Recycle bin W10 NTFS file system
fissa
Newbie
 

Recycle bin W10 NTFS file system

Posted: Apr 25, 19 11:14

Hi all,

First of all I want to say hi, being new on this forum. I'm new to the digital forensic world, but very interested and learning by the day.

At this moment I am trying to understand the recycle bin on W10. I think I'm getting the big picture, but there are still some things unclear.

FAT
I deleted a file on a FAT32 system. The file itself gets transferred to the recycle bin as $I (metadata) and $R (the file itself).
Is the $R a copy of the file in another directory (the bin)?
Or does FAT create a new directory entry, renaming the original file but using the original cluster where the file was placed (so not making an extra copy)? (At this stage, does FAT1/2 still mark the cluster as 'occupied'?)

When examining the disk with forensic software such as FTK or Encase, the original path the file was deleted from shows as 'deleted' but also as an overwritten file.
Is this because there are two directory entries pointing to the same cluster (the bin and the original)?

NTFS
On NTFS it gets a bit more complicated for me.
Doing the same thing, FTK or Encase doesn't show a deleted and overwritten file in the original path. Why is this?
The www doesn't give me the exact answer.

Does W10 create a new entry in the MFT for the deleted file and delete the original one?
Or does W10 adjust the original MFT entry, 'moving' it to the recycle bin? There is no second entry, so that's why FTK or Encase shows no deleted/overwritten status?

I hope someone knows the answer. I hope my explanation is complete.

Kind regards,
Fissa.  
 
  

fissa
Newbie
 

Re: Recycle bin W10 NTFS file system

Posted: Apr 25, 19 11:45

Re-reading my question makes me see that the real question is:
What happens in the $MFT after deleting a file to the recycle bin
&
What happens in the $MFT after deleting it, skipping the recycle bin (Shift + Delete)
 
  

jaclaz
Senior Member
 

Re: Recycle bin W10 NTFS file system

Posted: Apr 25, 19 13:20

If I may, it seems to me like your questions mix together three very different aspects:
1) what actually happens (on disk)
2) what the normal, default Windows (10 in this case) shows through some user-accessible/viewable representation about what happened, or if you prefer, how the OS attempts to represent what happened
3) how this (or that) forensic tool attempts to represent what happened

FAT tables, directory and file entries (and the $MFT and other metadata) are "on disk" and "belong" to the filesystem.
The RecycledBin is an OS "artifact" or "feature" and it is multi-disk/volume and "user centered".
The way this (or that) forensic tool represents (or fails to represent) the *whatever* data they extract from a number of different sources and reassemble in a "human readable" form is yet another "level of abstraction" (and it is very specific to the specific software at hand).

More to the last questions, I believe that nothing or very little has changed since 7 or 8 times (which also changed very little since 2000 or XP times), see here:
kcall.co.uk/ntfs/index.html

jaclaz

P.S.: on Vista and later (not mentioned in the above link) there is the addition of the $UsrJrnl, and some effects/records can be found in $LogFile too

You could explore the NTFS related nice tools by Joakim Schicht:
github.com/jschicht?ta...positories
and use them to make a few experiments.
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

thefuf
Senior Member
 

Re: Recycle bin W10 NTFS file system

Posted: Apr 25, 19 14:01

A simple test.

"Deleting" a file using a trash bin:
Code:
LSN: 8409711
Transaction ID: 24
Log record, redo operation: DeleteIndexEntryAllocation, undo operation: AddIndexEntryAllocation
Target (file reference number): 1407374883553285
Target (attribute name): $I30
Target path (from $MFT): /.
Offset in tagret: 1512
LCN(s): 36
Redo data:
-

Undo data:
00000000  2B 00 00 00 00 00 01 00-70 00 5E 00 00 00 00 00  +.......p.^.....
00000010  05 00 00 00 00 00 05 00-90 8C E0 ED 59 FB D4 01  ............Y...
00000020  C8 1B D9 F0 59 FB D4 01-02 AD D1 0B 5A FB D4 01  ....Y.......Z...
00000030  C8 1B D9 F0 59 FB D4 01-00 10 00 00 00 00 00 00  ....Y...........
00000040  C4 05 00 00 00 00 00 00-20 00 00 00 00 00 00 00  ........ .......
00000050  0E 00 74 00 65 00 73 00-74 00 5F 00 74 00 72 00  ..t.e.s.t._.t.r.
00000060  61 00 73 00 68 00 2E 00-74 00 78 00 74 00 5F 00  a.s.h...t.x.t._.

$FILE_NAME in index:
 * M timestamp: 2019-04-25 11:28:01.200840
 * A timestamp: 2019-04-25 11:28:01.200840
 * C timestamp: 2019-04-25 11:27:56.216436
 * E timestamp: 2019-04-25 11:28:46.450612
 * File name: test_trash.txt
 * Parent (file reference number): 1407374883553285
 * Parent path (from $MFT): /.


---

LSN: 8409736
Transaction ID: 24
Log record, redo operation: DeleteAttribute, undo operation: CreateAttribute
Target (file number): 43
Target path (from $MFT, likely wrong if the file was deleted later): /$RECYCLE.BIN/S-1-5-21-2377372389-1005799904-752891294-1001/$RK479CW.txt
Offset in tagret: 152
LCN(s): 262154
Redo data:
-

Undo data:
00000000  30 00 00 00 78 00 00 00-00 00 00 00 00 00 03 00  0...x...........
00000010  5E 00 00 00 18 00 01 00-05 00 00 00 00 00 05 00  ^...............
00000020  90 8C E0 ED 59 FB D4 01-90 8C E0 ED 59 FB D4 01  ....Y.......Y...
00000030  90 8C E0 ED 59 FB D4 01-90 8C E0 ED 59 FB D4 01  ....Y.......Y...
00000040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00000050  20 00 00 00 00 00 00 00-0E 00 74 00 65 00 73 00   .........t.e.s.
00000060  74 00 5F 00 74 00 72 00-61 00 73 00 68 00 2E 00  t._.t.r.a.s.h...
00000070  74 00 78 00 74 00 00 00                          t.x.t...

$FILE_NAME:
 * M timestamp: 2019-04-25 11:27:56.216436
 * A timestamp: 2019-04-25 11:27:56.216436
 * C timestamp: 2019-04-25 11:27:56.216436
 * E timestamp: 2019-04-25 11:27:56.216436
 * File name: test_trash.txt
 * Parent (file reference number): 1407374883553285
 * Parent path (from $MFT): /.


---

LSN: 8409762
Transaction ID: 24
Log record, redo operation: CreateAttribute, undo operation: DeleteAttribute
Target (file number): 43
Target path (from $MFT, likely wrong if the file was deleted later): /$RECYCLE.BIN/S-1-5-21-2377372389-1005799904-752891294-1001/$RK479CW.txt
Offset in tagret: 152
LCN(s): 262154
Redo data:
00000000  30 00 00 00 78 00 00 00-00 00 00 00 00 00 06 00  0...x...........
00000010  5A 00 00 00 18 00 01 00-29 00 00 00 00 00 01 00  Z.......).......
00000020  90 8C E0 ED 59 FB D4 01-C8 1B D9 F0 59 FB D4 01  ....Y.......Y...
00000030  02 AD D1 0B 5A FB D4 01-C8 1B D9 F0 59 FB D4 01  ....Z.......Y...
00000040  00 10 00 00 00 00 00 00-C4 05 00 00 00 00 00 00  ................
00000050  20 00 00 00 00 00 00 00-0C 00 24 00 52 00 4B 00   .........$.R.K.
00000060  34 00 37 00 39 00 43 00-57 00 2E 00 74 00 78 00  4.7.9.C.W...t.x.
00000070  74 00 00 00 00 00 00 00                          t.......

Undo data:
-

$FILE_NAME:
 * M timestamp: 2019-04-25 11:28:01.200840
 * A timestamp: 2019-04-25 11:28:01.200840
 * C timestamp: 2019-04-25 11:27:56.216436
 * E timestamp: 2019-04-25 11:28:46.450612
 * File name: $RK479CW.txt
 * Parent (file reference number): 281474976710697
 * Parent path (from $MFT): /$RECYCLE.BIN/S-1-5-21-2377372389-1005799904-752891294-1001


---

LSN: 8409788
Transaction ID: 24
Log record, redo operation: AddIndexEntryRoot, undo operation: DeleteIndexEntryRoot
Target (file number): 41
Target path (from $MFT, likely wrong if the file was deleted later): /$RECYCLE.BIN/S-1-5-21-2377372389-1005799904-752891294-1001
Offset in tagret: 512
LCN(s): 262154
Redo data:
00000000  2B 00 00 00 00 00 01 00-70 00 5A 00 00 00 00 00  +.......p.Z.....
00000010  29 00 00 00 00 00 01 00-90 8C E0 ED 59 FB D4 01  )...........Y...
00000020  C8 1B D9 F0 59 FB D4 01-02 AD D1 0B 5A FB D4 01  ....Y.......Z...
00000030  C8 1B D9 F0 59 FB D4 01-00 10 00 00 00 00 00 00  ....Y...........
00000040  C4 05 00 00 00 00 00 00-20 00 00 00 00 00 00 00  ........ .......
00000050  0C 00 24 00 52 00 4B 00-34 00 37 00 39 00 43 00  ..$.R.K.4.7.9.C.
00000060  57 00 2E 00 74 00 78 00-74 00 00 00 00 00 00 00  W...t.x.t.......

Undo data:
-

$FILE_NAME in index:
 * M timestamp: 2019-04-25 11:28:01.200840
 * A timestamp: 2019-04-25 11:28:01.200840
 * C timestamp: 2019-04-25 11:27:56.216436
 * E timestamp: 2019-04-25 11:28:46.450612
 * File name: $RK479CW.txt
 * Parent (file reference number): 281474976710697
 * Parent path (from $MFT): /$RECYCLE.BIN/S-1-5-21-2377372389-1005799904-752891294-1001


---

LSN: 8409813
Transaction ID: 24
Log record, redo operation: ForgetTransaction, undo operation: CompensationLogRecord
Unknown target, target attribute: 24
Unknown offset in target
Redo data:
-

Undo data:
-

Now, let's empty a trash bin:
Code:
LSN: 8410323
Transaction ID: 24
Log record, redo operation: ClearBitsInNonresidentBitMap, undo operation: SetBitsInNonresidentBitMap
Target (file reference number): 1688849860263942
Target (attribute name): 
Target path (from $MFT): /$Bitmap
Offset in tagret: 0
LCN(s): 262111
Redo data:
00000000  8A 0D 00 00 01 00 00 00                          ........

Undo data:
00000000  8A 0D 00 00 01 00 00 00                          ........


---

LSN: 8410335
Transaction ID: 24
Log record, redo operation: DeleteIndexEntryRoot, undo operation: AddIndexEntryRoot
Target (file number): 41
Target path (from $MFT, likely wrong if the file was deleted later): /$RECYCLE.BIN/S-1-5-21-2377372389-1005799904-752891294-1001
Offset in tagret: 512
LCN(s): 262154
Redo data:
-

Undo data:
00000000  2B 00 00 00 00 00 01 00-70 00 5A 00 00 00 00 00  +.......p.Z.....
00000010  29 00 00 00 00 00 01 00-90 8C E0 ED 59 FB D4 01  )...........Y...
00000020  C8 1B D9 F0 59 FB D4 01-05 97 9D 28 5A FB D4 01  ....Y......(Z...
00000030  C8 1B D9 F0 59 FB D4 01-00 10 00 00 00 00 00 00  ....Y...........
00000040  C4 05 00 00 00 00 00 00-20 00 00 00 00 00 00 00  ........ .......
00000050  0C 00 24 00 52 00 4B 00-34 00 37 00 39 00 43 00  ..$.R.K.4.7.9.C.
00000060  57 00 2E 00 74 00 78 00-74 00 00 00 00 00 00 00  W...t.x.t.......

$FILE_NAME in index:
 * M timestamp: 2019-04-25 11:28:01.200840
 * A timestamp: 2019-04-25 11:28:01.200840
 * C timestamp: 2019-04-25 11:27:56.216436
 * E timestamp: 2019-04-25 11:29:34.763188
 * File name: $RK479CW.txt
 * Parent (file reference number): 281474976710697
 * Parent path (from $MFT): /$RECYCLE.BIN/S-1-5-21-2377372389-1005799904-752891294-1001


---

LSN: 8410360
Transaction ID: 24
Log record, redo operation: DeleteIndexEntryRoot, undo operation: AddIndexEntryRoot
Target (file number): 25
Target path (from $MFT, likely wrong if the file was deleted later): /$Extend/$ObjId
Offset in tagret: 408
LCN(s): 262150
Redo data:
-

Undo data:
00000000  20 00 38 00 00 00 00 00-58 00 10 00 00 00 00 00   .8.....X.......
00000010  0E 05 49 C2 4C 67 E9 11-8F CB 52 54 00 12 34 56  ..I.Lg....RT..4V
00000020  2B 00 00 00 00 00 01 00-00 00 00 00 00 00 00 00  +...............
00000030  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00000040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00000050  00 00 00 00 00 00 00 00                          ........


---

LSN: 8410382
Transaction ID: 24
Log record, redo operation: DeallocateFileRecordSegment, undo operation: InitializeFileRecordSegment
Target (file number): 43
Target path (from $MFT, likely wrong if the file was deleted later): /$RECYCLE.BIN/S-1-5-21-2377372389-1005799904-752891294-1001/$RK479CW.txt
Offset in tagret: 0
LCN(s): 262154
Redo data:
-

Undo data:
00000000  46 49 4C 45 30 00 03 00-4F 54 80 00 00 00 00 00  FILE0...OT......
00000010  01 00 01 00 38 00 01 00                          ....8...


---

LSN: 8410396
Transaction ID: 24
Log record, redo operation: ClearBitsInNonresidentBitMap, undo operation: SetBitsInNonresidentBitMap
Target (file reference number): 281474976710656
Target (attribute name): 
Target path (from $MFT): /$MFT
Offset in tagret: 0
LCN(s): 262143
Redo data:
00000000  2B 00 00 00 01 00 00 00                          +.......

Undo data:
00000000  2B 00 00 00 01 00 00 00                          +.......


---

LSN: 8410408
Transaction ID: 24
Log record, redo operation: ForgetTransaction, undo operation: CompensationLogRecord
Unknown target, target attribute: 24
Unknown offset in target
Redo data:
-

Undo data:
-

So, a file is renamed (moved) when "deleted" to a trash bin.

Doing the same thing, FTK or Encase doesnt show a deleted and overwritten file in the original path. Why is this?


An original path can be shown if an index entry (not to be confused with an $MFT entry) isn't overwritten.  
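As an added example (not thefuf's tool and not part of the original post), the Python below parses the two $FILE_NAME attribute records shown above, the undo data of LSN 8409736 (before the rename) and the redo data of LSN 8409762 (after it), using the standard NTFS resident-attribute layout; it converts FILETIMEs by integer division (whole microseconds), so the last digit can differ from output that rounds in floating point, and it confirms that the same record was renamed and re-parented while keeping its creation time.

```python
import struct
from datetime import datetime, timedelta

# $FILE_NAME attribute records transcribed from the $LogFile records above:
# undo data of LSN 8409736 (before the rename) and redo data of LSN 8409762 (after).
BEFORE_RENAME = bytes.fromhex(
    "30000000780000000000000000000300" "5E000000180001000500000000000500"
    "908CE0ED59FBD401908CE0ED59FBD401" "908CE0ED59FBD401908CE0ED59FBD401"
    "00000000000000000000000000000000" "20000000000000000E00740065007300"
    "74005F00740072006100730068002E00" "7400780074000000")
AFTER_RENAME = bytes.fromhex(
    "30000000780000000000000000000600" "5A000000180001002900000000000100"
    "908CE0ED59FBD401C81BD9F059FBD401" "02ADD10B5AFBD401C81BD9F059FBD401"
    "0010000000000000C405000000000000" "20000000000000000C00240052004B00"
    "340037003900430057002E0074007800" "7400000000000000")

def filetime_to_datetime(ft):
    # 100 ns ticks since 1601-01-01 UTC; integer division truncates to whole
    # microseconds (a tool dividing in floating point may round the last digit).
    return datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)

def parse_file_name_attribute(raw):
    """Parse one resident $FILE_NAME (type 0x30) attribute record: header + value."""
    attr_type, _length, non_resident, _nlen, _noff, _flags, _attr_id = \
        struct.unpack_from("<IIBBHHH", raw, 0)
    if attr_type != 0x30 or non_resident:
        raise ValueError("not a resident $FILE_NAME attribute")
    value_len, value_off, _indexed, _pad = struct.unpack_from("<IHBB", raw, 16)
    (parent_ref, created, modified, mft_modified, accessed, alloc_size,
     real_size, file_flags, _reparse, name_len, namespace) = \
        struct.unpack_from("<QQQQQQQIIBB", raw, value_off)  # fixed 66-byte part
    if 66 + 2 * name_len > value_len:
        raise ValueError("name runs past the attribute value")
    name = raw[value_off + 66 : value_off + 66 + 2 * name_len].decode("utf-16-le")
    return {
        "parent_record": parent_ref & 0xFFFFFFFFFFFF,  # low 48 bits: MFT number
        "parent_sequence": parent_ref >> 48, "name": name, "namespace": namespace,
        "created": filetime_to_datetime(created), "modified": filetime_to_datetime(modified),
        "mft_modified": filetime_to_datetime(mft_modified),
        "accessed": filetime_to_datetime(accessed), "file_flags": file_flags,
        "allocated_size": alloc_size, "real_size": real_size,
    }

def describe_rename(before, after):
    # What the DeleteAttribute/CreateAttribute pair changed about the file.
    return {"renamed": before["name"] != after["name"],
            "moved": before["parent_record"] != after["parent_record"],
            "same_creation_time": before["created"] == after["created"]}
```

Parent record 5 is the volume root and 41 is the per-SID recycle-bin folder, matching the "Target (file number)" lines in the log records.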
 
  

jaclaz
Senior Member
 

Re: Recycle bin W10 NTFS file system

Posted: Apr 25, 19 15:12

- thefuf
A simple test.

Simple :) , but not simply repeatable :( unless you describe what tools/commands you used to obtain the posted output.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

thefuf
Senior Member
 

Re: Recycle bin W10 NTFS file system

Posted: Apr 25, 19 15:18

- jaclaz
- thefuf
A simple test.

Simple :) , but not simply repeatable :( unless you describe what tools/commands you used to obtain the posted output.

jaclaz


A drive with an NTFS file system + dfir_ntfs. The output is from the $LogFile journal.  
 
  

fissa
Newbie
 

Re: Recycle bin W10 NTFS file system

Posted: Apr 26, 19 05:58

Thanks Jaclaz and Thefuf for your efforts.

The link kcall.co.uk/ntfs/index.html was very useful. I think I get it now, approaching the deletion and the recycle bin as two separate 'things'.
So if I delete a file on NTFS it also gets flagged as deleted, just like FAT flags its deleted files.
But when the recycle bin comes into the game it changes a bit: the file still gets flagged as deleted, but it also gets renamed in the MFT to the name the recycler gives it (starting with $R in W10). The OS keeps the deleted file as a live file and doesn't unallocate the cluster in the BITMAP to free it for use, so it can't be overwritten. This takes place when you delete the file from the recycler.


- thefuf


Doing the same thing, FTK or Encase doesnt show a deleted and overwritten file in the original path. Why is this?


An original path can be shown if an index entry (not to be confused with an $MFT entry) isn't overwritten.


How must I interpret this? I am indeed confused with the $MFT entry right now...


With kind regards.  
 
