±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 1 Overall: 36750
New Yesterday: 4 Visitors: 204

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

SyncToy v2.1

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts

Senior Member

SyncToy v2.1

Post Posted: Oct 16, 14 00:51

Hi all,

Does anyone have a solution to parse SyncToy (Microsofts free syncing tool) .DAT files? A sync process was carried out by the owner of a laptop and shortly afterwards some of the source data was wiped. The other medium in the sync is not available.

However, there are two 30MB DAT files present in the SyncToy folder that under a quick examination appear to contain lots of full path listings of files amongst other hex data. It would be good to parse these to adjudge what was potentially copied.

Many thanks


Senior Member

Re: SyncToy v2.1

Post Posted: Oct 19, 14 21:07

Since my posting I've had success parsing these files (albeit only manually) and each file synched comes with it's creation time (source disk), last modification (source disk), file size and filename (plus some other data that I've not worked out yet). I'm working on an EnScript to parse these but if any one wants more information whilst searching this thread in the future please PM me.



Re: SyncToy v2.1

Post Posted: Aug 25, 16 16:25

I am facing the same situation as you were, i have all the large .dat files that SyncToy stores and they are teasing me with the small amount of human readable content which clearly shows a listing of the directories and files that were transferred.

I've done some work using the Sysinternals "strings" tool and NotePad++ which has yielded some more human readable content but i'm still not able to retrieve the really useful information like creation time, file size, etc.

If you have any information regarding the success you had parsing the files which could help me i'd really appreciate it.



Senior Member

Re: SyncToy v2.1

Post Posted: Aug 26, 16 15:44

A very interesting topic. Smile

Well above my head/out of my league, unfortunately. Sad

I had a look around and found this:

It seems like all (or most) of the parsing functions for .bin and .dat files are there (to allow importing data from SyncToy or more generally Sync Framework).

The actual site is no more:

and the tool is not cached in Wayback Machine:

Maybe from the above source someone might create a parser.

Possibly there is something in the Sync Framework SDK 2.1, also, but cannot say:

It seems like the good MS guys provide the libarries/API's/whatever but do not actually document the file formats.

- In theory there is no difference between theory and practice, but in practice there is. - 

Page 1 of 1