritten.

52 Deleted File (Cont.) Index entry removed
MFT records in the example (record number, type, [parent record]):
6    File Record ($BITMAP)
213  File Record
214  Directory Record (MYFILES): index entries README.TXT, MYFILE.HLP, SYSTEM.DLL
215  File Record (README.TXT) [214]
216  File Record (MYFILE.HLP) [214]
217  File Record (SYSTEM.DLL) [214]
218  Directory Record (Recycler): index entry (S xxxxxx)
219  Directory Record (S xxxxxx) [218]
221
When README.TXT is deleted, its index entry is removed from directory record 214.

53 Deleted File (Cont.) MFT record marked available
File record 215 (README.TXT) is marked available: offset 0x16 of the record is changed to 0x00.

54 $MFT Attribute Updated
The $MFT file record consists of the File Record Header and the $STANDARD_INFORMATION, $DATA and $BITMAP attributes. The $BITMAP attribute follows suit with the MFT entries: a one represents a used entry. In the example, the first 16 entries are in use, the next 8 are not in use, and so on. Notice the 5th byte: the bytes are read from right to left (least significant bit first), so the 33rd MFT entry is in use.

55 File Deleted $Bitmap updated
The volume $Bitmap is updated to reflect that the clusters are available. Note that the MFT $BITMAP attribute is also updated to reflect that the MFT record entry (215, README.TXT) is available.
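The two MFT-side traces from slides 53 and 54 in code, as an added Python example that is not part of the slides: reading the in-use flag at offset 0x16 of a FILE record and the bit order of the $MFT $BITMAP attribute, then combining them to list deleted-but-still-readable records. The FILE record header offsets used (magic at 0, flags at 0x16) are the standard NTFS layout; the records and the bitmap bytes FF FF 00 00 01 are constructed to match the slide's description.

```python
import struct

# Added example, not from the slides. When an NTFS file is deleted, the in-use
# flag at offset 0x16 of its FILE record is cleared and the matching bit in
# $MFT's $BITMAP attribute is cleared. Header offsets are the standard NTFS
# FILE record layout; the sample records and bitmap are constructed.
RECORD_SIZE = 1024                     # MFT records are usually 1 KB (slide 46)
FLAG_IN_USE, FLAG_DIRECTORY = 0x0001, 0x0002


def make_record(in_use, directory=False):
    """Minimal constructed FILE record: only the header fields read below are meaningful."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x14, 0x38)      # offset of the first attribute (typical value)
    flags = (FLAG_IN_USE if in_use else 0) | (FLAG_DIRECTORY if directory else 0)
    struct.pack_into("<H", rec, 0x16, flags)
    return bytes(rec)


def record_state(rec):
    """None for a record that was never written (no 'FILE' magic), else its flags."""
    if rec[0:4] != b"FILE":
        return None
    flags = struct.unpack_from("<H", rec, 0x16)[0]
    return {"in_use": bool(flags & FLAG_IN_USE), "directory": bool(flags & FLAG_DIRECTORY)}


def bitmap_in_use(bitmap, entry):
    """The bit for MFT entry n is bit n % 8 of byte n // 8, counted from the least
    significant bit: this is what the slide calls reading the bytes right to left."""
    return bool((bitmap[entry // 8] >> (entry % 8)) & 1)


def in_use_entries(bitmap):
    return [n for n in range(len(bitmap) * 8) if bitmap_in_use(bitmap, n)]


def find_deleted_records(mft, bitmap):
    """Records that still carry the FILE magic but are flagged not in use and have a
    0 bit in $BITMAP: deleted files whose metadata has not been overwritten yet."""
    found = []
    for n in range(len(mft) // RECORD_SIZE):
        state = record_state(mft[n * RECORD_SIZE:(n + 1) * RECORD_SIZE])
        if state is not None and not state["in_use"] and not bitmap_in_use(bitmap, n):
            found.append(n)
    return found


def inconsistencies(mft, bitmap):
    """Entries where the record flag and the $BITMAP bit disagree: a sign of damage,
    tampering, or a change caught between the two updates."""
    bad = []
    for n in range(len(mft) // RECORD_SIZE):
        state = record_state(mft[n * RECORD_SIZE:(n + 1) * RECORD_SIZE])
        flagged = bool(state and state["in_use"])
        if flagged != bitmap_in_use(bitmap, n):
            bad.append(n)
    return bad


# Constructed $BITMAP from slide 54: FF FF 00 00 01 -> entries 0-15 and 32 in use.
SAMPLE_BITMAP = bytes([0xFF, 0xFF, 0x00, 0x00, 0x01])


def build_sample_mft():
    """40 constructed records matching SAMPLE_BITMAP: 0-15 live (5 is the root
    directory), 16-23 deleted but not overwritten, 24-31 and 33-39 never used, 32 live."""
    recs = []
    for n in range(40):
        if n < 16 or n == 32:
            recs.append(make_record(True, directory=(n == 5)))
        elif 16 <= n < 24:
            recs.append(make_record(False))
        else:
            recs.append(bytes(RECORD_SIZE))
    return b"".join(recs)


if __name__ == "__main__":
    mft = build_sample_mft()
    print("in use per $BITMAP:", in_use_entries(SAMPLE_BITMAP))
    print("deleted, still readable:", find_deleted_records(mft, SAMPLE_BITMAP))
    print("flag/bitmap disagreements:", inconsistencies(mft, SAMPLE_BITMAP))
```

Records 24 to 31 are reported neither as live nor as deleted: their bit is 0 but they carry no FILE magic, so there is nothing to recover from them, which is the difference between "never allocated" and "deleted" that the slides' diagrams illustrate.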

56 Recovering Deleted Files
Software Tools FTK Toolkits GetDataback (Runtime) R-studio CIA Unerase Etc List tested tools here with web site info

57 Deleted vs “Recycled” Deleted or “Recycled” Sent to Recycle Bin
Deleted from the Recycle Bin Deleted bypassing the Recycle Bin – shift+del

58 Win2K/XP Recycle Bin "Recycler" Folder for NTFS
Configure Explorer to show hidden and system files. The SID-named subdirectory contains: INFO2; Desktop.ini; placeholder(s). Use FTK Imager to load the Recycler folder for viewing.
Drop the NT4 references (INFO); just put that info into notes.
INFO for NT4: the NT Recycle Bin is very similar to the Win9x/ME Recycle Bin. When an object is sent to the recycle bin, the MFT record for the deleted object is simply changed. The $Filename attribute is changed to: (1) change the filename to the placeholder name that appears in the recycle bin (placeholder format: D + drive letter + #); (2) change the record number of the parent directory from the old parent directory to the SID-named directory in the Recycler directory. In the original parent directory for that object, the index entry is removed (the data in that index entry may or may not actually get overwritten, depending on a number of factors). Placeholder numbering starts at 0 for NT4 (INFO) and at 1 for W2K (INFO2). For every recycled object, an 800-byte entry is made in the INFO/INFO2 file.
Restore / Delete from Bin / Empty Bin: the operation varies slightly between the INFO and INFO2 file. In NT4 (INFO), the index entry for the deleted file or directory is marked available in the parent directory's MFT record when it is sent to the bin.
Object restored: the placeholder is renamed back to its original name and pointed at its original parent directory. Index entry created in parent directory. Index entry in SID-named directory removed. INFO entry is removed, INFO resized.
Object deleted: placeholder MFT record marked deleted. INFO entry removed, INFO resized. $Bitmap metafile updated to reflect any non-resident clusters available.
Recycle Bin emptied: INFO and placeholders deleted, desktop.ini re-written.
INFO2: same as above except: Object deleted from Bin: same as INFO except INFO2 not resized. Object restored: same as INFO except INFO2 not resized. Recycle Bin emptied: same as INFO except INFO2 is RE-WRITTEN to 20 bytes instead of deleted. Because it is re-written, RAM slack will overwrite some of the data. The 800-byte entries in INFO and INFO2 are all non-resident.

59 NTFS Recycle Bin Called “recycled” in FAT32 partition
No SID folders in FAT32 Partition

60 Placeholder(s) Entry for each deleted item:
Hidden from view in GUI environment Date & time unchanged from original file If a subdirectory is deleted only one placeholder is made *

61 Placeholder(s) DC1.TXT DC2.JPG DC3.BMP
D<original drive letter><#>.<original extension> DC1.TXT DC2.JPG DC3.BMP Number system begins at boot up – based on the highest number currently in the info2 file. The numbering system resets to one when the recycle bin is emptied and after reboot. For every deleted file, a “placeholder” is created in the recycled folder. Each placeholder actually IS the “deleted” file, hidden and renamed. The naming convention keeps the original extension (if present), the first character of the filename becomes “D”, the second character becomes the letter of the drive that the file was deleted from, followed by a sequential number (beginning with ‘1’). For example, the first file deleted from the C: drive (TEST1.TXT) would become: DC1.TXT Subsequent deleted files from the C: drive would become DC2, DC3 etc with the same extension as the original file prior to deletion.

62 INFO2 File An 800-byte entry is made for each recycled object
Each entry records: recycled date; original path and filename; placeholder drive letter and #. The INFO2 file is rewritten to 20 bytes when the recycle bin is emptied. The first 20 bytes are the header of the INFO2 file. Each entry is 800 bytes in length.
Structure of INFO2 entries:
Bytes       Length      Description
000 - 258   Variable    Char path and file name (ASCII); remaining bytes unknown, testing has not produced any values other than 00h
260 - 263   4 bytes     Long: index number
264 - 267   4 bytes     Long: drive letter (numeric, starting with A = 0, B = 1, etc.)
268 - 275   8 bytes     Date/time of deletion, in GMT
276 - 279   4 bytes     Unknown
280 - 797               Unicode char path and file name
798 - 799               Unknown; testing has not produced any values other than 00h
NOTE: When an INFO (Windows NT) file is used, only FILES are sent to the bin. If a subdirectory is deleted, an entry is made for each file that was in the subdirectory, containing the full path information necessary to rebuild it. The subdirectory itself is not protected in this case. When an INFO2 file is used and a subdirectory is deleted, only a single entry is made for the subdirectory.

63 INFO2 File (Cont.) Fields marked in the hex view: Record Size (header), Start of the Record, ASCII File Name, Record ID, Deletion Time, Drive Letter, Unicode File Name, File Size

64 Recycled date and time issue
Windows saves time stamps in "FILETIME" format. FILETIME is the number of ticks, in 100 ns increments, since 00:00 1 Jan 1601 (UTC). Recycle Bin tools (X-Ways Trace, IEHistory, Datalifter) will convert the time for you. The date/time the bin was last emptied could be relevant to an investigation. You need to ensure the tool you're using is reporting an accurate date. For example: the suspect's computer is set to Pacific Standard Time (GMT-8). The system clock read The INFO2 file converts that time to GMT. The time is stored in hex as 2100. Your forensic machine is set to Eastern Standard Time (GMT-5). You extract the INFO2 file and process it with IEHistory. IEHistory converts the GMT time to EST. The result is three hours different from the actual time the file was recycled. Therefore, ensure your forensic machine is set to the same time zone as the suspect's machine. This info can be located in the suspect's registry here: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation
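Slides 61 to 64 together, as an added Python example that is not part of the slides: an INFO2 parser that reads the 800-byte entries (offsets as on slide 62, with offset 276 taken as the file size that slide 63 lists), rebuilds the D + drive letter + # placeholder name of slide 61, converts the FILETIME deletion stamp from 100 ns ticks since 1601 to UTC, and then shows the slide 64 problem: the same stamp rendered in the suspect's zone and in the examiner's zone. The 20-byte header layout (record size at offset 12) is an assumption, and the INFO2 file is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example, not from the slides: parse INFO2 entries and convert FILETIME.
# Entry offsets follow slide 62 (ASCII path at 0, index at 260, drive at 264,
# FILETIME at 268, Unicode path at 280); offset 276 is read as the file size
# listed on slide 63. The header layout (record size at offset 12) is assumed.
HEADER_LEN = 20            # slide 62: 20-byte INFO2 header
RECORD_LEN = 800           # slide 62: 800-byte entry per recycled object
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """FILETIME: 100 ns ticks since 1601-01-01 00:00 UTC -> aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_entry(rec):
    ascii_path = rec[:260].split(b"\x00", 1)[0].decode("ascii", "replace")
    index, drive = struct.unpack_from("<II", rec, 260)
    ticks = struct.unpack_from("<Q", rec, 268)[0]
    size = struct.unpack_from("<I", rec, 276)[0]
    upath = rec[280:].decode("utf-16-le", "replace").split("\x00", 1)[0]
    basename = ascii_path.rsplit("\\", 1)[-1]
    ext = ("." + basename.rsplit(".", 1)[1]) if "." in basename else ""
    letter = chr(ord("A") + drive)                 # numeric drive: A = 0, B = 1, ...
    return {
        "index": index,
        "drive": letter,
        "deleted_utc": filetime_to_datetime(ticks),
        "size": size,
        "original_path": upath or ascii_path,
        "placeholder": f"D{letter}{index}{ext}",   # slide 61: D + drive letter + # + original extension
    }


def parse_info2(blob):
    rec_size = struct.unpack_from("<I", blob, 12)[0]       # assumed header field
    return [parse_entry(blob[off:off + rec_size])
            for off in range(HEADER_LEN, len(blob) - rec_size + 1, rec_size)]


def local_view(dt_utc, utc_offset_hours):
    """What a tool shows when it converts the GMT stamp to a machine's local zone."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return dt_utc.astimezone(zone).strftime("%Y-%m-%d %H:%M:%S %z")


def make_entry(path, index, drive, deleted_utc, size):
    """Build one constructed 800-byte entry for the sample file."""
    rec = bytearray(RECORD_LEN)
    rec[:len(path)] = path.encode("ascii")
    struct.pack_into("<IIQI", rec, 260, index, drive, datetime_to_filetime(deleted_utc), size)
    u = path.encode("utf-16-le")
    rec[280:280 + len(u)] = u
    return bytes(rec)


# Constructed INFO2: header (version 5, record size 800) plus two recycled files from C:.
SAMPLE_INFO2 = (
    struct.pack("<IIIII", 5, 0, 0, RECORD_LEN, 0)
    + make_entry(r"C:\Documents and Settings\fu\My Documents\extortion_letter.doc", 1, 2,
                 datetime(2008, 3, 14, 15, 9, 26, tzinfo=timezone.utc), 24576)
    + make_entry(r"C:\Documents and Settings\fu\Desktop\fuzzy_bunny.jpg", 2, 2,
                 datetime(2008, 3, 14, 15, 10, 0, tzinfo=timezone.utc), 4096)
)

if __name__ == "__main__":
    for e in parse_info2(SAMPLE_INFO2):
        print(e["placeholder"], "<-", e["original_path"], e["size"], "bytes")
        print("  deleted (UTC):", e["deleted_utc"].isoformat())
        print("  suspect's PST view:", local_view(e["deleted_utc"], -8))
        print("  examiner's EST view:", local_view(e["deleted_utc"], -5))
```

Keeping the parsed stamp as an aware UTC datetime and converting only for display is the fix the slide asks for: the stored value never changes, and the three-hour discrepancy appears only when a tool silently renders it in the examiner's zone instead of the suspect's.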

65 Desktop.ini A folder configuration file
Created when Recycle Bin is created Only modified if recycle bin is EMPTIED All Date / Time information updated when bin is emptied

66 Recovering From Recycle Bin
When an object is sent to the recycle bin, the MFT record for the deleted object is simply changed. The $Filename attribute is changed to: (1) change the filename to the placeholder name that appears in the recycle bin (placeholder format: D + drive letter + #); (2) change the record number of the parent directory from the old parent directory to the SID-named directory in the Recycler directory.
Copy placeholders to a separate drive. Copy the INFO2 file; use a utility to parse out the date/time data: X-Ways Trace, Datalifter, IEHistory

67 Summary Deleting and formatting on a Hard Drive does not touch the data area Often evidence can be found in deleted files, and the recycle bin System clocks and default timezone settings are very important

68 Review What happens to deleted FAT files What about formatting?
What happens to deleted NTFS files? Recovering deleted files

69 References
Nathan Heald, http://dos.rsvs.net/DOSPAGE/DEBUG.HTM, 2008
IronGeek, ALT+NUMPAD ASCII Key Combos: The α and Ω of Creating Obscure Passwords, 2007
Description of the Microsoft Windows registry, August 12, 2005
Dmitrey Mikhailov, NTFS file system, NTFS - New Technology File System designed for Windows NT, 2000, XP
Brian Mork, Destroying Data on Magnetic Disks - Linux or Windows, 2005
How the Recycle Bin Stores Files, December 16, 2004
The Mysterious Recycle Bin
Anders Svensson, Computer Forensics Applied to Windows NTFS Systems, April 2005
Keith J. Jones, Forensic Analysis of Microsoft Windows Recycle Bin Records, 5/6/03
