
91.580.203 Computer Network Forensics


Presentation Transcript


    1. 91.580.203 Computer & Network Forensics
       Xinwen Fu
       Chapter 7/8 File Systems - Supplementary Materials

    2. Outline
       - More on recovering secret data
         - Rename files/directories
         - Delete files/directories
         - Copy files/directories
         - Print files
         - Format a disk
       - FAT file system
       - Windows registry
       - NTFS file system

    3. Renaming Files
       - Rename files and/or file extensions
       - Example: rename extortion_letter.doc to fuzzy_bunny.jpg
         - People looking for incriminating evidence probably won't check a picture file called fuzzy_bunny.jpg

    4. Rename Files (Cont.)
       - The file header reveals the real file type, whatever the extension says
       - Check the real file type with a hex editor (WinHex or XVI32)
       - File type signatures (first bytes of the file):
         - 424D - .bmp
         - D0CF - .doc
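The header check described on this slide, as an added example that is not part of the original deck: it matches a file's leading bytes against known signatures and reports when the extension claims a different type. The slide lists only the BMP (424D) and OLE/.doc (D0CF) signatures; the other entries in the table, the `scan_directory` helper and the sample header are additions.

```python
# Added example (not from the slides): check a file's real type from its
# header bytes and compare it with the type the extension claims.
# The slide gives only the BMP (42 4D) and OLE/.doc (D0 CF) signatures;
# the other entries below are well-known signatures added for completeness.
import os
from typing import Optional

# Leading bytes -> (type label, extensions that legitimately carry it)
SIGNATURES = {
    b"BM":                                  ("bmp", {"bmp", "dib"}),
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1":    ("ole-compound (doc/xls/ppt)", {"doc", "xls", "ppt", "msg"}),
    b"\xFF\xD8\xFF":                        ("jpeg", {"jpg", "jpeg"}),
    b"\x89PNG\r\n\x1a\n":                   ("png", {"png"}),
    b"GIF8":                                ("gif", {"gif"}),
    b"%PDF":                                ("pdf", {"pdf"}),
    b"PK\x03\x04":                          ("zip", {"zip", "docx", "xlsx", "pptx", "jar"}),
}

def sniff_type(header: bytes) -> Optional[str]:
    """Return the type label whose signature the header starts with, else None."""
    for magic, (label, _) in SIGNATURES.items():
        if header.startswith(magic):
            return label
    return None

def extension_of(name: str) -> str:
    return os.path.splitext(name)[1].lstrip(".").lower()

def extension_mismatch(name: str, header: bytes) -> Optional[tuple]:
    """Return (claimed_ext, real_type) if the extension does not match the
    header signature; None when they agree or the header is unknown."""
    real = sniff_type(header)
    if real is None:
        return None
    ext = extension_of(name)
    for _magic, (label, exts) in SIGNATURES.items():
        if label == real and ext in exts:
            return None
    return (ext, real)

def scan_directory(root: str, nbytes: int = 8) -> list:
    """Walk a directory tree and report files whose header disagrees with
    their extension, e.g. a .jpg that is really an OLE compound document."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    header = f.read(nbytes)
            except OSError:
                continue
            hit = extension_mismatch(fn, header)
            if hit:
                findings.append((path, hit[0], hit[1]))
    return findings

# Constructed sample: the first bytes of the slide's renamed Word document.
SAMPLE_HEADER = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 8

if __name__ == "__main__":
    print(extension_mismatch("fuzzy_bunny.jpg", SAMPLE_HEADER))
```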

    5. Copying Files
       - Scenario #1: copying a file to a floppy disk or hard disk
         - If you run out of space, the pointer to the file is removed, but the data that was copied to the sectors is left in place
       - Scenario #2: the computer crashes while copying a file
         - Again, the file contents copied to the unallocated sectors will exist, but the pointer to the data will not have been created

    6. Printing a File
       - When printing a file, it is spooled to the hard disk before it is printed
       - Spooling involves copying the file to a temporary location, printing it, then deleting it
       - After the temporary file is deleted, the data still exists on disk
       - Windows XP spool folder: C:\WINNT\System32\spool\PRINTERS
         - Click Start, and then click Printers and Faxes
         - On the File menu, click Server Properties
         - Click the Advanced tab

    7. Temporary Internet Files
       - Internet Explorer stores copies of webpages, images, and media for faster viewing later
       - Default Windows XP Temporary Internet Files folder: C:\Documents and Settings\fu\Local Settings\Temporary Internet Files
       - Tools -> General -> Browsing history -> Settings -> View files

    8. Formatting a Disk
       - When a disk is quick formatted, the file table on the disk is cleared, but the data on the disk is left in place
       - Again, similar to deleting all the files on a disk

    9. Hiding Folders (DOS/Windows 95)
       - Create files or directories with non-printable characters [1][2]
       - Example: at a DOS prompt, type the character Alt-255 using the numeric keypad. This inserts a "blank space" character, but it is not an actual space
       - If you show a directory listing, you can see that the file/directory exists, but you might not know exactly how many "non-printing" characters exist, or their location within the file name
       - You can still access the directory via Windows Explorer and similar graphical tools

    10. Attributes
       - In Windows, set the "hidden" attribute on a file or directory
       - Files can still be viewed if the "Show hidden files and folders" option is checked in Windows Explorer
       - Other tools may or may not display hidden files

    11. Hiding Folders (Unix)
       - In Unix, rename a file or directory so that its name starts with a "."
       - Example: mv important.doc .important.doc
       - Can still be viewed by listing all files: ls -a
       - A Linux system for you to play with: putty - mercury.cs.uml.edu, user ???; passwd ???

    12. Swap Space
       - Swap space (also called a page file) is used to increase the amount of memory available to the system
       - The total memory available (real RAM plus the swap space) is called virtual memory
       - Information is constantly being written to memory, and therefore to the hard disk
       - Information can then be extracted from this file

    13. Core Dumps
       - Core dumps are created on Unix systems when a process or program generates a fault
       - The core dump will contain all the data from CPU registers and memory at the time of the fault
       - Information can then be extracted from the core dump

    14. File slack potentially contains randomly selected bytes of data from computer memory. This happens because DOS/Windows normally writes in 512 byte blocks called sectors. Clusters are made up of blocks of sectors. If there is not enough data in the file to fill the last sector in a file, DOS/Windows makes up the difference by padding the remaining space with data from the memory buffers of the operating system. This randomly selected data from memory is called RAM slack because it comes from the memory of the computer. RAM slack can contain any information that may have been created, viewed, modified, downloaded or copied during work sessions that have occurred since the computer was last booted. Thus, if the computer has not been shut down for several days, the data stored in file slack can come from work sessions that occurred in the past.

    15. RAM slack pertains only to the last sector of a file. If additional sectors are needed to round out the block size for the last cluster assigned to the file, then a different type of slack is created. It is called drive slack, and it is stored in the remaining sectors which might be needed by the operating system to derive the size needed to create the last cluster assigned to the file. Unlike RAM slack, which comes from memory, drive slack is padded with what was stored on the storage device before. Such data could contain remnants of previously deleted files or data from the format pattern associated with disk storage space that has yet to be used by the computer. NTI devotes quite a bit of time to the topic of file slack in its popular 5-Day Computer Forensics Course.

    16. Slack Space
       - A cluster is the smallest logical allocation unit
       - A sector is the smallest physical allocation unit
       - When files are deleted, both the deleted data and the data in slack space still exist
       - When a file is wiped from the system (permanently removed), any data in the slack space still exists
         - Wipe tool: EZ Wipe
       - The data in the slack space will only be removed when it is overwritten, or when it is explicitly removed
         - A list of tools: Eraser, etc.
       It is important that you understand the significance of file slack in computer-related investigations. Because file slack potentially contains data dumped randomly from the computer's memory, it is possible to identify network logon names, passwords and other sensitive information associated with computer usage. File slack can also be analyzed to identify prior uses of the subject computer, and such legacy data can help the computer forensics investigator. File slack is not a trivial item. On large hard disk drives, file slack can involve several hundred megabytes of data. Fragments of prior e-mail messages and word processing documents can be found in file slack. From a computer forensic standpoint, file slack is very important as both a source of computer evidence and a security risk.
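The RAM slack / drive slack split described on slides 14 to 16, as an added example that is not part of the original deck: given a file's size and the raw bytes of its last cluster, it computes where the two slack regions lie and carves them out. Sector size (512 bytes), cluster size (4 sectors) and the cluster contents are constructed values.

```python
# Added example (not from the slides): locate and carve the RAM slack and
# drive slack of a file's last cluster from a raw cluster image.
# Assumes 512-byte sectors and a cluster of 4 sectors (constructed values).
SECTOR = 512

def slack_regions(file_size: int, cluster_size: int, sector: int = SECTOR):
    """Return ((ram_start, ram_end), (drive_start, drive_end)) as offsets
    inside the file's last cluster. An empty range means no slack of that kind."""
    if file_size % cluster_size == 0:
        return (0, 0), (0, 0)            # file ends exactly on a cluster boundary
    used = file_size % cluster_size      # bytes of real data in the last cluster
    ram_end = -(-used // sector) * sector  # round up to the next sector boundary
    # RAM slack: rest of the last sector written; drive slack: the untouched
    # remaining sectors of the cluster, still holding whatever was there before.
    return (used, ram_end), (ram_end, cluster_size)

def carve_slack(last_cluster: bytes, file_size: int, sector: int = SECTOR):
    """Return (ram_slack_bytes, drive_slack_bytes) carved from the last cluster."""
    cluster_size = len(last_cluster)
    (r0, r1), (d0, d1) = slack_regions(file_size, cluster_size, sector)
    return last_cluster[r0:r1], last_cluster[d0:d1]

def build_sample_cluster(file_size: int = 700, cluster_size: int = 4 * SECTOR) -> bytes:
    """Constructed cluster: the file's own bytes, then bytes that 'came from
    memory' (RAM slack), then bytes left by an earlier, deleted file (drive slack)."""
    (r0, r1), (d0, d1) = slack_regions(file_size, cluster_size)
    data = b"A" * file_size
    ram = (b"<stale memory buffer> " * 40)[: r1 - r0]
    drive = (b"remnant of a previously deleted report " * 40)[: d1 - d0]
    return data + ram + drive

if __name__ == "__main__":
    ram, drive = carve_slack(build_sample_cluster(), 700)
    print(len(ram), "bytes of RAM slack;", len(drive), "bytes of drive slack")
```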

    17. FTK Imager to Check Deleted Files
       - File -> Add Evidence Item -> Physical Drive
       - In-class exercise
         - Create a file
         - Delete the file and empty the Recycler
         - Use FTK Imager to load the drive and check the

    18. Outline
       - More on recovering secret data
       - FAT file system
         - Write
         - Delete
         - Reformat
       - Windows registry
       - NTFS file system

    19. The File Allocation Table (FAT) is a list of entries that map to each cluster on the partition. Each entry records one of five things: the address of the next cluster in a chain; a special end of file (EOF) marker that indicates the end of a chain; a special value to mark a bad cluster; a special value to mark a reserved cluster; or a zero to note that the cluster is unused. A directory table is a special type of file that represents a directory (nowadays commonly known as a folder). Each file or directory stored within it is represented by a 32 byte entry in the table. Each entry records the name, extension, attributes (archive, directory, hidden, read-only, system and volume), the date and time of creation, the address of the first cluster of the file/directory's data and finally the size of the file/directory. Aside from the Root Directory Table in FAT12 and FAT16 file systems, which occupies the special Root Directory Region location, all Directory Tables are stored in the Data Region.

    20. File Allocation Table (FAT)
       - A list of entries that map to each cluster on the partition
       - Each entry records one of five things:
         - the address of the next cluster in a chain
         - a special end of file (EOF) marker that indicates the end of a chain
         - a special value to mark a bad cluster
         - a special value to mark a reserved cluster
         - a zero to note that the cluster is unused

    21. Directory Table
       - A special type of file that represents a directory (nowadays commonly known as a folder)
       - Each file or directory stored within it is represented by a 32 byte entry in the table
       - Each entry records the name, extension, attributes (archive, directory, hidden, read-only, system and volume), the date and time of creation, the address of the first cluster of the file/directory's data and finally the size of the file/directory
       - Aside from the Root Directory Table in FAT12 and FAT16 file systems, which occupies the special Root Directory Region location, all Directory Tables are stored in the Data Region
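The FAT entries of slide 20 and the 32-byte directory entries of slide 21, as an added example that is not part of the original deck: it decodes directory entries, classifies FAT16 values into the five meanings the slide lists, walks a cluster chain, and shows why a deleted file (first name byte E5h, chain entries zeroed) can still be recovered by reading contiguous clusters from its first cluster. The sample FAT and directory table are constructed, and the byte offsets inside the entry are the standard FAT layout, not something the slide spells out.

```python
# Added example (not from the slides): parse 32-byte FAT directory entries
# and walk FAT16 cluster chains, including the deleted-entry case in which
# the directory entry's first byte is E5h and the chain entries have been
# zeroed while the data clusters still hold the file's contents.
import struct

FREE, NEXT, RESERVED, BAD, EOF = "free", "next", "reserved", "bad", "eof"

def classify_fat16(value: int) -> str:
    """Map a FAT16 entry to one of the five meanings listed on the slide."""
    if value == 0x0000:
        return FREE
    if value == 0x0001 or 0xFFF0 <= value <= 0xFFF6:
        return RESERVED
    if value == 0xFFF7:
        return BAD
    if value >= 0xFFF8:
        return EOF
    return NEXT

def parse_dir_entry(raw: bytes) -> dict:
    """Decode one 32-byte entry: 8.3 name, attributes, first cluster, size."""
    assert len(raw) == 32
    (name, ext, attr, _ntres, _ctenth, _ctime, _cdate, _adate,
     clus_hi, _wtime, _wdate, clus_lo, size) = struct.unpack("<8s3sBBBHHHHHHHI", raw)
    deleted = raw[0] == 0xE5                     # deletion only overwrites byte 0
    base = (b"?" + name[1:] if deleted else name).decode("ascii", "replace").rstrip()
    fname = base + ("." + ext.decode("ascii", "replace").rstrip() if ext.strip() else "")
    return {"name": fname, "attr": attr, "deleted": deleted,
            "first_cluster": (clus_hi << 16) | clus_lo, "size": size}

def follow_chain(fat: list, start: int, limit: int = 1 << 16) -> list:
    """Follow a chain through the FAT until EOF; stop on bad, reserved or free
    entries, which indicate corruption or a chain that has been freed."""
    chain, cur = [], start
    while len(chain) < limit:
        kind = classify_fat16(fat[cur])
        if kind == FREE:                         # freed entry: a deleted file's chain
            chain.append(cur)
            break
        if kind in (BAD, RESERVED):
            break
        chain.append(cur)
        if kind == EOF:
            break
        cur = fat[cur]
    return chain

def recover_contiguous(entry: dict, cluster_size: int) -> list:
    """Best-effort recovery for a deleted entry: assume the file occupied
    consecutive clusters from its first cluster, size rounded up to clusters."""
    n = max(1, -(-entry["size"] // cluster_size))
    return list(range(entry["first_cluster"], entry["first_cluster"] + n))

def make_entry(name: bytes, ext: bytes, first: int, size: int, deleted=False) -> bytes:
    """Constructed directory entry (attribute 0x20 = archive, timestamps zero)."""
    raw = struct.pack("<8s3sBBBHHHHHHHI", name.ljust(8), ext.ljust(3),
                      0x20, 0, 0, 0, 0, 0, first >> 16, 0, 0, first & 0xFFFF, size)
    return (b"\xE5" + raw[1:]) if deleted else raw

# Constructed FAT16: cluster 2 -> 3 -> 4 (EOF) for the live file; the deleted
# file lived in clusters 7 and 8, whose entries were zeroed on deletion; 6 is bad.
SAMPLE_FAT = [0xFFF8, 0xFFFF, 0x0003, 0x0004, 0xFFFF, 0x0000,
              0xFFF7, 0x0000, 0x0000, 0x0000]
SAMPLE_DIR = (make_entry(b"LETTER", b"DOC", 2, 5000)
              + make_entry(b"FUZZY", b"JPG", 7, 3000, deleted=True))

def directory_entries(table: bytes) -> list:
    return [parse_dir_entry(table[i:i + 32]) for i in range(0, len(table), 32)]

if __name__ == "__main__":
    for e in directory_entries(SAMPLE_DIR):
        print(e["name"], "deleted" if e["deleted"] else "live",
              follow_chain(SAMPLE_FAT, e["first_cluster"]))
```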


    34. Outline
       - More on recovering secret data
       - FAT file system
       - Windows registry
       - NTFS file system

    35. Windows Registry
       - What is it: a central hierarchical database that stores the information necessary to configure the system for one or more users, applications and hardware devices
       - Replaces AUTOEXEC.BAT, CONFIG.SYS and INI files
       - First introduced in Windows 3.1 for storing OLE settings (pre 1995)
       - View the Windows Registry: regedit or IceSword
       OLE: Object Linking and Embedding

    36. Windows Registry
       - There are five root keys
         - HKEY_CLASSES_ROOT (HKCR)
         - HKEY_CURRENT_USER (HKCU)
         - HKEY_LOCAL_MACHINE (HKLM)
         - HKEY_USERS (HKU)
         - HKEY_CURRENT_CONFIG (HKCC)

    37. Two are "Master" keys
       - HKEY_LOCAL_MACHINE (HKLM): configuration data describing the hardware and software installed on the computer
       - HKEY_USERS (HKU): configuration data for each user that logs into the computer

    38. Three are derived from "Master" keys
       Architecture
       - HKEY_CLASSES_ROOT: file associations and OLE
       - HKEY_CURRENT_USER: currently logged on user
       - HKEY_CURRENT_CONFIG: current hardware profile
       OLE: Abbreviation of Object Linking and Embedding, pronounced as separate letters or as oh-leh. OLE is a compound document standard developed by Microsoft Corporation. It enables you to create objects with one application and then link or embed them in a second application. Embedded objects retain their original format and links to the application that created them.

    39. HKEY_CLASSES_ROOT
       - File associations and OLE
       - From HKLM\Software\Classes

    40. HKEY_CURRENT_USER
       - Currently logged on user
       - From HKU\SID (security identifier) of the current user
       - User vs SID: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
       Because Windows NT/2000/XP networks use each computer's SID (Security Identifier) and computer name to uniquely identify the computer on the network, you must change the SID and computer name on each destination (client) computer after cloning. Computers that run the Windows XP operating system use a security ID (SID) as a unique identifier. If you use disk-duplication software, you must ensure the uniqueness of these security IDs. When Windows XP is installed, a machine SID is configured to contain a statistically unique 96-bit number. The machine SID prefixes the SIDs of user accounts and group accounts that are created on the computer. The machine SID is concatenated with the relative ID (RID) of the account to create the account's unique identifier.

    41. HKEY_CURRENT_CONFIG
       - Current hardware profile
       - From HKLM\System\CurrentControlSet\Hardware Profiles\Current

    42. Windows Registry
       - Wealth of investigative information
         - Registered Owner
         - Registered Organization
         - Shutdown Time
         - Recent DOCs
         - Most Recently Used (MRU) List
         - Typed URLs
         - Previous Devices Mounted
         - Software Installed

    43. Registry Tools
       - Registry Reader: AccessData
       - EnCase
       - Windows Regedit, Regedt32
       - Freeware tools
       - Never work on the original: make a copy

    44. Registry Locations
       - See system files: File Explorer -> Tools -> Folder Options -> View
       - Windows NT, 2000, XP, and Server 2003
         The following Registry files are stored in %SystemRoot%\System32\Config\:
         - Sam - HKEY_LOCAL_MACHINE\SAM
         - Security - HKEY_LOCAL_MACHINE\SECURITY
         - Software - HKEY_LOCAL_MACHINE\SOFTWARE
         - System - HKEY_LOCAL_MACHINE\SYSTEM
         - Default - HKEY_USERS\.DEFAULT
         The following files are stored in each user's profile folder:
         - %UserProfile%\Ntuser.dat - HKEY_USERS\<User SID>
         - %UserProfile%\Local Settings\Application Data\Microsoft\Windows\Usrclass.dat (path is localized) - HKEY_USERS\<User SID>_Classes
       - Windows 95, 98, and Me
         The registry files are named User.dat and System.dat and are stored in the C:\WINDOWS\ directory. In Windows Me, Classes.dat was added.
       - Windows 3.11
         The registry file is called Reg.dat and is stored in the C:\WINDOWS\ directory.

    45. Outline
       - More on recovering secret data
       - FAT file system
       - Windows registry
       - NTFS file system

    46. NTFS
       - Each system component is a file - even system information
       - The most important file on NTFS is named MFT (Master File Table) - the common table of files
         - Centralized directory of all remaining disk files and of itself
         - Divided into records of fixed size (usually 1 KByte)
         - Each record corresponds to some file
       - The first 16 files are housekeeping files with a fixed position, and they are inaccessible to the operating system; they are named metafiles, and the very first metafile is the MFT itself
       - A second copy of the first 3 records is stored, for reliability, exactly in the middle of the disk
       - The remaining MFT file can be stored, like any other file, at any place on the disk

    47. NTFS
       The NTFS file system is a notable achievement in structuring: each system component is a file, even system information. The most important file on NTFS is named MFT, or Master File Table: the common table of files. It is situated in the MFT area and is the centralized directory of all remaining disk files and of itself. The MFT is divided into records of fixed size (usually 1 KByte), and each record corresponds to some file. The first 16 files are housekeeping files and they are inaccessible to the operating system. They are named metafiles, and the very first metafile is the MFT itself. These first 16 MFT elements are the only part of the disk having a fixed position. It is interesting that a second copy of the first 3 records is stored, for reliability (they are very important), exactly in the middle of the disk. The remaining MFT file can be stored, like any other file, at any place on the disk. It is possible to re-establish its position with its own help, using the first MFT element as the basis.

    48. BIOS Parameter Block (BPB)
       The BIOS parameter block (BPB) is a description of the physical medium (hard disk or floppy) that might be stored in a partition's Volume Boot Record.


    50. Storing Files in NTFS
       - The $LogFile metadata file is updated

    51. Deleted File
       - Parent directory
         - Index entry removed
         - $BITMAP attribute updated*
       - MFT file record marked available
         - MFT $BITMAP attribute updated
       - $Bitmap metadata file updated if the file has non-resident clusters
         - Resident: the file's data can be stored within its MFT record
         - Non-resident: the file's data cannot be stored within its MFT record
       *If $BITMAP is being utilized due to a large directory
       MFT record - data still there until overwritten

    52. Deleted File (Cont.)

    53. Deleted File (Cont.)
       - Offset 0x16 changed to 0x00

    54. $MFT Attribute Updated
       The $Bitmap attribute follows suit with the MFT entries. A one represents a used entry. In the example above, the first 16 entries are in use. The next 8 are not in use, and so on. Notice the 5th byte. The bits within each byte are read from right to left; therefore, the 33rd MFT entry is in use.
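The two record-level signs of deletion on slides 53 and 54, as an added example that is not part of the original deck: reading the MFT $Bitmap attribute bit by bit (bit 0 of byte 0 is entry 0, lowest bit first within each byte) and reading the flags word at offset 0x16 of an MFT record. The bitmap bytes and the 1 KB record are constructed; the record carries only the "FILE" signature and the flags word.

```python
# Added example (not from the slides): read the MFT $Bitmap attribute the way
# the slide describes (bit 0 of byte 0 is entry 0; bits are read right to left
# within a byte) and check the in-use flag at offset 0x16 of an MFT record.
# The record below is constructed; only the fields this example uses are filled in.
import struct

MFT_FLAG_IN_USE = 0x0001       # bit 0 of the 16-bit flags word at offset 0x16
MFT_FLAG_DIRECTORY = 0x0002

def entry_in_use(bitmap: bytes, n: int) -> bool:
    """True when MFT entry n is allocated according to the $Bitmap attribute."""
    return bool(bitmap[n // 8] >> (n % 8) & 1)

def allocated_entries(bitmap: bytes) -> list:
    return [n for n in range(len(bitmap) * 8) if entry_in_use(bitmap, n)]

def first_free_entry(bitmap: bytes):
    """The entry NTFS could hand to the next new file, i.e. the deleted record
    whose contents are at risk of being overwritten first."""
    for n in range(len(bitmap) * 8):
        if not entry_in_use(bitmap, n):
            return n
    return None

def mark_entry(bitmap: bytes, n: int, in_use: bool) -> bytes:
    """Return a copy of the bitmap with entry n set (allocation) or cleared (deletion)."""
    b = bytearray(bitmap)
    if in_use:
        b[n // 8] |= 1 << (n % 8)
    else:
        b[n // 8] &= ~(1 << (n % 8)) & 0xFF
    return bytes(b)

def record_flags(record: bytes) -> int:
    """Flags word at offset 0x16; deletion clears it to 0x0000 (slide 53)."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    return struct.unpack_from("<H", record, 0x16)[0]

def record_in_use(record: bytes) -> bool:
    return bool(record_flags(record) & MFT_FLAG_IN_USE)

def make_record(flags: int) -> bytes:
    """Constructed 1 KB record: 'FILE' signature, flags at 0x16, zeros elsewhere."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x16, flags)
    return bytes(rec)

# Constructed bitmap matching the slide's reading: entries 0-15 in use, 16-31 free,
# and bit 0 of the 5th byte set, so the 33rd entry (index 32) is in use.
SAMPLE_BITMAP = bytes([0xFF, 0xFF, 0x00, 0x00, 0x01])

if __name__ == "__main__":
    print("allocated:", allocated_entries(SAMPLE_BITMAP))
    print("first free entry:", first_free_entry(SAMPLE_BITMAP))
    print("record in use:", record_in_use(make_record(MFT_FLAG_IN_USE)))
```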

    55. File Deleted
       - The volume $Bitmap is updated to reflect that the clusters are available
       ***Note: the MFT $Bitmap attribute is also updated to reflect that the MFT record entry is available.

    56. Recovering Deleted Files
       - Software tools
         - FTK Toolkits
         - GetDataBack (Runtime)
         - R-Studio
         - CIA Unerase
         - Etc.
       List tested tools here with web site info

    57. Deleted vs "Recycled"
       - Deleted or "Recycled"
         - Sent to the Recycle Bin
         - Deleted from the Recycle Bin
         - Deleted bypassing the Recycle Bin - Shift+Del

    58. Win2K/XP Recycle Bin
       - "Recycler" folder for NTFS
       - Configure Explorer to show hidden and system files
       - SID-named subdirectory contains:
         - INFO2
         - Desktop.ini
         - Placeholder(s)
       - Use FTK Imager to load the Recycler folder for viewing
       Drop the NT4 references (INFO), just put that info into notes....
       INFO for NT4: the NT Recycle Bin is very similar to the Win9x/Me Recycle Bin. When an object is sent to the Recycle Bin, the MFT record for the deleted object is simply changed. The $Filename attribute is changed to:
       - Change the filename to the placeholder name that appears in the Recycle Bin (placeholder format: D + drive letter + #)
       - Change the record number of the parent directory from the old parent directory to the SID-named directory in the Recycler directory
       In the original parent directory for that object, the index entry is removed (the data in that index entry may or may not actually get overwritten, depending on a number of factors). Placeholder numbering starts at 0 for NT4 (INFO), and at 1 for W2K (INFO2). For every recycled object, an 800 byte entry is made in the INFO / INFO2 file.
       Restore / Delete from Bin / Empty Bin operation varies slightly between the INFO and INFO2 file. In NT4 (INFO), the index entry for the deleted file or directory is marked available in the parent directory's MFT record when it is sent to the Bin.
       - Object restored: the placeholder is renamed back to its original name and pointed at its original parent directory. Index entry created in the parent directory. Index entry in the SID-named directory removed. INFO entry is removed, INFO resized.
       - Object deleted: placeholder MFT record marked deleted. INFO entry removed, INFO resized. $Bitmap metafile updated to reflect any non-resident clusters available.
       - Recycle Bin emptied: INFO and placeholders deleted, Desktop.ini re-written.
       INFO2: same as above except:
       - Object deleted from Bin: same as INFO except INFO2 not resized.
       - Object restored: same as INFO except INFO2 not resized.
       - Recycle Bin emptied: same as INFO except INFO2 is RE-WRITTEN to 20 bytes instead of deleted. Because it is re-written, RAM slack will overwrite some of the data.
       The 800 byte entries in INFO and INFO2 are all non-resident.

    59. NTFS Recycle Bin
       - Called "Recycled" in a FAT32 partition
       - No SID folders in a FAT32 partition

    60. Placeholder(s)
       - Entry for each deleted item:
         - Hidden from view in the GUI environment
         - Date & time unchanged from the original file
         - If a subdirectory is deleted, only one placeholder is made*

    61. Placeholder(s)
       - D<original drive letter><#>.<original extension>
         - DC1.TXT
         - DC2.JPG
         - DC3.BMP
       - Numbering begins at boot up, based on the highest number currently in the INFO2 file
       - The numbering system resets to one when the Recycle Bin is emptied and after reboot
       For every deleted file, a "placeholder" is created in the Recycled folder. Each placeholder actually IS the "deleted" file, hidden and renamed. The naming convention keeps the original extension (if present); the first character of the filename becomes "D", the second character becomes the letter of the drive that the file was deleted from, followed by a sequential number (beginning with '1'). For example, the first file deleted from the C: drive (TEST1.TXT) would become DC1.TXT. Subsequent deleted files from the C: drive would become DC2, DC3, etc., with the same extension as the original file prior to deletion.

    62. INFO2 File
       - An 800 byte entry is made for each recycled object
         - Recycled date
         - Original path and filename
         - Placeholder drive letter and #
       The Recycler folder is rewritten to 20 bytes when the Recycle Bin is emptied. The first 20 bytes are the header of the INFO2 file. Each entry is 800 bytes in length.
       INFO2 file header:
         Bytes      Length     Description
         00 - 19    20 bytes   INFO2 file header
       Structure of INFO2 entries:
         Bytes      Length     Description
         00 - 258   variable   Char path and file name
         259        1 byte     Unknown - testing has not produced any values other than 00h
         260 - 263  4 bytes    Long: index number
         264 - 267  4 bytes    Long: drive letter (numeric, starting with A = 0, B = 1, etc.)
         268 - 275  8 bytes    Date/time: date of deletion, in GMT
         276 - 279  4 bytes    Unknown
         280 - 797  518 bytes  Unicode char path and file name
         798 - 799  2 bytes    Unknown - testing has not produced any values other than 00h
       NOTE: When an INFO (Windows NT) file is used, only FILES are sent to the Bin. If a subdirectory is deleted, an entry is made for each file that was in the subdirectory, containing the full path information necessary to rebuild it. The subdirectory itself is not protected in this case. When an INFO2 file is used and a subdirectory is deleted, only a single entry is made for the subdirectory.

    63. 63 INFO2 File (Cont.)

    64. 64 Recycled date and time issue
    Windows saves time stamps in FILETIME format: the number of ticks, in 100 ns increments, since 00:00 on 1 Jan 1601 (UTC).
    Recycle Bin tools (X-Ways Trace, IEHistory, Datalifter) will convert the time for you.
    The date/time the bin was last emptied could be relevant to an investigation, so you need to ensure the tool you're using is reporting an accurate date.
    For example: the suspect's computer is set to Pacific Standard Time (GMT-8). The system clock reads 1300. The INFO2 file converts that time to GMT, so the time is stored in hex as 2100. Your forensic machine is set to Eastern Standard Time (GMT-5). You extract the INFO2 file and process it with IEHistory, which converts the GMT time to EST. The result is 1800, three hours different from the actual time the file was recycled.
    Therefore, ensure your forensic machine is set to the same time zone as the suspect's machine. This information is located in the suspect's registry at HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation.
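    As an added example (not code from the slides or from any of the tools they name), the following Python builds a constructed INFO2 file laid out per the offsets on slide 62, parses it back, converts the FILETIME deletion stamp from slide 64 to UTC, and renders it in the suspect's time zone using the Bias value that lives under the TimeZoneInformation registry key. Function names such as parse_info2, the sample paths, and the Bias value of 480 minutes (Pacific Standard) are assumptions; the slides give no registry contents or real INFO2 bytes.

```python
import struct
from datetime import datetime, timedelta, timezone

INFO2_HEADER_LEN = 20   # first 20 bytes of INFO2 are the header (slide 62)
INFO2_RECORD_LEN = 800  # one 800-byte entry per recycled object (slide 62)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # slide 64


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample records."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def drive_letter(drive_number):
    """INFO2 stores the drive numerically: A = 0, B = 1, C = 2, ..."""
    return chr(ord("A") + drive_number)


def placeholder_name(drive_number, index, original_path):
    """Recycle Bin placeholder: 'D' + drive letter + index (slide 66).
    Keeping the original extension is Windows behaviour, not stated on the slide."""
    name = original_path.rsplit("\\", 1)[-1]
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    return f"D{drive_letter(drive_number).lower()}{index}{ext}"


def parse_info2_record(rec):
    """Decode one 800-byte INFO2 entry using the offsets from slide 62."""
    if len(rec) != INFO2_RECORD_LEN:
        raise ValueError(f"INFO2 record must be {INFO2_RECORD_LEN} bytes, got {len(rec)}")
    ansi_path = rec[0:259].split(b"\x00", 1)[0].decode("latin-1")       # bytes 00-258
    index, drive_number = struct.unpack_from("<II", rec, 260)             # bytes 260-267
    (filetime,) = struct.unpack_from("<Q", rec, 268)                      # bytes 268-275
    unicode_path = rec[280:798].decode("utf-16-le").split("\x00", 1)[0]  # bytes 280-797
    return {
        "ansi_path": ansi_path,
        "unicode_path": unicode_path,
        "index": index,
        "drive": drive_letter(drive_number) + ":",
        "deleted_utc": filetime_to_datetime(filetime),
        "placeholder": placeholder_name(drive_number, index, unicode_path or ansi_path),
        "unknown_276_279": rec[276:280].hex(),
    }


def parse_info2(data):
    """Skip the 20-byte header, then decode every full 800-byte record.
    After the bin is emptied only the header remains, so this returns []."""
    records = []
    for off in range(INFO2_HEADER_LEN, len(data) - INFO2_RECORD_LEN + 1, INFO2_RECORD_LEN):
        records.append(parse_info2_record(data[off:off + INFO2_RECORD_LEN]))
    return records


def in_suspect_timezone(dt_utc, registry_bias_minutes):
    """Render a UTC stamp in the suspect's zone. TimeZoneInformation\\Bias is the
    number of minutes to ADD to local time to reach UTC (480 for Pacific Standard),
    so local = UTC - Bias. Use ActiveTimeBias when daylight time was in effect."""
    return dt_utc.astimezone(timezone(timedelta(minutes=-registry_bias_minutes)))


def build_info2_record(path, index, drive_number, deleted_utc):
    """Constructed sample record (not produced by Windows); path must fit 259 chars."""
    rec = bytearray(INFO2_RECORD_LEN)
    ansi = path.encode("latin-1")
    rec[0:len(ansi)] = ansi
    struct.pack_into("<II", rec, 260, index, drive_number)
    struct.pack_into("<Q", rec, 268, datetime_to_filetime(deleted_utc))
    uni = path.encode("utf-16-le")
    rec[280:280 + len(uni)] = uni
    return bytes(rec)


# Constructed sample INFO2: zeroed 20-byte header followed by two records,
# deleted at 21:00 UTC, i.e. 13:00 on a machine set to Pacific Standard Time.
SAMPLE_INFO2 = (
    bytes(INFO2_HEADER_LEN)
    + build_info2_record(r"C:\Documents and Settings\suspect\My Documents\extortion_letter.doc",
                         1, 2, datetime(2008, 3, 15, 21, 0, tzinfo=timezone.utc))
    + build_info2_record(r"D:\photos\fuzzy_bunny.jpg",
                         2, 3, datetime(2008, 3, 15, 21, 5, 30, tzinfo=timezone.utc))
)

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        local = in_suspect_timezone(r["deleted_utc"], 480)  # constructed Bias
        print(f'{r["placeholder"]:8} {r["drive"]} {r["unicode_path"]}')
        print(f'    deleted {r["deleted_utc"]:%Y-%m-%d %H:%M:%S} UTC = {local:%H:%M} suspect local')
    print("after emptying:", parse_info2(bytes(INFO2_HEADER_LEN)))
```

    The point of in_suspect_timezone is the one slide 64 makes: the stamp on disk is GMT, so the wall-clock value you report depends entirely on which Bias you apply, and the only defensible choice is the one read from the suspect's TimeZoneInformation key rather than the examiner workstation's own setting.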

    65. 65 Desktop.ini
    A folder configuration file, created when the Recycle Bin is created.
    Only modified if the Recycle Bin is EMPTIED; all of its date/time information is updated when the bin is emptied.

    66. 66 Recovering From Recycle Bin
    When an object is sent to the Recycle Bin, the MFT record for the deleted object is simply changed. The $Filename attribute is changed in two ways: the filename is changed to the placeholder name that appears in the Recycle Bin (placeholder format: D + drive letter + #), and the record number of the parent directory is changed from the old parent directory to the SID-named directory inside the Recycler directory.
    To recover: copy the placeholders to a separate drive; copy the INFO2 file and use a utility to parse out the date/time data, such as X-Ways Trace (http://www.x-ways.net/trace/index-m.html), Datalifter, or IE History.

    67. 67 Summary
    Deleting and formatting on a hard drive does not touch the data area.
    Evidence can often be found in deleted files and in the Recycle Bin.
    System clocks and default time zone settings are very important.

    68. 68 Review
    What happens to deleted FAT files? What about formatting?
    What happens to deleted NTFS files?
    Recovering deleted files.

    69. 69 References
    Nathan Heald, DEBUG, http://dos.rsvs.net/DOSPAGE/DEBUG.HTM, 2008.
    IronGeek, ALT+NUMPAD ASCII Key Combos: The a and O of Creating Obscure Passwords, 2007.
    Microsoft, Description of the Microsoft Windows registry, http://support.microsoft.com/kb/256986/EN-US/, August 12, 2005.
    Dmitrey Mikhailov, NTFS file system, http://www.digit-life.com/articles/ntfs/, 2004.
    NTFS - New Technology File System designed for Windows NT, 2000, XP, http://www.ntfs.com/, 2005.
    Brian Mork, Destroying Data on Magnetic Disks - Linux or Windows, 2005.
    Microsoft, How the Recycle Bin Stores Files, http://support.microsoft.com/kb/136517/en-us, December 16, 2004.
    The Mysterious Recycle Bin, http://www.infocellar.com/winxp/Recycle-Bin.htm, 2006.
    Anders Svensson, Computer Forensics Applied to Windows NTFS Systems, http://www.dsv.su.se/research/seclab/pages/pdf-files/2005-x-268.pdf, April 2005.
    Keith J. Jones, Forensic Analysis of Microsoft Windows Recycle Bin Records, http://www.e-fense.com/helix/Docs/Recycler_Bin_Record_Reconstruction.pdf, May 6, 2003.
