Hi all,
Quick question: I am trying to find the file deleted date for a file in a recycle bin.
However, the file is present, but the file itself does not show up in the INFO2 file in that folder. I assume that is because the recycle bin was purged at some stage and the INFO2 file was deleted and a new one started.
Is there a way to find the file deleted date from the file itself?
Currently the process we are thinking of using is:
Carve unallocated/slack space for all INFO2 files that can be found on the subject image.
Search all the found INFO2 files for the file names to see if we can find them.
Is there a better way to do this?
I noticed that when carving with the EnScript recycle bin info record finder, it doesn't provide the deleted date.
Thanks!
What tool(s) have you been using so far to parse the INFO2 file(s)? Version of Windows?
EnCase and FTK. I noticed that FTK does work better and provides the information that we require from the INFO2.
However, we were planning on using EnCase (at least for the data carving) as the person with the image has an EnCase dongle and not an FTK dongle.
We can use FTK to examine the INFO2 files found as it will be under the size required to use the dongle.
Version of Windows is XP. Not sure of the service pack at this time.
To clarify/understand - the file has a "Is Deleted" show true marker but is not present in the INFO2 record(s)?
Think I may have confused the issue.
The real question is: what happens when a folder is sent to the Recycle Bin? Does each item in the folder get a line in the INFO2, or is there one line for the folder?
I have the following
recycled\SID\foldernamex
Which has several subfolders. The files we are investigating are in these subfolders.
In the INFO2 I have
Dc19. FolderA\Foldernamex
I assume that this is the only line in the INFO2 for this deleted folder and that the individual files in this folder will not have their own lines in the INFO2 file.
If this is correct, please let me know, as I therefore have the information I am searching for.
Quick breakdown of the INFO2 record…
with
And at risk of sounding smarter than I am I will point you to two books for reference to the INFO2 record.
Harlan Carvey's book - Windows Forensic Analysis DVD Toolkit 2E has great info in chapter 5 as well as Perl script on the accompanying DVD.
And Steve Bunting writes it up as well in the EnCE Study Guide.
I would only be plagiarizing what both of them have already published so well 😉
Keith Jones at Foundstone has a free utility as well as a good white paper on the subject.
So... did you answer your question?
Don't know if I'm over-simplifying things here, but wouldn't the last modified date be a reliable indicator? I say this as the file's modified date holds info pertaining to the MFT entry, and the MFT entry path gets changed the moment it moves into the recycle bin..? I know this isn't solid proof, as the user could edit the MFT entry themselves somehow and this would also change the modified date.
In a case I was working on where evidence was discovered by a very helpful technician working for a popular PC repair shop 😉 😉 the technician signed a statement saying he took a random folder out of the recycle bin 'to see if it had a virus' (rather than scanning the recycler like a normal person), and the modified dates for the images showed the date he 'checked for the virus'. Wouldn't this work the other way around?
My thoughts are the same as 'stezer2000', the last modified should represent a reliable enough indicator. Recovered unallocated data could be argued to be a less reliable indicator in court, and would bring in the argument of overwritten data.
It's been a while since I used this part of my brain, so I may be wrong.
Upon deleting a folder, the folder and all of its children get moved to the Recycle Bin. Only the parent folder gets an INFO2 entry.
Thus, you can find out the deleted date by looking at the deleted date of the parent folder.
If no one can confirm this, it would be easy enough to experimentally verify. Well, you should do that on your own anyway, but I digress.
Unfortunately the Recycle Bin is only for users to have a false sense of security, and it actually muddles things a bit from an investigative perspective because it has to add its 2 cents when files pass in and out of that directory. It is important to understand three things: the role of the MFT, the role of the Recycle Bin, and how they work together.
My approach is to look at the deleted file/folder as such and then to see if they "touched" the Recycle Bin in the process. Then you can correlate the modified and access times as such and compare to INFO2 records.
Don't focus too heavily on how the data is interpreted in EnCase or FTK. Look at it from the base level of the way the NTFS file system works and the way the information (bytes) is recorded in the MFT records.
The INFO2 file will contain a single record, 800 bytes in length, for each deleted file or folder. But you want to know what happens when MULTIPLE files in a directory are deleted. What happened when you tested this?
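As an added example (not code from this thread or from any of the tools named in it), a small parser for the XP-era INFO2 records discussed above: it walks the 800-byte records, decodes the FILETIME deletion stamp, and maps a path inside a recycled folder such as Dc19\sub\file.jpg back to the deletion time of the parent folder's record, since only the parent folder gets an entry. The 20-byte header layout and the field offsets inside the record are assumptions based on the XP format, and the INFO2 blob is constructed here, not taken from real evidence.

```python
import re
import struct
from datetime import datetime, timedelta, timezone
HEADER_LEN = 20   # assumed XP header: version, 2 unknown DWORDs, record size, total size
RECORD_LEN = 800  # per-record length quoted in the thread (260 ANSI + 20 fixed + 520 Unicode)
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)

def parse_info2(data):
    """Return one dict per record: recycled name (Dc19 style), original path, deleted time, size."""
    rec_len = struct.unpack_from("<I", data, 12)[0]   # assumed record-size field in the header
    if rec_len != RECORD_LEN:
        raise ValueError("unexpected INFO2 record size %d" % rec_len)
    records = []
    for off in range(HEADER_LEN, len(data) - rec_len + 1, rec_len):
        # ANSI path; a slot freed by a restore/empty typically has its first byte zeroed
        ansi = data[off:off + 260].split(b"\x00", 1)[0].decode("latin-1")
        index, drive, ft, size = struct.unpack_from("<IIQI", data, off + 260)
        uni = data[off + 280:off + 800].decode("utf-16-le").split("\x00", 1)[0]
        records.append({
            "recycled_name": "D%s%d" % (chr(ord("a") + drive), index),  # drive 2 -> 'c'
            "original_path": uni or ansi,
            "deleted": filetime_to_datetime(ft),
            "size": size,
        })
    return records
_RECYCLED = re.compile(r"^D([a-z])(\d+)(?:[\\/].*)?$", re.I)

def deletion_time_for(recycled_path, records):
    """Deletion time of the top-level record a path inside the bin belongs to (children have no record)."""
    m = _RECYCLED.match(recycled_path)
    if not m:
        return None
    name = "D%s%d" % (m.group(1).lower(), int(m.group(2)))
    for r in records:
        if r["recycled_name"] == name:
            return r["deleted"]
    return None

def build_sample():
    """Constructed INFO2 blob (not real evidence) holding the single folder record from the thread."""
    delta = datetime(2009, 3, 14, 10, 30, tzinfo=timezone.utc) - _EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10**7          # exact integer FILETIME
    path = "C:\\FolderA\\Foldernamex"
    rec = path.encode("latin-1").ljust(260, b"\x00")
    rec += struct.pack("<IIQI", 19, 2, ft, 4096)                # index 19, drive C:, size 4096
    rec += path.encode("utf-16-le").ljust(520, b"\x00")
    return struct.pack("<5I", 5, 0, 0, RECORD_LEN, 0) + rec
```

Running parse_info2 over a carved INFO2 fragment works the same way, provided the carve starts at the header; a fragment that starts mid-file needs the 20-byte offset adjusted to the first full record.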