
strange recycle bin phenomena

22 Posts
9 Users
0 Likes
2,437 Views
(@lasvegascop)
Posts: 98
Trusted Member
Topic starter
 

I have a situation where the head of the household (dad) was arrested for possession of child porn due to P2P downloads.
Dad lives in a house with several other adults including his adult child and a child under 18.
Everyone in the house uses the same computer.
Dad is adamant that he did not download, view or possess in any way any CP.

Dad did state that he is constantly monitoring his kids' usage and checking the computer after his children use it and always checks the recycle bin for deleted files and always empties it, but has never noticed any CP.

Dad appears not to be very computer savvy.

The computer was seized by LE and an image (E01s) was created with FTK.
The investigating detective discovered CP in the recycle bin with many other files as well as the shared folder of the P2P program.

I looked at the images and I verified that the recycler did appear to contain many CP files.

It appeared to me that the recycle bin had not been emptied in a long time and it contained gigs of files including CP.

The client (Dad) then advised me that he knows that he had emptied the recycle bin prior to the day of seizure.

We then went back to ICAC and mounted and booted the E01s to view the image as a running computer as the computer operator would have seen it.

The recycle bin shows empty in the virtual mounted images just as the client stated it should be.

What could cause the FTK report to show files in the recycler when the booted image shows an empty recycle bin?

I will need to go back to ICAC and view the images again soon hopefully with some ideas from the group.

Since these images contain CP I have to go to the ICAC off site office to do any viewing of the computer and I am limited as to what I can take from there.

This is a Vista OS.

FYI, my goal here is not to get any viewer, possessor, or downloader of CP set free, it is to make sure the right person pays for the crime and an innocent man does not go to prison.

Larry

 
Posted : 02/03/2015 9:20 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Larry,

Which version of Windows are you analyzing?

How many user accounts are on the system?

Do all users access a single account? If the answer is "yes", then do the files appear in FTK with a red X?

 
Posted : 02/03/2015 9:47 pm
(@bert_uk)
Posts: 11
Active Member
 

Which SID are the files in the Recycle Bin stored under? e.g. you and the father may be logging in with the "User 1" account. The Recycle Bin associated with this SID is empty. However, has someone logged in using "User 2" or the "Administrator" account and dumped things in the Recycle Bin and never emptied them?

It might be an old historic user account & SID that is no longer available but artefacts have been left behind.

Are the files actually live or are they showing as deleted in the forensic software?

 
Posted : 02/03/2015 9:55 pm
(@lasvegascop)
Posts: 98
Trusted Member
Topic starter
 

Thanks,

It's a Vista computer.
Only one user account.
All users use this one account.
When I go back to ICAC later this week, I will double check to see if they are actually deleted with the red X.
They are in the recycle bin directory path but when viewing through Windows the recycle bin shows empty (/$Recycle.bin…SID)
I have it in my notes to obtain and compare SIDs. The user SID is 1001.

Larry

 
Posted : 02/03/2015 11:30 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Just an idea, but maybe you could try seeing what Rifiuti2 "sees"
http://code.google.com/p/rifiuti2/
see also
http://www.forensicfocus.com/Forums/viewtopic/t=6178/

jaclaz

 
Posted : 02/03/2015 11:50 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

It's a Vista computer.
Only one user account.
All users use this one account.

Good info, thanks.

When I go back to ICAC later this week, I will double check to see if they are actually deleted with the red X.
They are in the recycle bin directory path but when viewing through Windows the recycle bin shows empty (/$Recycle.bin…SID)

Check for the red X, and also check the properties, to see if the files are marked "hidden".

I have it in my notes to obtain and compare SIDs. The user SID is 1001

I'm not clear on why you have to do that if there is only one account on the system…

 
Posted : 02/03/2015 11:51 pm
(@lasvegascop)
Posts: 98
Trusted Member
Topic starter
 

Just an idea, but maybe you could try seeing what Rifiuti2 "sees"
http://code.google.com/p/rifiuti2/

jaclaz

Windows Vista and later no longer uses the INFO2 file.
Instead it uses the /$Recycle.bin folder.

 
Posted : 03/03/2015 12:22 am
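As an added example (not from this thread or any tool mentioned in it), here is a small Python parser for the per-SID $I metadata records that Vista's $Recycle.Bin folder uses instead of INFO2, listing what sits under each SID sub-folder; the sample tree, SIDs and file entries are constructed, and the parser also accepts the later version-2 layout used by Windows 10.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    """UTC datetime -> Windows FILETIME (100 ns ticks since 1601-01-01), exact integer math."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def build_i_record(size, deleted_at, original_path):
    """Constructed Vista/7-style $I record: version 1, then a fixed 260-wchar (520 byte) path field."""
    path_field = original_path.encode("utf-16-le").ljust(520, b"\x00")
    return struct.pack("<QQQ", 1, size, to_filetime(deleted_at)) + path_field

def parse_i_record(data):
    """Parse one $I record; returns (original_path, size, deleted_at_utc)."""
    if len(data) < 24:
        raise ValueError("$I record too short")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                      # Vista / 7 / 8: fixed-length path field
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:                    # Windows 10+: 4-byte char count, then variable path
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + 2 * nchars].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return path, size, from_filetime(ft)

def list_recycle_bin(tree):
    """tree maps '$Recycle.Bin/<SID>/$I...' -> bytes; returns {SID: [(path, size, deleted_at), ...]}."""
    per_sid = {}
    for name, data in tree.items():
        parts = name.split("/")
        if len(parts) != 3 or not parts[2].startswith("$I"):
            continue                      # skip $R payload files and anything not under a SID folder
        per_sid.setdefault(parts[1], []).append(parse_i_record(data))
    return per_sid

# Constructed sample: one entry under the interactive account's SID (RID 1001), one under the
# built-in Administrator SID (RID 500). Only the RID-1001 entry would show in that user's Recycle Bin.
SID_USER = "S-1-5-21-1111-2222-3333-1001"     # made-up SID
SID_ADMIN = "S-1-5-21-1111-2222-3333-500"     # made-up SID
SAMPLE_TREE = {
    f"$Recycle.Bin/{SID_USER}/$IABC123.txt": build_i_record(
        1024, datetime(2015, 3, 1, 12, 0, tzinfo=timezone.utc), r"C:\Users\Dad\Desktop\notes.txt"),
    f"$Recycle.Bin/{SID_ADMIN}/$IXYZ789.avi": build_i_record(
        734003200, datetime(2015, 2, 10, 22, 30, tzinfo=timezone.utc), r"C:\Users\Dad\Downloads\movie.avi"),
}
```

On a real image, feed each `$I*` file's bytes from `\$Recycle.Bin\<SID>\` into `parse_i_record`; a SID folder other than the logged-in user's is exactly the case where the desktop Recycle Bin looks empty while the folder is not.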
(@lasvegascop)
Posts: 98
Trusted Member
Topic starter
 

I have it in my notes to obtain and compare SIDs. The user SID is 1001

I'm not clear on why you have to do that if there is only one account on the system…

Even though it's a single user, there is still the Admin account. Besides, that will be easy to see and compare. Just one less question in my head.. lol

 
Posted : 03/03/2015 12:25 am
(@lasvegascop)
Posts: 98
Trusted Member
Topic starter
 

Jaclaz, thanks for the link to www.forensicfocus.com/...ic/t=6178/
I will check it out later.

 
Posted : 03/03/2015 12:27 am
(@lasvegascop)
Posts: 98
Trusted Member
Topic starter
 

Possibility…

Since Vista uses the /$Recycle.bin folder I am pretty certain that it is an "invisible" folder.
Therefore it may not be visible to the user when they look into the recycle bin from the desktop.

Forensic software like FTK would be able to see it though.

I will have to find me a Vista computer and research and test this..

Larry

 
Posted : 03/03/2015 12:31 am