Recycle.Bin Timestamp

(@ted_tk)
Posts: 1
New Member
Topic starter
 

Dear all,

I'm investigating with EnCase (Ver. 7), but I am confused about the date and time (timestamp) of Recycle.Bin data in Windows 7.

I thought that "File Created" of Recycle.Bin data is the date and time the data was deleted to the Recycle.Bin, and "Last Written" is the date and time before the data was deleted.
Therefore, it was my understanding that "File Created" of Recycle.Bin data should have a newer date and time than "Last Written".
But the date and time of "Last Written" displayed in the EnCase table pane is newer than "File Created".

Please tell me the reason why such date and time are displayed on "File Created" and "Last Written" in this case.

Thanks

 
Posted : 26/10/2018 2:55 pm
(@jerryw)
Posts: 56
Trusted Member
 

I have always found EnCase a bit over-helpful for this task. If you weren't already aware, there are actually two files involved with each file in the Recycle Bin: one with the file name and metadata and the other the actual content of the file. They are named $I and $R and have otherwise matching file names (not that of the original deleted file).

EnCase helpfully resolves them together, showing the original file name, but I found it more helpful to use something like FTK Imager, where the $I and $R are both shown as separate entities. By seeing when the $I was created, it would help determine when the file entered the Recycle Bin. That was my reasoning and it seemed to make sense.

There are many good sources with more detail and no doubt more reliability, but hope it might help.

 
Posted : 26/10/2018 3:32 pm
(@hommy0)
Posts: 98
Trusted Member
 

EnCase shows both the $I and $R files in relation to the Recycle Bin, it uses the content of the $I to resolve the original filename and presents that as the File Name.
If however the "Short Name" column is reviewed, this will show the $R name (which will correlate with the $I).

When it comes to times and dates and the operation that has taken place: when a user decides to place something in the Recycle Bin, it is simply a move operation from the original folder to the user's Recycle.Bin folder. As such, the File Created time and date stamp will not be updated.

If you are looking for the deleted time and date, this is encoded in the $I file, which EnCase's Windows Artifact parser (in the Evidence Processor) can decode. Alternatively (as already mentioned), the Created Date of the $I should also reflect when the original file was moved to the Recycle Bin (due to the fact that the $I is created at the point of "deletion").

You could also examine the $USNJRNL, which may have records that show when the file's move to the Recycle.Bin took place.

Regards

 
Posted : 29/10/2018 9:45 am
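Since the deletion time the thread is after lives inside the $I file rather than in the $R file's NTFS timestamps, here is a small parser for $I files plus the cross-check the second and third replies describe (the $I file's own Created time should agree with the FILETIME stored inside it). This is an added example for this thread, not code from EnCase, FTK Imager or any of the posters. It assumes the documented $I layouts: the version 1 layout used by Vista/7/8 (24-byte header, then a fixed 520-byte UTF-16LE path), and, going beyond the Windows 7 case asked about, the version 2 layout used by Windows 10 1607 and later (a 4-byte path length precedes the path). The user name, path, size and times in the sample bytes are constructed here, not taken from an image.

```python
"""Parser for Windows Recycle Bin $I metadata files.

Added example for this thread, not code from EnCase, FTK Imager or the posters.
Layout assumptions (the documented on-disk format; the sample bytes below are
constructed here, not taken from an image):
  version 1 (Vista/7/8):   u64 header = 1 | u64 original size | u64 FILETIME
                           deleted | 520-byte UTF-16LE original path, NUL padded
  version 2 (Win10 1607+): u64 header = 2 | u64 original size | u64 FILETIME
                           deleted | u32 path length in UTF-16 code units
                           (including the terminating NUL) | the path
All integers are little-endian.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520  # 260 UTF-16 code units, i.e. MAX_PATH


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is a count of 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


@dataclass
class RecycleBinEntry:
    version: int
    original_size: int
    deleted_at: datetime      # the "deletion" time the thread refers to
    original_path: str


def parse_i_file(data: bytes) -> RecycleBinEntry:
    if len(data) < 24:
        raise ValueError("too short for a $I header (need 24 bytes)")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_BYTES]
        if len(raw) != V1_PATH_BYTES:
            raise ValueError("truncated v1 path field")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        if len(data) < 28:
            raise ValueError("truncated v2 length field")
        (n_units,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * n_units]
        if len(raw) != 2 * n_units:
            raise ValueError("truncated v2 path field")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    else:
        raise ValueError(f"unknown $I header version {version}")
    return RecycleBinEntry(version, size, filetime_to_datetime(ft), path)


def r_file_for(i_name: str) -> str:
    """$IXXXXXX.ext holds metadata; $RXXXXXX.ext with the same suffix holds content."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def build_i_file(version: int, size: int, deleted_at: datetime, path: str) -> bytes:
    """Constructed sample builder (inverse of the parser) so the example runs offline."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    enc = path.encode("utf-16-le")
    if version == 1:
        if len(enc) > V1_PATH_BYTES - 2:
            raise ValueError("path exceeds MAX_PATH")
        return head + enc.ljust(V1_PATH_BYTES, b"\x00")
    if version == 2:
        enc += b"\x00\x00"
        return head + struct.pack("<I", len(enc) // 2) + enc
    raise ValueError("unsupported version")


def i_created_matches_deletion(entry: RecycleBinEntry, i_file_created: datetime,
                               tolerance: timedelta = timedelta(seconds=2)) -> bool:
    """The $I file is created at deletion time, so its NTFS Created timestamp
    should sit within a small tolerance of the FILETIME stored inside it."""
    return abs(i_file_created - entry.deleted_at) <= tolerance


# Constructed sample (hypothetical user, path, size and time; not from an image).
DELETED = datetime(2018, 10, 24, 13, 5, 30, tzinfo=timezone.utc)
SAMPLE_V1 = build_i_file(1, 48_213, DELETED, r"C:\Users\ted\Documents\report.docx")
SAMPLE_V2 = build_i_file(2, 48_213, DELETED, r"C:\Users\ted\Documents\report.docx")

if __name__ == "__main__":
    for blob in (SAMPLE_V1, SAMPLE_V2):
        e = parse_i_file(blob)
        print(f"v{e.version}: {e.original_path} ({e.original_size} bytes) deleted {e.deleted_at}")
    print(r_file_for("$I3F2K9Q.docx"))
```

Run it against a real $I file by passing the file's bytes to parse_i_file; then compare entry.deleted_at with the $I file's own Created timestamp (from the MFT, or the Created column in FTK Imager). The $R file's Created and Last Written timestamps are those of the original file, carried over by the move, which is why Last Written can legitimately be newer than Created there.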