Recycle bin W10 NTFS file system

8 Posts
3 Users
0 Likes
1,696 Views
(@fissa)
Posts: 27
Eminent Member
Topic starter
 

Hi all,

First of all I want to say hi, being new on this forum. I'm new to the digital forensic world, but very interested and learning by the day.

At this moment I am trying to understand the recycle bin on W10. I think I'm getting the big picture, but there are still some things unclear.

FAT
I deleted a file on a FAT32 system. The file itself gets transferred to the recycle bin as $I (metadata) and $R (the file itself).
Is the $R a copy of the file in another directory (the bin)?
Or does FAT create a new directory entry, renaming the original file but using the original cluster where the file was placed (so not making an extra copy)? (At this stage, does FAT1/2 still allocate the cluster as 'occupied'?)

When researching the disk with forensic software such as FTK or EnCase, the original path where the file was deleted from shows as 'deleted' but also as an overwritten file.
Is this because there are two directory entries pointing to the same cluster (the bin and the original)?

NTFS
On NTFS it gets a bit more complicated for me.
Doing the same thing, FTK or EnCase doesn't show a deleted and overwritten file in the original path. Why is this?
The www doesn't give me the exact answer.

Does W10 create a new entry in the MFT for the deleted file and delete the original one?
Or does W10 adjust the original MFT entry, 'moving' it to the recycle bin? There is no second entry, so is that why FTK or EnCase show no deletion/overwritten status?

I hope someone knows the answer. I hope my explanation is complete.

Kind regards,
Fissa.

 
Posted : 25/04/2019 11:14 am
(@fissa)
Posts: 27
Eminent Member
Topic starter
 

Re-reading my question makes me see that the real question is:
What happens in the $MFT after deleting a file to the recycle bin
&
What happens in the $MFT after deleting it while skipping the recycle bin (Shift + Delete)

 
Posted : 25/04/2019 11:45 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

If I may, it seems to me like your questions mix together three very different aspects:
1) what actually happens (on disk)
2) what the normal, default Windows (10 in this case) shows through some user-accessible/viewable representation about what happened, or, if you prefer, how the OS attempts to represent what happened
3) how this (or that) forensic tool attempts to represent what happened

FAT tables, directory and file entries (and the $MFT and other metadata) are "on disk" and "belong" to the filesystem.
The Recycle Bin is an OS "artifact" or "feature", and it is multi-disk/volume and "user centered".
The way this (or that) forensic tool represents (or fails to represent) the *whatever* data it extracts from a number of different sources and reassembles in a "human readable" form is yet another "level of abstraction" (and it is very specific to the specific software at hand).

More to the last questions, I believe that nothing or very little has changed since 7 or 8 times (which also changed very little since 2000 or XP times), see here:
http://kcall.co.uk/ntfs/index.html

jaclaz

P.S. On Vista and later (not mentioned in the above link) there is the addition of the $UsnJrnl, and some effects/records can be found in $LogFile too.

You could explore the nice NTFS-related tools by Joakim Schicht
https://github.com/jschicht?tab=repositories
and use them to make a few experiments.

 
Posted : 25/04/2019 1:20 pm
(@thefuf)
Posts: 262
Reputable Member
 

A simple test.

"Deleting" a file using a trash bin

LSN 8409711
Transaction ID 24
Log record, redo operation DeleteIndexEntryAllocation, undo operation AddIndexEntryAllocation
Target (file reference number) 1407374883553285
Target (attribute name) $I30
Target path (from $MFT) /.
Offset in tagret 1512
LCN(s) 36
Redo data
-

Undo data
00000000 2B 00 00 00 00 00 01 00-70 00 5E 00 00 00 00 00 +.......p.^.....
00000010 05 00 00 00 00 00 05 00-90 8C E0 ED 59 FB D4 01 ............Y...
00000020 C8 1B D9 F0 59 FB D4 01-02 AD D1 0B 5A FB D4 01 ....Y.......Z...
00000030 C8 1B D9 F0 59 FB D4 01-00 10 00 00 00 00 00 00 ....Y...........
00000040 C4 05 00 00 00 00 00 00-20 00 00 00 00 00 00 00 ........ .......
00000050 0E 00 74 00 65 00 73 00-74 00 5F 00 74 00 72 00 ..t.e.s.t._.t.r.
00000060 61 00 73 00 68 00 2E 00-74 00 78 00 74 00 5F 00 a.s.h...t.x.t._.

$FILE_NAME in index
* M timestamp 2019-04-25 112801.200840
* A timestamp 2019-04-25 112801.200840
* C timestamp 2019-04-25 112756.216436
* E timestamp 2019-04-25 112846.450612
* File name test_trash.txt
* Parent (file reference number) 1407374883553285
* Parent path (from $MFT) /.

---

LSN 8409736
Transaction ID 24
Log record, redo operation DeleteAttribute, undo operation CreateAttribute
Target (file number) 43
Target path (from $MFT, likely wrong if the file was deleted later) /$RECYCLE.BIN/S-1-5-21-2377372389-1005799904-752891294-1001/$RK479CW.txt
Offset in tagret 152
LCN(s) 262154
Redo data
-

Undo data
00000000 30 00 00 00 78 00 00 00-00 00 00 00 00 00 03 00 0...x...........
00000010 5E 00 00 00 18 00 01 00-05 00 00 00 00 00 05 00 ^...............
00000020 90 8C E0 ED 59 FB D4 01-90 8C E0 ED 59 FB D4 01 ....Y.......Y...
00000030 90 8C E0 ED 59 FB D4 01-90 8C E0 ED 59 FB D4 01 ....Y.......Y...
00000040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000050 20 00 00 00 00 00 00 00-0E 00 74 00 65 00 73 00 .........t.e.s.
00000060 74 00 5F 00 74 00 72 00-61 00 73 00 68 00 2E 00 t._.t.r.a.s.h...
00000070 74 00 78 00 74 00 00 00 t.x.t...

$FILE_NAME
* M timestamp 2019-04-25 112756.216436
* A timestamp 2019-04-25 112756.216436
* C timestamp 2019-04-25 112756.216436
* E timestamp 2019-04-25 112756.216436
* File name test_trash.txt
* Parent (file reference number) 1407374883553285
* Parent path (from $MFT) /.

---

LSN 8409762
Transaction ID 24
Log record, redo operation CreateAttribute, undo operation DeleteAttribute
Target (file number) 43
Target path (from $MFT, likely wrong if the file was deleted later) /$RECYCLE.BIN/S-1-5-21-2377372389-1005799904-752891294-1001/$RK479CW.txt
Offset in tagret 152
LCN(s) 262154
Redo data
00000000 30 00 00 00 78 00 00 00-00 00 00 00 00 00 06 00 0...x...........
00000010 5A 00 00 00 18 00 01 00-29 00 00 00 00 00 01 00 Z.......).......
00000020 90 8C E0 ED 59 FB D4 01-C8 1B D9 F0 59 FB D4 01 ....Y.......Y...
00000030 02 AD D1 0B 5A FB D4 01-C8 1B D9 F0 59 FB D4 01 ....Z.......Y...
00000040 00 10 00 00 00 00 00 00-C4 05 00 00 00 00 00 00 ................
00000050 20 00 00 00 00 00 00 00-0C 00 24 00 52 00 4B 00 .........$.R.K.
00000060 34 00 37 00 39 00 43 00-57 00 2E 00 74 00 78 00 4.7.9.C.W...t.x.
00000070 74 00 00 00 00 00 00 00 t.......

Undo data
-

$FILE_NAME
* M timestamp 2019-04-25 112801.200840
* A timestamp 2019-04-25 112801.200840
* C timestamp 2019-04-25 112756.216436
* E timestamp 2019-04-25 112846.450612
* File name $RK479CW.txt
* Parent (file reference number) 281474976710697
* Parent path (from $MFT) /$RECYCLE.BIN/S-1-5-21-2377372389-1005799904-752891294-1001

---

LSN 8409788
Transaction ID 24
Log record, redo operation AddIndexEntryRoot, undo operation DeleteIndexEntryRoot
Target (file number) 41
Target path (from $MFT, likely wrong if the file was deleted later) /$RECYCLE.BIN/S-1-5-21-2377372389-1005799904-752891294-1001
Offset in tagret 512
LCN(s) 262154
Redo data
00000000 2B 00 00 00 00 00 01 00-70 00 5A 00 00 00 00 00 +.......p.Z.....
00000010 29 00 00 00 00 00 01 00-90 8C E0 ED 59 FB D4 01 )...........Y...
00000020 C8 1B D9 F0 59 FB D4 01-02 AD D1 0B 5A FB D4 01 ....Y.......Z...
00000030 C8 1B D9 F0 59 FB D4 01-00 10 00 00 00 00 00 00 ....Y...........
00000040 C4 05 00 00 00 00 00 00-20 00 00 00 00 00 00 00 ........ .......
00000050 0C 00 24 00 52 00 4B 00-34 00 37 00 39 00 43 00 ..$.R.K.4.7.9.C.
00000060 57 00 2E 00 74 00 78 00-74 00 00 00 00 00 00 00 W...t.x.t.......

Undo data
-

$FILE_NAME in index
* M timestamp 2019-04-25 112801.200840
* A timestamp 2019-04-25 112801.200840
* C timestamp 2019-04-25 112756.216436
* E timestamp 2019-04-25 112846.450612
* File name $RK479CW.txt
* Parent (file reference number) 281474976710697
* Parent path (from $MFT) /$RECYCLE.BIN/S-1-5-21-2377372389-1005799904-752891294-1001

---

LSN 8409813
Transaction ID 24
Log record, redo operation ForgetTransaction, undo operation CompensationLogRecord
Unknown target, target attribute 24
Unknown offset in target
Redo data
-

Undo data
-

Now, let's empty a trash bin

LSN 8410323
Transaction ID 24
Log record, redo operation ClearBitsInNonresidentBitMap, undo operation SetBitsInNonresidentBitMap
Target (file reference number) 1688849860263942
Target (attribute name)
Target path (from $MFT) /$Bitmap
Offset in tagret 0
LCN(s) 262111
Redo data
00000000 8A 0D 00 00 01 00 00 00 ........

Undo data
00000000 8A 0D 00 00 01 00 00 00 ........

---

LSN 8410335
Transaction ID 24
Log record, redo operation DeleteIndexEntryRoot, undo operation AddIndexEntryRoot
Target (file number) 41
Target path (from $MFT, likely wrong if the file was deleted later) /$RECYCLE.BIN/S-1-5-21-2377372389-1005799904-752891294-1001
Offset in tagret 512
LCN(s) 262154
Redo data
-

Undo data
00000000 2B 00 00 00 00 00 01 00-70 00 5A 00 00 00 00 00 +.......p.Z.....
00000010 29 00 00 00 00 00 01 00-90 8C E0 ED 59 FB D4 01 )...........Y...
00000020 C8 1B D9 F0 59 FB D4 01-05 97 9D 28 5A FB D4 01 ....Y......(Z...
00000030 C8 1B D9 F0 59 FB D4 01-00 10 00 00 00 00 00 00 ....Y...........
00000040 C4 05 00 00 00 00 00 00-20 00 00 00 00 00 00 00 ........ .......
00000050 0C 00 24 00 52 00 4B 00-34 00 37 00 39 00 43 00 ..$.R.K.4.7.9.C.
00000060 57 00 2E 00 74 00 78 00-74 00 00 00 00 00 00 00 W...t.x.t.......

$FILE_NAME in index
* M timestamp 2019-04-25 112801.200840
* A timestamp 2019-04-25 112801.200840
* C timestamp 2019-04-25 112756.216436
* E timestamp 2019-04-25 112934.763188
* File name $RK479CW.txt
* Parent (file reference number) 281474976710697
* Parent path (from $MFT) /$RECYCLE.BIN/S-1-5-21-2377372389-1005799904-752891294-1001

---

LSN 8410360
Transaction ID 24
Log record, redo operation DeleteIndexEntryRoot, undo operation AddIndexEntryRoot
Target (file number) 25
Target path (from $MFT, likely wrong if the file was deleted later) /$Extend/$ObjId
Offset in tagret 408
LCN(s) 262150
Redo data
-

Undo data
00000000 20 00 38 00 00 00 00 00-58 00 10 00 00 00 00 00 .8.....X.......
00000010 0E 05 49 C2 4C 67 E9 11-8F CB 52 54 00 12 34 56 ..I.Lg....RT..4V
00000020 2B 00 00 00 00 00 01 00-00 00 00 00 00 00 00 00 +...............
00000030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 00 00 00 00 ........

---

LSN 8410382
Transaction ID 24
Log record, redo operation DeallocateFileRecordSegment, undo operation InitializeFileRecordSegment
Target (file number) 43
Target path (from $MFT, likely wrong if the file was deleted later) /$RECYCLE.BIN/S-1-5-21-2377372389-1005799904-752891294-1001/$RK479CW.txt
Offset in tagret 0
LCN(s) 262154
Redo data
-

Undo data
00000000 46 49 4C 45 30 00 03 00-4F 54 80 00 00 00 00 00 FILE0...OT......
00000010 01 00 01 00 38 00 01 00 ....8...

---

LSN 8410396
Transaction ID 24
Log record, redo operation ClearBitsInNonresidentBitMap, undo operation SetBitsInNonresidentBitMap
Target (file reference number) 281474976710656
Target (attribute name)
Target path (from $MFT) /$MFT
Offset in tagret 0
LCN(s) 262143
Redo data
00000000 2B 00 00 00 01 00 00 00 +.......

Undo data
00000000 2B 00 00 00 01 00 00 00 +.......

---

LSN 8410408
Transaction ID 24
Log record, redo operation ForgetTransaction, undo operation CompensationLogRecord
Unknown target, target attribute 24
Unknown offset in target
Redo data
-

Undo data
-

So, a file is renamed (moved) when "deleted" to a trash bin.

Doing the same thing, FTK or EnCase doesn't show a deleted and overwritten file in the original path. Why is this?

An original path can be shown if an index entry (not to be confused with an $MFT entry) isn't overwritten.

 
Posted : 25/04/2019 2:01 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

A simple test.

Simple ) , but not simply repeatable ( unless you describe what tools/commands you used to obtain the posted output.

jaclaz

 
Posted : 25/04/2019 3:12 pm
(@thefuf)
Posts: 262
Reputable Member
 

A simple test.

Simple ) , but not simply repeatable ( unless you describe what tools/commands you used to obtain the posted output.

jaclaz

A drive with an NTFS file system + dfir_ntfs. The output is from the $LogFile journal.

 
Posted : 25/04/2019 3:18 pm
(@fissa)
Posts: 27
Eminent Member
Topic starter
 

Thanks Jaclaz and Thefuf for your efforts.

The link kcall.co.uk/ntfs/index.html was very useful. I think I get it now, approaching the deletion and the recycle bin as two separate 'things'.
So if I delete a file on NTFS it also gets flagged as deleted, just like FAT flags its deleted files.
But when the recycle bin comes into the game it changes a bit. The file still gets flagged as deleted, but it also gets renamed in the MFT to the name the recycler gives it (starting with $R in W10). The OS keeps the deleted file as a live file and doesn't unallocate the cluster in the BITMAP as free for use, so it can't be overwritten. This takes place when you delete the file from the recycler.

Doing the same thing, FTK or EnCase doesn't show a deleted and overwritten file in the original path. Why is this?

An original path can be shown if an index entry (not to be confused with an $MFT entry) isn't overwritten.

How must I interpret this? I am indeed confused with the $MFT entry right now…

With kind regards.

 
Posted : 26/04/2019 5:58 am
(@thefuf)
Posts: 262
Reputable Member
 

How must I interpret this? I am indeed confused with the $MFT entry right now…

Not all file system metadata is stored in the $MFT file. Contents of a directory (as a tree of $FILE_NAME attributes) are stored as entries in an index record. Some index records are nonresident (stored outside of the $MFT file). When a file is deleted, a corresponding entry in an index record is deleted too. However, it's not always overwritten. So, you can recover a $FILE_NAME attribute of a deleted file.

 
Posted : 26/04/2019 9:37 am
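As an added example (not code from the thread or from dfir_ntfs), here is a small Python parser for the two $FILE_NAME copies that appear in thefuf's $LogFile dump and that his last reply distinguishes: the $I30 index entry removed from the root directory (undo data of LSN 8409711) and the resident $FILE_NAME attribute in MFT record 43 (undo data of LSN 8409736). The byte strings are transcribed from those dumps; the offsets follow the documented NTFS on-disk layouts.

```python
import struct
from datetime import datetime, timedelta, timezone
# Transcribed from the dfir_ntfs $LogFile output above. LSN 8409711 undo data: 0x70-byte $I30 index entry.
INDEX_ENTRY = bytes.fromhex(
    "2B 00 00 00 00 00 01 00 70 00 5E 00 00 00 00 00"
    "05 00 00 00 00 00 05 00 90 8C E0 ED 59 FB D4 01"
    "C8 1B D9 F0 59 FB D4 01 02 AD D1 0B 5A FB D4 01"
    "C8 1B D9 F0 59 FB D4 01 00 10 00 00 00 00 00 00"
    "C4 05 00 00 00 00 00 00 20 00 00 00 00 00 00 00"
    "0E 00 74 00 65 00 73 00 74 00 5F 00 74 00 72 00"
    "61 00 73 00 68 00 2E 00 74 00 78 00 74 00 5F 00")
# LSN 8409736 undo data: the resident $FILE_NAME attribute (0x78 bytes) of MFT record 43.
FILE_NAME_ATTR = bytes.fromhex(
    "30 00 00 00 78 00 00 00 00 00 00 00 00 00 03 00"
    "5E 00 00 00 18 00 01 00 05 00 00 00 00 00 05 00"
    "90 8C E0 ED 59 FB D4 01 90 8C E0 ED 59 FB D4 01"
    "90 8C E0 ED 59 FB D4 01 90 8C E0 ED 59 FB D4 01"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "20 00 00 00 00 00 00 00 0E 00 74 00 65 00 73 00"
    "74 00 5F 00 74 00 72 00 61 00 73 00 68 00 2E 00"
    "74 00 78 00 74 00 00 00")

def filetime_to_utc(ticks):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; the journal output above is in UTC too."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_file_name(body):
    """Decode a $FILE_NAME body: parent reference, C/M/E/A timestamps, sizes, flags, UTF-16LE name."""
    parent_ref, c, m, e, a = struct.unpack_from("<5Q", body, 0)
    alloc, real, flags, _reparse, name_len, namespace = struct.unpack_from("<QQIIBB", body, 40)
    return {"name": body[66:66 + 2 * name_len].decode("utf-16-le"), "namespace": namespace,
            "parent_mft_number": parent_ref & 0xFFFFFFFFFFFF, "parent_sequence": parent_ref >> 48,
            "created": filetime_to_utc(c), "modified": filetime_to_utc(m),
            "mft_modified": filetime_to_utc(e), "accessed": filetime_to_utc(a),
            "allocated_size": alloc, "real_size": real, "flags": flags}

def parse_index_entry(raw):
    """$I30 entry: 16-byte header (file reference, entry and key length, flags) then a $FILE_NAME key."""
    file_ref, _entry_len, key_len, _flags = struct.unpack_from("<QHHH", raw, 0)
    info = parse_file_name(raw[16:16 + key_len])
    info.update(mft_number=file_ref & 0xFFFFFFFFFFFF, sequence=file_ref >> 48)
    return info

def parse_resident_attribute(raw):
    """Resident attribute header: type and length at 0, non-resident flag at 8, value length/offset at 16."""
    attr_type, _attr_len, non_resident = struct.unpack_from("<IIB", raw, 0)
    if non_resident:
        raise ValueError("value is stored outside the MFT record, nothing to decode here")
    value_len, value_off = struct.unpack_from("<IH", raw, 16)
    return attr_type, raw[value_off:value_off + value_len]
```

Decoding both copies shows why the index entry matters for recovery: the directory copy carries the updated M/A/E timestamps and the 1476-byte size, while the copy inside MFT record 43 still holds creation-time values and zero sizes.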