Computer & Network Forensics


91.580.203 Computer & Network Forensics Xinwen Fu Chapter 7/8 File Systems - Supplementary Materials

Outline
- More on recovering secret data
  - Rename files/directories
  - Delete files/directories
  - Copy files/directories
  - Print files
  - Format a disk
- FAT file system
- Windows registry
- NTFS file system

Renaming Files
- Rename files and/or file extensions
- Example: rename extortion_letter.doc to fuzzy_bunny.jpg
- People looking for incriminating evidence probably won't check a picture file called fuzzy_bunny.jpg

Rename Files (Cont.)
- The file header implies the real file type
- Check the real file type with a hex editor (WinHex or XVI32)
- File type signatures: 424D = .bmp, D0CF = .doc

Copying Files
- Scenario #1: copying a file to a floppy disk or hard disk. If you run out of space, the pointer to the file is removed, but the data that was already copied to the sectors is left in place.
- Scenario #2: the computer crashes while copying a file. Again, the file contents copied to the unallocated sectors will exist, but the pointer to the data will not have been created.

Printing a File
- When a file is printed, it is spooled to the hard disk before it is printed
- Spooling involves copying the file to a temporary location, printing it, then deleting it
- After the temporary file is deleted, the data still exists on disk
- Windows XP spool folder: C:\WINNT\System32\spool\PRINTERS
- To find it: click Start, then Printers and Faxes; on the File menu click Server Properties; click the Advanced tab

Temporary Internet Files
- Internet Explorer stores copies of web pages, images, and media for faster viewing later
- Default Windows XP Temporary Internet Files folder: C:\Documents and Settings\fu\Local Settings\Temporary Internet Files
- Tools -> General -> Browsing history -> Settings -> View files

Formatting a Disk
- When a disk is quick formatted, the file table on the disk is cleared, but the data on the disk is left in place
- Again, this is similar to deleting all the files on the disk

Hiding Folders (DOS/Windows 95)
- Create files or directories with non-printable characters [1][2]
- Example: at a DOS prompt, type the character Alt-255 using the numeric keypad. This inserts a "blank space" character, but it is not an actual space
- In a directory listing you can see that the file/directory exists, but you might not know how many "non-printing" characters there are, or where they sit within the file name
- You can still access the directory via Windows Explorer and similar graphical tools

Attributes
- In Windows, set the "hidden" attribute on a file or directory
- Files can still be viewed if the "Show hidden files and folders" option is checked in Windows Explorer
- Other tools may or may not display hidden files

Hiding Folders (Unix)
- In Unix, rename a file or directory so that its name starts with a "."
- Example: mv important.doc .important.doc
- Can still be viewed by listing all files: "ls -a"
- A Linux system for you to play with: putty – mercury.cs.uml.edu, user ???; passwd ???

Swap Space
- Swap space (also called a page file) is used to increase the amount of memory available to the system
- The total memory available (real RAM plus the swap space) is called virtual memory
- Information is constantly being written to memory, and therefore to the hard disk
- Information can then be extracted from this file

Core Dumps
- Core dumps are created on Unix systems when a process or program generates a fault
- The core dump contains all the data from the CPU registers and memory at the time of the fault
- Information can then be extracted from the core dump

RAM Slack
[Diagram: cluster size = 8 sectors; the file occupies cluster 2; RAM slack is the area from the end of the file to the end of that sector, and it comes from RAM]
File slack potentially contains randomly selected bytes of data from computer memory. This happens because DOS/Windows normally writes in 512-byte blocks called sectors. Clusters are made up of blocks of sectors. If there is not enough data in the file to fill the last sector in a file, DOS/Windows makes up the difference by padding the remaining space with data from the memory buffers of the operating system. This randomly selected data from memory is called RAM slack because it comes from the memory of the computer. RAM slack can contain any information that may have been created, viewed, modified, downloaded or copied during work sessions that have occurred since the computer was last booted. Thus, if the computer has not been shut down for several days, the data stored in file slack can come from work sessions that occurred in the past.
Source: http://www.forensics-intl.com/def6.html

Residual Data Slack
[Diagram: cluster size = 8 sectors; the file occupies cluster 2; residual data slack is the area from the end of RAM slack to the end of the cluster, i.e. whatever was on the media before]
RAM slack pertains only to the last sector of a file. If additional sectors are needed to round out the block size for the last cluster assigned to the file, then a different type of slack is created. It is called drive slack and it is stored in the remaining sectors which might be needed by the operating system to derive the size needed to create the last cluster assigned to the file. Unlike RAM slack, which comes from memory, drive slack is padded with what was stored on the storage device before. Such data could contain remnants of previously deleted files or data from the format pattern associated with disk storage space that has yet to be used by the computer. NTI devotes quite a bit of time to the topic of file slack in its popular 5-Day Computer Forensics Course.

Slack Space
- A cluster is the smallest logical allocation unit
- A sector is the smallest physical allocation unit
- When files are deleted, both the deleted data and the data in slack space still exist
- When a file is wiped from the system (permanently removed), any data in the slack space still exists. Wipe tool: EZ Wipe
- The data in the slack space is only removed when it is overwritten, or when it is explicitly removed. A list of tools: Eraser, etc.
It is important that you understand the significance of file slack in computer-related investigations. Because file slack potentially contains data dumped randomly from the computer's memory, it is possible to identify network logon names, passwords and other sensitive information associated with computer usage. File slack can also be analyzed to identify prior uses of the subject computer, and such legacy data can help the computer forensics investigator. File slack is not a trivial item. On large hard disk drives, file slack can involve several hundred megabytes of data. Fragments of prior e-mail messages and word processing documents can be found in file slack. From a computer forensic standpoint, file slack is very important both as a source of computer evidence and as a security risk.

FTK Imager to Check Deleted Files
- File -> Add Evidence Item -> Physical Drive
- In-class exercise:
  - Create a file
  - Delete the file and empty the Recycler
  - Use FTK Imager to load the drive and check the

Outline
- More on recovering secret data
- FAT file system
  - Write
  - Delete
  - Reformat
- Windows registry
- NTFS file system

Writing a file: what areas change when a FILE is written?
[Diagram: partition layout with MBR, VBR (Volume Boot Record), Reserved Area, FAT1, FAT2, the root directory (C) and the data area where FILE is stored]

File Allocation Table (FAT)
- A list of entries that map to each cluster on the partition. Each entry records one of five things:
  - the address of the next cluster in a chain
  - a special end of file (EOF) character that indicates the end of a chain
  - a special character to mark a bad cluster
  - a special character to mark a reserved cluster
  - a zero to note that the cluster is unused

Directory Table
- A special type of file that represents a directory (nowadays commonly known as a folder)
- Each file or directory stored within it is represented by a 32-byte entry in the table
- Each entry records the name, extension, attributes (archive, directory, hidden, read-only, system and volume), the date and time of creation, the address of the first cluster of the file/directory's data and finally the size of the file/directory
- Aside from the Root Directory Table in FAT12 and FAT16 file systems, which occupies the special Root Directory Region location, all Directory Tables are stored in the Data Region

Writing a file: what areas change when a FILE is written?
[Diagram: MBR, VBR, Reserved Area, FAT1, FAT2, root directory (C), data area; FAT cluster grid 2–13]
1. A directory entry is created in the root directory: Filename FILE, Start Cluster 2, Size 1024 (the remaining directory entries are unused)
2. The FATs are updated: the entry for cluster 2 is set to E (end of chain); clusters 3–13 stay unused
3. The FILE contents are written to the data area

Deleting a file: what areas change when a FILE is deleted?
[Diagram: same layout as above]
1. The first character of the directory entry is changed to σ (0xE5): the entry now reads "σILE 2 1024"
2. The FAT entries for the file's clusters are zeroed
3. The data area is not changed!

Reformatting (DOS 6.22): what areas change when a partition is reformatted?
[Diagram: same layout as above]
Three areas change when a partition is reformatted:
1. The root directory entries are zeroed
2. The FAT entries are zeroed (clusters 2–13 are all unused afterwards)
3. The boot record is written
The data area is not changed.
Source: http://www.increa.com/articles/DestroyMagneticData/index.htm
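The write, delete and quick-format sequences on the slides above, modelled as an added Python example (not code from the lecture). It assumes a constructed FAT16-style volume with one 512-byte sector per cluster (the slides use 8-sector clusters, so the slides' 1024-byte FILE here spans clusters 2 and 3) and the standard 32-byte directory entry layout; it goes one step beyond the slides by showing why a 0xE5 entry can only be undeleted correctly if the file's clusters were contiguous.

```python
import struct

SECTOR = 512
CLUSTER = SECTOR           # constructed: 1 sector per cluster (the slides use 8)
NUM_CLUSTERS = 16          # clusters 0 and 1 are reserved; data lives in 2..15
FAT_EOF = 0xFFFF           # "E" on the slides: end of cluster chain
FAT_FREE = 0x0000          # zero: cluster unused
DELETED_MARK = 0xE5        # sigma: first byte of a deleted directory entry
ATTR_ARCHIVE = 0x20
ENTRY = "<11sB10sHHHI"     # 32-byte entry: name+ext, attr, reserved, time, date, start, size

class Fat16Volume:
    def __init__(self):
        self.fat = [FAT_FREE] * NUM_CLUSTERS       # FAT1 (FAT2 would be a mirror copy)
        self.fat[0], self.fat[1] = 0xFFF8, 0xFFFF  # media descriptor / reserved entries
        self.root = bytearray(32 * 16)             # root directory: 16 entries
        self.data = bytearray(CLUSTER * NUM_CLUSTERS)

    def entry(self, slot):
        name, attr, _, _, _, start, size = struct.unpack(ENTRY, self.root[slot:slot + 32])
        return name, attr, start, size

    def _free_slot(self):
        for off in range(0, len(self.root), 32):
            if self.root[off] in (0x00, DELETED_MARK):   # unused or deleted: reusable
                return off
        raise OSError("root directory full")

    def write_file(self, name83, payload):
        """Slides: 1. directory entry created, 2. FATs updated, 3. contents written."""
        needed = max(1, -(-len(payload) // CLUSTER))
        chain = [c for c in range(2, NUM_CLUSTERS) if self.fat[c] == FAT_FREE][:needed]
        if len(chain) < needed:
            raise OSError("disk full")
        slot = self._free_slot()
        self.root[slot:slot + 32] = struct.pack(ENTRY, name83, ATTR_ARCHIVE, b"\x00" * 10,
                                                0, 0, chain[0], len(payload))
        for i, c in enumerate(chain):
            self.fat[c] = chain[i + 1] if i + 1 < needed else FAT_EOF
            piece = payload[i * CLUSTER:(i + 1) * CLUSTER]
            # DOS padded a short last sector from memory buffers (RAM slack); zeros here.
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = piece.ljust(CLUSTER, b"\x00")
        return slot

    def delete_file(self, slot):
        """Slides: first byte becomes 0xE5, FAT entries are zeroed, data area untouched."""
        _, _, cluster, _ = self.entry(slot)
        while self.fat[cluster] != FAT_FREE:
            nxt = self.fat[cluster]
            self.fat[cluster] = FAT_FREE
            if nxt == FAT_EOF:
                break
            cluster = nxt
        self.root[slot] = DELETED_MARK

    def quick_format(self):
        """Slides (DOS 6.22): root directory and FATs zeroed, boot record rewritten, data kept."""
        self.root[:] = bytes(len(self.root))
        self.fat = [FAT_FREE] * NUM_CLUSTERS
        self.fat[0], self.fat[1] = 0xFFF8, 0xFFFF

    def carve(self, start, size):
        """Read straight from the data area; the only option after a quick format."""
        return bytes(self.data[start * CLUSTER:start * CLUSTER + size])

    def undelete(self, slot):
        """Unerase from a 0xE5 entry: the chain is gone, so assume contiguous clusters."""
        _, _, start, size = self.entry(slot)
        return self.carve(start, size)

def deleted_entries(vol):
    """Entries a recovery tool lists: first byte 0xE5 (the slides' sigma)."""
    return [off for off in range(0, len(vol.root), 32) if vol.root[off] == DELETED_MARK]

def demo():
    """The slides' FILE: 1024 bytes from cluster 2 (here the chain is 2 -> 3 -> EOF)."""
    vol = Fat16Volume()
    payload = bytes(range(256)) * 4                 # constructed 1024-byte content
    slot = vol.write_file(b"FILE    TXT", payload)  # FILE.TXT in 8.3 form
    chain_before = (vol.fat[2], vol.fat[3])         # (3, 0xFFFF)
    vol.delete_file(slot)
    return vol, slot, payload, chain_before

def fragmentation_demo():
    """Undelete silently fails when the deleted file skipped a cluster owned by another file."""
    vol = Fat16Volume()
    a = vol.write_file(b"A       TXT", b"A" * 100)  # cluster 2
    vol.write_file(b"B       TXT", b"B" * 100)      # cluster 3
    vol.delete_file(a)                              # cluster 2 is free again
    big = b"C" * 1000                               # needs clusters 2 and 4 (3 is B's)
    c = vol.write_file(b"C       TXT", big)
    chain = (vol.fat[2], vol.fat[4])                # (4, 0xFFFF): fragmented
    vol.delete_file(c)
    return chain, vol.undelete(c) == big            # False: recovered copy holds B's data
```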

Outline
- More on recovering secret data
- FAT file system
- Windows registry
- NTFS file system

Windows Registry
- What is it: a central hierarchical database that stores the information necessary to configure the system for one or more users, applications and hardware devices
- Replaces AUTOEXEC.BAT, CONFIG.SYS and INI files
- First introduced in Windows 3.1 for storing OLE settings (pre 1995)
- View the Windows Registry: regedit or IceSword
- OLE: Object Linking and Embedding

Windows Registry
There are five root keys:
- HKEY_CLASSES_ROOT (HKCR)
- HKEY_CURRENT_USER (HKCU)
- HKEY_LOCAL_MACHINE (HKLM)
- HKEY_USERS (HKU)
- HKEY_CURRENT_CONFIG (HKCC)

Two are "Master" keys:
- HKEY_LOCAL_MACHINE (HKLM): configuration data describing the hardware and software installed on the computer
- HKEY_USERS (HKU): configuration data for each user that logs into the computer
IceSword: http://www.antirootkit.com/software/IceSword.htm

Three are derived from the "Master" keys:
- HKEY_CLASSES_ROOT: file associations and OLE
- HKEY_CURRENT_USER: currently logged on user
- HKEY_CURRENT_CONFIG: current hardware profile
OLE: abbreviation of Object Linking and Embedding, pronounced as separate letters or as oh-leh. OLE is a compound document standard developed by Microsoft Corporation. It enables you to create objects with one application and then link or embed them in a second application. Embedded objects retain their original format and links to the application that created them.

HKEY_CLASSES_ROOT
- File associations and OLE
- Derived from HKLM\Software\Classes

HKEY_CURRENT_USER
- Currently logged on user
- Derived from HKU\SID (the security identifier of the current user)
- User vs SID: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
- http://support.microsoft.com/kb/154599
Because Windows NT/2000/XP networks use each computer's SID (Security Identifier) and computer name to uniquely identify the computer on the network, you must change the SID and computer name on each destination (client) computer after cloning. Computers that run the Windows XP operating system use a security ID (SID) as a unique identifier. If you use disk-duplication software, you must ensure the uniqueness of these security IDs. When Windows XP is installed, a machine SID is configured to contain a statistically unique 96-bit number. The machine SID prefixes the SIDs of user accounts and group accounts that are created on the computer. The machine SID is concatenated with the relative ID (RID) of the account to create the account's unique identifier.
http://en.wikipedia.org/wiki/Security_Identifier
http://support.microsoft.com/kb/243330

HKEY_CURRENT_CONFIG
- Current hardware profile
- Derived from HKLM\System\CurrentControlSet\Hardware Profiles\Current

Windows Registry
A wealth of investigative information:
- Registered Owner
- Registered Organization
- Shutdown Time
- Recent DOCs
- Most Recently Used (MRU) List
- Typed URLs
- Previous Devices Mounted
- Software Installed
http://support.microsoft.com/kb/256986/EN-US/

Registry Tools
- Registry Reader: AccessData
- EnCase
- Windows Regedit / Regedt32
- Freeware tools
- Never work on the original: make a copy

Registry Locations
- To see system files: file explorer -> Tools -> Folder Options -> View
Windows NT, 2000, XP, and Server 2003: the following registry files are stored in %SystemRoot%\System32\Config\:
- Sam – HKEY_LOCAL_MACHINE\SAM
- Security – HKEY_LOCAL_MACHINE\SECURITY
- Software – HKEY_LOCAL_MACHINE\SOFTWARE
- System – HKEY_LOCAL_MACHINE\SYSTEM
- Default – HKEY_USERS\.DEFAULT
The following files are stored in each user's profile folder:
- %UserProfile%\Ntuser.dat – HKEY_USERS\<User SID>
- %UserProfile%\Local Settings\Application Data\Microsoft\Windows\Usrclass.dat (path is localized) – HKEY_USERS\<User SID>_Classes
Windows 95, 98, and Me: the registry files are named User.dat and System.dat and are stored in the C:\WINDOWS\ directory. In Windows Me, Classes.dat was added.
Windows 3.11: the registry file is called Reg.dat and is stored in the C:\WINDOWS\ directory.

Outline
- More on recovering secret data
- FAT file system
- Windows registry
- NTFS file system

NTFS
- Each system component is a file, even system information
- The most important file on NTFS is named MFT (Master File Table), the common table of files
  - A centralized directory of all remaining disk files and of itself
  - Divided into records of fixed size (usually 1 KByte); each record corresponds to some file
  - The first 16 files are housekeeping, have a fixed position, and are inaccessible to the operating system; they are named metafiles, and the very first metafile is the MFT itself
  - For reliability, a second copy of the first 3 records is stored exactly in the middle of the disk
  - The rest of the MFT file can be stored, like any other file, anywhere on the disk

NTFS
[Diagram: Master Boot Record, Volume Boot Record and the MFT area; the MFT is divided into records of fixed size (usually 1 KByte)]
The NTFS file system is a distinguished achievement of structuring: each system component is a file, even system information. The most important file on NTFS is named MFT, or Master File Table: the common table of files. It is situated in the MFT area and is the centralized directory of all remaining disk files and of itself. The MFT is divided into records of fixed size (usually 1 KByte), and each record corresponds to some file. The first 16 files are housekeeping and are inaccessible to the operating system. They are named metafiles, and the very first metafile is the MFT itself. These first 16 MFT elements are the only part of the disk that has a fixed position. It is interesting that, for reliability (they are very important), a second copy of the first 3 records is stored exactly in the middle of the disk. The rest of the MFT file can be stored, like any other file, anywhere on the disk. Its position can be re-established with the MFT's own help, using the basis: the first MFT element.

NTFS System Files (Metadata Files)

System file            | File name | MFT record | Purpose of the file
-----------------------|-----------|------------|--------------------------------------------------------------------------
Master file table      | $Mft      | 0          | Contains one base file record
Master file table 2    | $MftMirr  | 1          | A duplicate image of the first three records of the MFT
Log file               | $LogFile  | 2          | Contains a list of transaction steps used for NTFS recoverability
Volume                 | $Volume   | 3          | Contains information about the volume
Attribute definitions  | $AttrDef  | 4          | A table of attribute names, numbers, and descriptions
Root file name index   | $         | 5          | The root folder
Cluster bitmap         | $Bitmap   | 6          | A representation of the volume showing which clusters are in use (one bit refers to one cluster)
Boot sector            | $Boot     | 7          | Includes the BIOS Parameter Block (BPB)
Bad cluster file       | $BadClus  | 8          | Contains bad clusters for the volume
Security file          | $Secure   | 9          | Contains unique security descriptors for all files within a volume
Upcase table           | $Upcase   | 10         | Converts lowercase characters to matching Unicode uppercase characters
NTFS extension file    | $Extend   | 11         | Used for various optional extensions
                       |           | 12–15      | Reserved for future use

BIOS Parameter Block (BPB): a description of the physical medium (hard disk or floppy) that might be stored in a partition's Volume Boot Record.

NTFS File Attributes
- Standard Information: includes information such as timestamp and link count
- Attribute List: lists the location of all attribute records that do not fit in the MFT record
- File Name: a repeatable attribute for both long and short file names. The long name of the file can be up to 255 Unicode characters. The short name is the 8.3, case-insensitive name for the file. Additional names, or hard links, required by POSIX can be included as additional file name attributes
- Security Descriptor: describes who owns the file and who can access it
- Data: contains file data. The $DATA attribute describes the "data runs", i.e. the clusters used by the file
- Object ID: a volume-unique file identifier, used by the distributed link tracking service. Not all files have object identifiers
- Logged Utility Stream: similar to a data stream, but operations are logged to the NTFS log file just like NTFS metadata changes. This is used by EFS
- Reparse Point: used for volume mount points. Also used by Installable File System (IFS) filter drivers to mark certain files as special to that driver
- Index Root, Index Allocation, Bitmap: used to implement folders and other indexes
- Volume Information: used only in the $Volume system file. Contains the volume version
- Volume Name: used only in the $Volume system file. Contains the volume label

Storing Files in NTFS
- The $LogFile metadata file is updated
- Transaction steps are logged
- Used to "roll back" if necessary

Deleted File
- Parent directory: the index entry is removed; the $BITMAP attribute is updated*
- MFT: the file record is marked available; the MFT's $BITMAP attribute is updated
- $Bitmap metadata file: updated if the file had non-resident clusters
  - Resident: file data can be stored within the MFT record
  - Non-resident: file data cannot be stored within the MFT record
- Data is still there until overwritten
* If a $BITMAP attribute is being used because of a large directory MFT record

Deleted File (Cont.)
[Diagram: MFT records. 6 File Record ($BITMAP); 213 File Record; 214 Directory Record (MYFILES) with Index Entries README.TXT, MYFILE.HLP, SYSTEM.DLL; 215 File Record (README.TXT) [parent 214]; 216 File Record (MYFILE.HLP) [214]; 217 File Record (SYSTEM.DLL) [214]; 218 Directory Record (Recycler) with Index Entry (S-1-5-21-3xxxxxx); 219 Directory Record (S-1-5-21-3xxxxxx) [218]; 221]
- Step 1: the index entry (README.TXT) is removed from the parent directory record (214)
- Step 2: the MFT record (215) is marked available: the value at offset 0x16 is changed to 0x00

$MFT $BITMAP Attribute Updated
[Diagram: $MFT file record header with $STANDARD_INFORMATION, $DATA and $BITMAP attributes; $BITMAP bytes: 11111111 11111111 00000000 11100111 00000001 00000000 00000000 00000000 00000000]
The $BITMAP attribute follows suit with the MFT entries: a one represents a used entry. In the example above, the first 16 entries are in use, the next 8 are not in use, and so on. Notice the 5th byte: the bits of each byte are read from right to left (least significant bit first), so the 33rd MFT entry is in use.

File Deleted: $Bitmap updated
[Diagram: the same MFT records as above]
- Step 3: the volume $Bitmap metadata file is updated to reflect that the file's clusters are available
- Note: the MFT's own $BITMAP attribute is also updated to reflect that the MFT record entry is available
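An added Python example (not code from the lecture) that reads the $BITMAP attribute bytes drawn on the slide above and cross-checks them against a constructed $MFT, listing records whose flags word at offset 0x16 says "not in use" even though their FILE header, and so their attributes, are still present. The 1 KByte record size, the flags offset and the bitmap bytes are from the slides; the sample records, the way a name is stored in them and the inconsistency check are constructed for the example.

```python
import struct

RECORD_SIZE = 1024        # MFT record size from the lecture (usually 1 KByte)
FLAG_IN_USE = 0x0001      # flags word at offset 0x16: record is allocated
FLAG_DIRECTORY = 0x0002
NAME_OFFSET = 0x40        # constructed: real records keep the name in a $FILE_NAME attribute

# The $BITMAP attribute bytes drawn on the slide: a set bit = MFT entry in use.
SLIDE_BITMAP = bytes([0b11111111, 0b11111111, 0b00000000, 0b11100111, 0b00000001,
                      0x00, 0x00, 0x00, 0x00])


def bitmap_in_use(bitmap, record_no):
    """Bit n = record n; bits within a byte are read right to left (LSB first)."""
    byte, bit = divmod(record_no, 8)
    return byte < len(bitmap) and bool((bitmap[byte] >> bit) & 1)


def records_in_use(bitmap):
    return [n for n in range(len(bitmap) * 8) if bitmap_in_use(bitmap, n)]


def make_record(name, in_use, directory=False):
    """Constructed minimal MFT record: 'FILE' signature, flags at 0x16, a name for display."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    flags = (FLAG_IN_USE if in_use else 0) | (FLAG_DIRECTORY if directory else 0)
    struct.pack_into("<H", rec, 0x16, flags)
    rec[NAME_OFFSET:NAME_OFFSET + len(name)] = name.encode()
    return bytes(rec)


def record_name(rec):
    return rec[NAME_OFFSET:].split(b"\x00", 1)[0].decode()


def scan_mft(mft, bitmap):
    """Return (deleted, inconsistent): records whose flags say 'not in use' but whose
    FILE header survives, and records where the header and the $BITMAP disagree."""
    deleted, inconsistent = [], []
    for n in range(len(mft) // RECORD_SIZE):
        rec = mft[n * RECORD_SIZE:(n + 1) * RECORD_SIZE]
        if rec[:4] != b"FILE":
            continue                               # never allocated (all zero) or corrupt
        flags = struct.unpack_from("<H", rec, 0x16)[0]
        allocated = bool(flags & FLAG_IN_USE)
        if not allocated:
            deleted.append((n, record_name(rec)))  # attributes stay until the record is reused
        if allocated != bitmap_in_use(bitmap, n):
            inconsistent.append(n)
    return deleted, inconsistent


def build_sample_mft():
    """Constructed $MFT consistent with SLIDE_BITMAP; record 17 holds a deleted README.TXT
    (flags 0x00, as on the slide) and record 26 is a directory."""
    recs = []
    for n in range(len(SLIDE_BITMAP) * 8):
        if bitmap_in_use(SLIDE_BITMAP, n):
            recs.append(make_record("$metafile%d" % n if n < 16 else "file%d" % n, True,
                                    directory=(n == 26)))
        elif n == 17:
            recs.append(make_record("README.TXT", False))   # deleted, not yet reused
        else:
            recs.append(bytes(RECORD_SIZE))                  # never allocated
    return b"".join(recs)
```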

Recovering Deleted Files
Software tools:
- FTK toolkit
- GetDataBack (Runtime)
- R-Studio
- CIA Unerase
- Etc.
(List tested tools here with web site info)

Deleted vs "Recycled"
Deleted or "Recycled":
- Sent to the Recycle Bin
- Deleted from the Recycle Bin
- Deleted bypassing the Recycle Bin (Shift+Del)

Win2K/XP Recycle Bin
- "Recycler" folder on NTFS
- Configure Explorer to show hidden and system files
- The SID-named subdirectory contains: INFO2, Desktop.ini, placeholder(s)
- Use FTK Imager to load the Recycler folder for viewing
(Drop the NT4 references (INFO); just put that info into the notes.)
INFO for NT4: the NT Recycle Bin is very similar to the Win9x/Me Recycle Bin. When an object is sent to the Recycle Bin, the MFT record for the deleted object is simply changed. The $Filename attribute is changed to:
- change the filename to the placeholder name that appears in the Recycle Bin (placeholder format: D + drive letter + #)
- change the record number of the parent directory from the old parent directory to the SID-named directory in the Recycler directory
In the original parent directory for that object, the index entry is removed (the data in that index entry may or may not actually get overwritten, depending on a number of factors). Placeholder numbering starts at 0 for NT4 (INFO) and at 1 for W2K (INFO2). For every recycled object, an 800-byte entry is made in the INFO / INFO2 file.
Restore / Delete from Bin / Empty Bin: the operation varies slightly between the INFO and INFO2 files. In NT4 (INFO), the index entry for the deleted file or directory is marked available in the parent directory's MFT record when it is sent to the Bin.
- Object restored: the placeholder is renamed back to its original name and pointed at its original parent directory. Index entry created in the parent directory. Index entry in the SID-named directory removed. INFO entry removed, INFO resized.
- Object deleted: placeholder MFT record marked deleted. INFO entry removed, INFO resized. $Bitmap metafile updated to reflect any non-resident clusters that became available.
- Recycle Bin emptied: INFO and placeholders deleted, Desktop.ini re-written.
INFO2: same as above except:
- Object deleted from Bin: same as INFO except INFO2 is not resized.
- Object restored: same as INFO except INFO2 is not resized.
- Recycle Bin emptied: same as INFO except INFO2 is RE-WRITTEN to 20 bytes instead of deleted. Because it is re-written, RAM slack will overwrite some of the data.
The 800-byte entries in INFO and INFO2 are all non-resident.

NTFS Recycle Bin
- Called "Recycled" on a FAT32 partition
- No SID folders on a FAT32 partition

Placeholder(s)
- One entry for each deleted item
- Hidden from view in the GUI environment
- Date & time unchanged from the original file
- If a subdirectory is deleted, only one placeholder is made

Placeholder(s)
- Naming format: D<original drive letter><#>.<original extension>
- Examples: DC1.TXT, DC2.JPG, DC3.BMP
- Numbering starts at boot-up, based on the highest number currently in the INFO2 file. The numbering resets to one when the Recycle Bin is emptied and after a reboot.

Speaker notes: For every deleted file, a "placeholder" is created in the Recycled folder. Each placeholder actually IS the "deleted" file, hidden and renamed. The naming convention keeps the original extension (if present); the first character of the filename becomes "D", the second character becomes the letter of the drive that the file was deleted from, followed by a sequential number (beginning with "1"). For example, the first file deleted from the C: drive (TEST1.TXT) would become DC1.TXT. Subsequent files deleted from the C: drive would become DC2, DC3, etc., with the same extension as the original file prior to deletion.

INFO2 File
- An 800-byte entry is made for each recycled object: recycled date, original path and filename, placeholder drive letter and #
- The INFO2 file in the Recycler folder is rewritten to 20 bytes when the Recycle Bin is emptied

Speaker notes: The first 20 bytes are the header of the INFO2 file. Each entry is 800 bytes in length.

Bytes       Length      Description
00 - 19     20 bytes    INFO2 file header

Structure of INFO2 entries:
Bytes       Length      Description
00 - 258    variable    Char path and file name
259         1 byte      Unknown; testing has not produced any values other than 00h
260 - 263   4 bytes     Long: index number
264 - 267   4 bytes     Long: drive letter (numeric, starting with A = 0, B = 1, etc.)
268 - 275   8 bytes     Date/time of deletion, in GMT
276 - 279   4 bytes     Unknown
280 - 797   variable    Unicode char path and file name
798 - 799   2 bytes     Unknown; testing has not produced any values other than 00h

NOTE: When an INFO (Windows NT) file is used, only FILES are sent to the bin. If a subdirectory is deleted, an entry is made for each file that was in the subdirectory, containing the full path information necessary to rebuild it. The subdirectory itself is not protected in this case. When an INFO2 file is used and a subdirectory is deleted, only a single entry is made for the subdirectory.
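The record layout above is enough to write a small parser. The following is an added example, not code from the slides or from any of the tools they name. It builds a CONSTRUCTED INFO2 file in memory (20-byte header plus three 800-byte records, with the header contents left zero because the slide gives only its length), parses each record, converts the GMT FILETIME, derives the placeholder name the previous slide describes (D + drive letter + index + original extension), and then cross-checks those names against a constructed listing of the SID-named folder. The 4 bytes at 276-279 are read as the file size field that the next slide labels. A 20-byte (emptied) INFO2 parses to an empty list, and a record whose placeholder is absent is reported, which is consistent with the earlier note that INFO2 is not resized when one item is deleted from the bin.

```python
"""Parse a Windows 2000/XP INFO2 file and cross-check its records against the
placeholder files present in the Recycler folder.

Added example (not from the slides). The INFO2 bytes and the folder listing
below are CONSTRUCTED to match the record layout on the slide: a 20-byte
header followed by 800-byte records."""
import ntpath
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 20
RECORD_SIZE = 800
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ticks):
    """FILETIME is 100 ns ticks since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_filetime(dt):
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def placeholder_for(drive, index, original_path):
    """Placeholder name: 'D' + drive letter + sequence number + original extension."""
    return "D%s%d%s" % (drive, index, ntpath.splitext(original_path)[1])


def parse_info2(data):
    """Return one dict per 800-byte record; an emptied (20-byte) INFO2 yields []."""
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than the 20-byte INFO2 header")
    body = data[HEADER_SIZE:]
    if len(body) % RECORD_SIZE:
        raise ValueError("record area is not a multiple of 800 bytes (truncated?)")
    records = []
    for off in range(0, len(body), RECORD_SIZE):
        rec = body[off:off + RECORD_SIZE]
        # bytes 0-258: NUL-terminated ANSI path; byte 259 is always 00h per the slide
        ansi_path = rec[:260].split(b"\x00", 1)[0].decode("cp1252", "replace")
        index, drive_num = struct.unpack_from("<II", rec, 260)   # 260-263, 264-267
        (ticks,) = struct.unpack_from("<Q", rec, 268)            # 268-275 FILETIME (GMT)
        (size,) = struct.unpack_from("<I", rec, 276)             # 276-279: file size (next slide)
        # 280-799: UTF-16LE path, NUL-terminated
        uni_path = rec[280:800].decode("utf-16-le", "replace").split("\x00", 1)[0]
        drive = chr(ord("A") + drive_num)                        # numeric drive, A = 0
        original = uni_path or ansi_path
        records.append({
            "index": index,
            "drive": drive,
            "original_path": original,
            "ansi_path": ansi_path,
            "deleted_utc": filetime_to_utc(ticks),
            "size": size,
            "placeholder": placeholder_for(drive, index, original),
        })
    return records


def check_placeholders(records, recycler_listing):
    """Map each expected placeholder name to whether it exists in the SID folder
    (case-insensitive, as NTFS/FAT name lookup is). A record with no placeholder
    is consistent with the item having been deleted from the bin individually:
    INFO2 is not resized in that case, so the stale record remains."""
    present = {name.lower() for name in recycler_listing}
    return {r["placeholder"]: r["placeholder"].lower() in present for r in records}


# --- constructed sample data -------------------------------------------------
def _record(path, index, drive, deleted_utc, size):
    rec = bytearray(RECORD_SIZE)
    rec[:len(path)] = path.encode("cp1252")
    struct.pack_into("<II", rec, 260, index, ord(drive) - ord("A"))
    struct.pack_into("<Q", rec, 268, utc_to_filetime(deleted_utc))
    struct.pack_into("<I", rec, 276, size)
    uni = path.encode("utf-16-le")
    rec[280:280 + len(uni)] = uni
    return bytes(rec)


_T = datetime(2005, 4, 12, 21, 0, tzinfo=timezone.utc)
SAMPLE_INFO2 = (
    bytes(HEADER_SIZE)   # constructed header: the slide gives only its length
    + _record("C:\\Docs\\TEST1.TXT", 1, "C", _T, 4096)
    + _record("C:\\Pics\\photo.jpg", 2, "C", _T + timedelta(minutes=5), 65536)
    + _record("C:\\Docs\\notes.doc", 3, "C", _T + timedelta(minutes=9), 12288)
)
# constructed directory listing of the SID-named folder: DC3.doc is missing
RECYCLER_LISTING = ["INFO2", "desktop.ini", "Dc1.txt", "DC2.jpg"]

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        print(r["placeholder"], r["deleted_utc"].isoformat(), r["original_path"])
    print(check_placeholders(parse_info2(SAMPLE_INFO2), RECYCLER_LISTING))
```

On a real image, read the INFO2 file copied out of the SID-named folder (FTK Imager, as the earlier slide suggests) and pass the folder's directory listing to check_placeholders; the deletion times it returns are in UTC and still need the suspect's time zone applied, which the date/time slide below covers.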

INFO2 File (Cont.)
[Figure: annotated hex dump of one INFO2 record; labelled fields: start of the record, record size, ASCII file name, record ID, deletion time, drive letter, Unicode file name, file size]

Recycled date and time issue
- Windows saves time stamps in FILETIME format: the number of ticks, in 100 ns increments, since 00:00 on 1 Jan 1601 (UTC)
- Recycle Bin tools (X-Ways Trace, IEHistory, Datalifter) will convert the time for you
- The date/time the bin was last emptied could be relevant to an investigation
- Need to ensure the tool you're using is reporting back an accurate date

Speaker notes: For example, the suspect's computer is set to Pacific Standard Time (GMT -8). The system clock read 1300. The INFO2 file stores that time converted to GMT; the stored value, in hex, corresponds to 2100. Your forensic machine is set to Eastern Standard Time (GMT -5). You extract the INFO2 file and process it with IEHistory. IEHistory converts the GMT time to EST. The result is 1800, three hours different from the actual time the file was recycled. Therefore, ensure your forensic machine is set to the same time zone as the suspect's machine. This information can be located in the suspect's registry here: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation
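Rather than re-setting the examiner's machine clock, the same correction can be applied in code by taking the bias from the suspect's TimeZoneInformation key and rendering the stored GMT FILETIME with it. The block below is an added example, not code from the slides or from IEHistory, X-Ways Trace or Datalifter. The .reg text is CONSTRUCTED to represent an export of the key named on the slide, with the values chosen for Pacific Standard Time; Bias, ActiveTimeBias, DaylightBias and StandardName are the standard value names in that key, and the date attached to the slide's "2100" is assumed, since the slide gives only the time. It also handles the signed-DWORD edge case: zones east of Greenwich store a negative bias as two's complement, which a naive hex conversion would read as a large positive number.

```python
"""Render an INFO2 deletion FILETIME in the suspect's local time, taking the
UTC bias from the suspect's TimeZoneInformation key rather than from the
examiner's own clock. Added example; the FILETIME value and the .reg export
below are CONSTRUCTED to match the slide's scenario (suspect on PST, GMT -8,
examiner on EST, GMT -5)."""
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ticks):
    """FILETIME: 100 ns ticks since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_filetime(dt):
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def reg_dword(hex_text):
    """A REG_DWORD is a signed 32-bit value: zones east of Greenwich store a
    negative bias as two's complement, e.g. dword:ffffffc4 == -60."""
    value = int(hex_text, 16)
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def parse_tz_export(reg_text):
    """Pull the dword values out of a .reg export of the TimeZoneInformation key."""
    return {name: reg_dword(hx) for name, hx in
            re.findall(r'"(\w+)"=dword:([0-9a-fA-F]{8})', reg_text)}


def local_time(ticks, bias_minutes):
    """Bias is the number of minutes to ADD to local time to reach UTC
    (positive west of Greenwich), so local = UTC - bias."""
    return filetime_to_utc(ticks).astimezone(timezone(timedelta(minutes=-bias_minutes)))


def suspect_local_time(ticks, tz_values):
    """Prefer ActiveTimeBias (the bias in effect when the key was last written,
    including any daylight-saving adjustment); fall back to the standard Bias."""
    bias = tz_values.get("ActiveTimeBias", tz_values["Bias"])
    return local_time(ticks, bias)


def hours_of_skew(ticks, tz_values, examiner_bias):
    """Wall-clock error, in hours, of a tool that silently uses the examiner's zone."""
    suspect = suspect_local_time(ticks, tz_values).replace(tzinfo=None)
    examiner = local_time(ticks, examiner_bias).replace(tzinfo=None)
    return (examiner - suspect).total_seconds() / 3600


# constructed .reg export of the slide's registry key (values chosen for PST)
SUSPECT_TZ_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation]
"Bias"=dword:000001e0
"StandardName"="Pacific Standard Time"
"DaylightBias"=dword:ffffffc4
"ActiveTimeBias"=dword:000001e0
'''

# constructed FILETIME for the slide's stored value of 2100 GMT on an assumed date
STORED_TICKS = utc_to_filetime(datetime(2005, 4, 12, 21, 0, tzinfo=timezone.utc))
EXAMINER_BIAS = 300   # examiner's machine on EST (GMT -5), as on the slide

if __name__ == "__main__":
    tz = parse_tz_export(SUSPECT_TZ_REG)
    print("suspect local :", suspect_local_time(STORED_TICKS, tz).strftime("%H%M"))
    print("examiner local:", local_time(STORED_TICKS, EXAMINER_BIAS).strftime("%H%M"))
    print("skew (hours)  :", hours_of_skew(STORED_TICKS, tz, EXAMINER_BIAS))
```

ActiveTimeBias is preferred over Bias because it reflects the offset the suspect's system was actually applying, daylight saving included, when the hive was last written; on a live system ControlSet001 may not be the active control set, so check the Select key's Current value before trusting which ControlSet to read.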

Desktop.ini
- A folder configuration file
- Created when the Recycle Bin is created
- Only modified if the Recycle Bin is EMPTIED
- All date/time information is updated when the bin is emptied
- http://www.xs4all.nl/~hwiegman/desktopini.html

Recovering From Recycle Bin
When an object is sent to the Recycle Bin, the MFT record for the deleted object is simply changed. The $FILE_NAME attribute is changed as follows:
- The filename is changed to the placeholder name that appears in the Recycle Bin (placeholder format: D + drive letter + #).
- The record number of the parent directory is changed from the old parent directory to the SID-named directory in the Recycler directory.

Recovery steps:
- Copy the placeholders to a separate drive
- Copy the INFO2 file; use a utility to parse out the date/time data:
  X-Ways Trace - http://www.x-ways.net/trace/index-m.html
  Datalifter
  IE History

Summary
- Deleting and formatting on a hard drive does not touch the data area
- Often evidence can be found in deleted files and the Recycle Bin
- System clocks and default time zone settings are very important

Review
- What happens to deleted FAT files?
- What about formatting?
- What happens to deleted NTFS files?
- Recovering deleted files
