An intro to the Windows Recycle Bin<br />
Dan English, 2018-09-16<br />
<br />
The Recycle Bin is a very well known feature of the Windows operating system and has appeared in almost every version since it was introduced in Windows 95.<br />
<br />
The Recycle Bin is where files and folders go once they have been deleted. However, there are four common reasons why a deleted file may not get sent to the Recycle Bin:<br />
<br />
<ul>
<li> If the Recycle Bin on that drive is disabled ("Don't move files to the Recycle Bin" in its properties)</li>
<li> If the deleted file is larger than the maximum size configured for that drive's Recycle Bin</li>
<li> If the command prompt (or PowerShell, or any program that calls the file-deletion API directly rather than going through Explorer) was used to delete the file</li>
<li> If the <span style="font-family: "courier new" , "courier" , monospace;">SHIFT</span> key was held when deleting the file/folder</li>
</ul>
<br />
As you might expect, the Recycle Bin is one of the places on a computer that is almost always checked during a forensic investigation. If someone has been doing something wrong, there's a good chance they'll attempt to delete the evidence, and unless it was deleted in one of the ways detailed above, it'll end up in the Recycle Bin.<br />
<br />
In this post I'll explain the Recycle Bin and the types of artefacts it gives us as forensic investigators.<br />
<br />
<h2>
Naming conventions</h2>
If you've ever looked at the Recycle Bin in a forensic image or on your own drive you might have noticed it being labelled as either <span style="font-family: "courier new" , "courier" , monospace;">$Recycle.Bin</span> or <span style="font-family: "courier new" , "courier" , monospace;">$RECYCLE.BIN</span>.<br />
<br />
The '<span style="font-family: "courier new" , "courier" , monospace;">$</span><span style="font-family: inherit;">'</span> prefix marks it as a hidden system folder, so that part will always be there, but why the different cases?<br />
<br />
The distinction is actually really simple. The mixed-case <span style="font-family: "courier new" , "courier" , monospace;">$Recycle.Bin</span> is used for the Bin on the same drive as Windows, and the all-uppercase <span style="font-family: "courier new" , "courier" , monospace;">$RECYCLE.BIN</span> is used for Bins on secondary drives.<br />
<br />
<h2>
What's inside the bin?</h2>
Windows is a multi-user operating system and as such, each user on the computer has their own Recycle Bin. But how does Windows know which deleted files belong to which user?<br />
<br />
Inside the root Recycle Bin folder, additional folders can be found - one for each user who has deleted something on that drive (the folder is created the first time a user sends something to the Bin). If five users had each deleted files on your computer, you would find five folders here. On my analysis machine I only have one user and so there is only one folder.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuQa_zbPGuCYQI7XelwXpfvKvFl9FjpU-0fu_hbSyft-mAHU_TrDSxoJAt-GJmJJksqs779LuAHS0z8KFiuvwB9YQYC6R2tFhZsdhDcK3JtuCgaLOYtCvnDvRP9cYkVGDdsP-eUpHE-gU/s1600/01.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="54" data-original-width="336" height="63" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuQa_zbPGuCYQI7XelwXpfvKvFl9FjpU-0fu_hbSyft-mAHU_TrDSxoJAt-GJmJJksqs779LuAHS0z8KFiuvwB9YQYC6R2tFhZsdhDcK3JtuCgaLOYtCvnDvRP9cYkVGDdsP-eUpHE-gU/s400/01.JPG" width="400" /></a></div>
<br />
<br />
Each folder here is named with the <a href="https://docs.microsoft.com/en-us/windows/desktop/SecAuthZ/security-identifiers">Security Identifier (SID)</a> for the user that 'owns' it. Inside the SID folder are the actual files that were deleted. Here's a sample of the files found in my Analysis machine Recycle Bin:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2rMd7QSYmesYPhwan5dwJJaG2Ts4nmw3Z7jYkJ7efT8QcKEJIbpwFBd0rDGA5E7cP7X7_cncYjboMADFyix7zD-fyshXB3X3F24snvNWidFoWtXb_NdAVfuFm9NEZ-NO9ISNWixnAxeY/s1600/02.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="462" data-original-width="274" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2rMd7QSYmesYPhwan5dwJJaG2Ts4nmw3Z7jYkJ7efT8QcKEJIbpwFBd0rDGA5E7cP7X7_cncYjboMADFyix7zD-fyshXB3X3F24snvNWidFoWtXb_NdAVfuFm9NEZ-NO9ISNWixnAxeY/s400/02.JPG" width="236" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
Here, the file extensions are recognisable but the names of the files and folders are strange: some begin with <span style="font-family: "courier new" , "courier" , monospace;">$I</span> and others start with <span style="font-family: "courier new" , "courier" , monospace;">$R</span>.<br />
<br />
In fact each deleted item is there twice, once with an 'I' and once with an 'R', and the six characters after the prefix are the same for both halves of a pair. But what does this mean?<br />
<br />
<h2>
$I Files</h2>
The files in the Recycle Bin that begin with <span style="font-family: "courier new" , "courier" , monospace;">$I</span> are small metadata files describing their 'R' partner: where the file came from, how big it was and when it was deleted.<br />
<br />
The information found in these 'I' files is certainly valuable and definitely worth investigating. Like the INFO2 file that held this information for every deleted file in Windows XP's Recycle Bin, it is stored as a binary structure rather than plain text, so it has to be decoded field by field. Below is how the contents of the file <span style="font-family: "courier new" , "courier" , monospace;">$IOBDDUQ.doc</span> look when viewed with a Hex editor:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyJMnIxzLoSjz-VCE1DB0wttmy_kWI6Fio0t4y88LigaqjvrZa4N04s5Pin1ly24xa4udOJVeU4sph-fQCXoQ-t0if9A_ogjAsx8YRDNbz_9v2rxndSqtxi0fppJVjTdCLQ9rhwYxbz_o/s1600/03.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="175" data-original-width="480" height="145" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyJMnIxzLoSjz-VCE1DB0wttmy_kWI6Fio0t4y88LigaqjvrZa4N04s5Pin1ly24xa4udOJVeU4sph-fQCXoQ-t0if9A_ogjAsx8YRDNbz_9v2rxndSqtxi0fppJVjTdCLQ9rhwYxbz_o/s400/03.JPG" width="400" /></a></div>
<br />
<br />
To understand what is being presented we need to understand how the file is constructed:<br />
<br />
<h3>
0x00 to 0x07 - Header (version)</h3>
These first 8 bytes are the file header, a 64-bit little-endian version number. It is 1 on Windows Vista, 7, 8 and 8.1 (and on Windows 10 builds before version 1703) and 2 on Windows 10 from version 1703 onwards, so the header alone tells you roughly which generation of Windows wrote the file. The version also changes the layout: version 1 files are a fixed 544 bytes with the path held in a 520-byte field starting at offset 0x18, while version 2 adds the name-length field described below and stores the path after it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBUHO8StQgDK55U4RjyNGJL9oGrTCOp5qFqhaLJpNSt3JN592UDQHg796cp1_HTnMmBIAUy4dxJSnvBlREIaEDp0SA59jLw7VudFzJsF9ROb_2akfGJa2JQYN_5KCBl6mdrwyU0WAkzqs/s1600/09.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="78" data-original-width="771" height="64" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBUHO8StQgDK55U4RjyNGJL9oGrTCOp5qFqhaLJpNSt3JN592UDQHg796cp1_HTnMmBIAUy4dxJSnvBlREIaEDp0SA59jLw7VudFzJsF9ROb_2akfGJa2JQYN_5KCBl6mdrwyU0WAkzqs/s640/09.JPG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<br />
<h3>
0x08 to 0x0F - File Size</h3>
The next 8 bytes in the file contain the size (in bytes) of the original deleted file, as a 64-bit little-endian integer.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJ-6BRtRR04FcpkJJdHgXicmEVIpj90ExTMeJYp3eiCEs6aWaZZ-hKrhdFyqPq992aNzwYKJuM01lcgN5jB2zb13uTSYdoCNMTgKR4dbz7Tap0JONz5Qio-wvW3YPksKHbLpXjDhc6lI4/s1600/04.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="79" data-original-width="774" height="64" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJ-6BRtRR04FcpkJJdHgXicmEVIpj90ExTMeJYp3eiCEs6aWaZZ-hKrhdFyqPq992aNzwYKJuM01lcgN5jB2zb13uTSYdoCNMTgKR4dbz7Tap0JONz5Qio-wvW3YPksKHbLpXjDhc6lI4/s640/04.JPG" width="640" /></a></div>
<br />
<br />
The original document that the <span style="font-family: "courier new" , "courier" , monospace;">$IOBDDUQ.doc</span> file relates to was 41984 bytes in size.<br />
<br />
<h3>
0x10 to 0x17 - Deleted Date and Time</h3>
The next 8 bytes in the file contain the date and time that the original file was deleted, stored as a 64-bit Windows FILETIME (the number of 100-nanosecond intervals since 1 January 1601, in UTC) - useful!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEIaISH-t3moKJBxlx2zW78bi4W0l9xNiZzSa8TErfF73mVcw-_wD6YM_tN9RBOVqA86wFut03Z6RX3gajP6KItU7NTU_oitOjAPbFYic8x82IQYmVpyIJdxtDtJPahdMO8QVuBe1Rz2I/s1600/05.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="107" data-original-width="770" height="88" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEIaISH-t3moKJBxlx2zW78bi4W0l9xNiZzSa8TErfF73mVcw-_wD6YM_tN9RBOVqA86wFut03Z6RX3gajP6KItU7NTU_oitOjAPbFYic8x82IQYmVpyIJdxtDtJPahdMO8QVuBe1Rz2I/s640/05.JPG" width="640" /></a></div>
<br />
<br />
Using the image above you can see that the original file was deleted at 4:54PM on the 16th of February 2017. Remember that the stored value is UTC; a hex editor or forensic tool may render it in the local time zone of the analysis machine, so check which you are looking at before putting it in a timeline.<br />
<br />
<h3>
0x18 to 0x1B - File Name Length</h3>
These 4 bytes contain the length of the original file's full path, counted in UTF-16 characters and including the terminating null character. This field only exists in version 2 files.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWjYVqopyTGUuNsgfh3R9cghCoA8aQUkgwK_-pS9rXhyXMRc3Nv-2SwtndOBG0jqUaO_lKbIjdRSKjRzXhMFnlLncudFjgHUEbm9X29nHSGcP9C6HTBhGarOnx81sdF52hFPEZ7QAbBys/s1600/06.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="80" data-original-width="766" height="64" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWjYVqopyTGUuNsgfh3R9cghCoA8aQUkgwK_-pS9rXhyXMRc3Nv-2SwtndOBG0jqUaO_lKbIjdRSKjRzXhMFnlLncudFjgHUEbm9X29nHSGcP9C6HTBhGarOnx81sdF52hFPEZ7QAbBys/s640/06.JPG" width="640" /></a></div>
<br />
<br />
The original path was 69 characters long: the 68 characters of the path itself plus the terminating null.<br />
<br />
<h3>
0x1C onwards - File Path and Name</h3>
The rest of the data in the <span style="font-family: "courier new" , "courier" , monospace;">$I</span> file is the full path and name of the original file, stored as UTF-16LE and terminated with a null character. This value will obviously be of variable length, depending on how long the path and file name was, which is why the length field precedes it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjykgBriyewT-HgwZTDJQoDXHyS80gXRN3XgoDWEzrNqNqRNaU5ALjnu8PHkXFWReu8tn2P2_jYpnI9pUP8-JWkSKfZW2P5AHr5mP8T8nVNnjSPoFMFuCyGI472-3-YY1EcdV66wxZb2Q/s1600/07.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="174" data-original-width="481" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjykgBriyewT-HgwZTDJQoDXHyS80gXRN3XgoDWEzrNqNqRNaU5ALjnu8PHkXFWReu8tn2P2_jYpnI9pUP8-JWkSKfZW2P5AHr5mP8T8nVNnjSPoFMFuCyGI472-3-YY1EcdV66wxZb2Q/s400/07.JPG" width="400" /></a></div>
<br />
<br />
You can see that the original path and name of the file was:<br />
<span style="font-family: "courier new" , "courier" , monospace;">D:\Dan\Downloads\Cyber Crime Investigator Placement Role Profile.doc</span><br />
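<br />
The two things described above, the per-user SID folders under the Bin and the field-by-field layout of the <span style="font-family: "courier new" , "courier" , monospace;">$I</span> file, can be pulled together into a small parser. The following Python is an added example written for this post, not a tool from the original page: it decodes both the version 1 and version 2 <span style="font-family: "courier new" , "courier" , monospace;">$I</span> layouts, converts the FILETIME to UTC, and walks a Recycle Bin tree pairing each <span style="font-family: "courier new" , "courier" , monospace;">$I</span> with its <span style="font-family: "courier new" , "courier" , monospace;">$R</span> partner. The SID, the <span style="font-family: "courier new" , "courier" , monospace;">$IAB12CD.txt</span> record and the stub <span style="font-family: "courier new" , "courier" , monospace;">$R</span> content are constructed sample input; the <span style="font-family: "courier new" , "courier" , monospace;">$IOBDDUQ.doc</span> record is rebuilt from the values shown above, taking the 4:54PM timestamp as UTC.<br />

```python
"""Decode Windows $I recycle-bin metadata and pair it with $R files.

Added example for this post (not code from the original page). It builds a
constructed $Recycle.Bin tree in a temp directory so that it runs offline.
"""
import os
import struct
import tempfile
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """64-bit FILETIME -> timezone-aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; only used here to build the constructed samples."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data):
    """Decode one $I file.

    Version 1 (Vista to 8.1, early Win10): 0x00 version, 0x08 size, 0x10 FILETIME,
    0x18 path in a fixed 520-byte UTF-16LE field (file is always 544 bytes).
    Version 2 (Win10 1703+): same first 24 bytes, then 0x18 name length in UTF-16
    characters (null included), 0x1C null-terminated UTF-16LE path.
    """
    if len(data) < 0x18:
        raise ValueError("too short to be a $I file (%d bytes)" % len(data))
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        name_len = None
        raw = data[0x18:0x18 + 520]
    elif version == 2:
        (name_len,) = struct.unpack_from("<I", data, 0x18)
        raw = data[0x1C:0x1C + name_len * 2]
    else:
        raise ValueError("unsupported $I version %d" % version)
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size, "deleted_utc": filetime_to_datetime(ft),
            "name_length": name_len, "path": path}


def walk_recycle_bin(root):
    """Return one record per $I file under <root>/<SID>/, with its $R partner status."""
    records = []
    for sid in sorted(os.listdir(root)):
        sid_dir = os.path.join(root, sid)
        if not os.path.isdir(sid_dir):
            continue
        for name in sorted(os.listdir(sid_dir)):
            if not name.startswith("$I"):
                continue
            with open(os.path.join(sid_dir, name), "rb") as fh:
                rec = parse_i_file(fh.read())
            r_name = "$R" + name[2:]          # same six random characters + extension
            r_path = os.path.join(sid_dir, r_name)
            rec.update(sid=sid, i_name=name, r_name=r_name,
                       r_present=os.path.exists(r_path), r_is_dir=os.path.isdir(r_path))
            records.append(rec)
    return records


def build_i_file(version, size, deleted, path):
    """Pack a $I blob; used only to construct sample input for this example."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


def build_sample_bin():
    """Lay out a constructed Recycle Bin: one made-up SID folder, a v2 pair rebuilt
    from the values in the post, and a v1 orphan (no $R) to exercise both layouts."""
    root = tempfile.mkdtemp(prefix="recycle_bin_")
    sid_dir = os.path.join(root, "S-1-5-21-1111111111-2222222222-3333333333-1001")  # made-up SID
    os.makedirs(sid_dir)
    deleted = datetime(2017, 2, 16, 16, 54, tzinfo=timezone.utc)   # post's timestamp, taken as UTC
    doc = r"D:\Dan\Downloads\Cyber Crime Investigator Placement Role Profile.doc"
    with open(os.path.join(sid_dir, "$IOBDDUQ.doc"), "wb") as fh:
        fh.write(build_i_file(2, 41984, deleted, doc))
    with open(os.path.join(sid_dir, "$ROBDDUQ.doc"), "wb") as fh:
        fh.write(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504)  # OLE2 magic stub standing in for the .doc
    with open(os.path.join(sid_dir, "$IAB12CD.txt"), "wb") as fh:      # constructed v1 record with no $R
        fh.write(build_i_file(1, 1234, deleted, r"C:\Users\dan\notes.txt"))
    return root


if __name__ == "__main__":
    for rec in walk_recycle_bin(build_sample_bin()):
        print("%s  v%d  %6d bytes  deleted %s  $R present: %s  ->  %s" % (
            rec["i_name"], rec["version"], rec["size"],
            rec["deleted_utc"].strftime("%Y-%m-%d %H:%M:%S UTC"), rec["r_present"], rec["path"]))
```

Pointing <span style="font-family: "courier new" , "courier" , monospace;">walk_recycle_bin</span> at a mounted image's <span style="font-family: "courier new" , "courier" , monospace;">$Recycle.Bin</span> folder gives a per-SID listing; an <span style="font-family: "courier new" , "courier" , monospace;">$I</span> whose <span style="font-family: "courier new" , "courier" , monospace;">$R</span> is missing is worth noting in itself, since the metadata can outlive the content it describes.<br />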
<h2>
The $R Files</h2>
Simply, the <span style="font-family: "courier new" , "courier" , monospace;">$R</span> file is the complete original file, moved into the Bin with its content untouched (only its name has changed). If a folder was deleted, the <span style="font-family: "courier new" , "courier" , monospace;">$R</span> entry is a folder containing the original tree, and a single <span style="font-family: "courier new" , "courier" , monospace;">$I</span> file describes the whole folder rather than each file inside it.<br />
<br />
In this case, <span style="font-family: inherit;">it's</span> the full 'Cyber Crime Investigator Placement Role Profile.doc'. Using a hex editor it is possible to view the text contents of the file, and a tool like <a href="https://technet.microsoft.com/en-us/sysinternals/strings.aspx">Strings</a> or the 'Find' feature in your analysis tool can be used to find specific information in the document such as the word 'Salary'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaIJg_m0hhaT88-VJY1vrhxqPqCh5XoWD1NSVNs9Q0o_82LSGwOYHrZ4tcIzEoZ4urvvKdyo4BTDfW1HBg6iM0DP81tmCAFJoQEiP8VtGYIyrFODISmfezpdhmqBBB_d7mHoHCHtd_4IM/s1600/08.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="247" data-original-width="489" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaIJg_m0hhaT88-VJY1vrhxqPqCh5XoWD1NSVNs9Q0o_82LSGwOYHrZ4tcIzEoZ4urvvKdyo4BTDfW1HBg6iM0DP81tmCAFJoQEiP8VtGYIyrFODISmfezpdhmqBBB_d7mHoHCHtd_4IM/s400/08.JPG" width="400" /></a></div>
<br />
<br />
Thanks for reading this quick overview of the Windows 10 Recycle Bin and what sort of files you can expect to find in it.<br />
<br />
Dan<br />
<br />
<br />
Hello, World!<br />
Dan English, 2018-09-15<br />
<br />
Hello and welcome to my blog!<br />
<div>
<br /></div>
<div>
I'm currently a final year student in Forensic Computing. Throughout my studies I've learned <i>so much</i> from so many great people via blogs, tweets and podcasts that I think it's only right that I at least try and give back.</div>
<div>
<br /></div>
<div>
Digital Forensics is so massive and fast-paced that there's always fun stuff to learn and new artefacts and techniques are appearing all the time.</div>
<div>
<br /></div>
<div>
On this blog I hope to share interesting bits and pieces about digital forensics and, where I can, incident response.</div>
<div>
<br /></div>
<div>
Thanks for stopping by and I hope to publish some proper posts soon!</div>
<div>
<br /></div>
<div>
Dan</div>