INFO2 file details

10 Posts
4 Users
0 Likes
1,170 Views
(@subujoseph)
Posts: 51
Trusted Member
Topic starter
 

Hello Everyone,

I am kind of drawing a blank here.
I am looking at INFO2 entries from an XP image. What happens to an INFO2 entry once the file is restored from the recycle bin?
I don't have access to an XP machine to do a bit of research. If anyone knows the answer it would be really appreciated.

Many Thanks.

 
Posted : 22/05/2013 4:48 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I did a quick Google search and found several pages/sites that had references to what you're looking for/at, but they were older (circa 2004, etc.).

What I might suggest is that you try testing it.

 
Posted : 22/05/2013 5:18 pm
(@twjolson)
Posts: 417
Honorable Member
 

As I recall, when a file is restored the first letter of the path (which should be the drive letter) gets changed from the drive letter to NULL. It does this when the file is deleted out of the Recycle Bin as well (not emptied, as that will create a new INFO2 file and put the old one, and its entries, in unallocated space).

If you are looking to recover unallocated entries, the Case Processor does a pretty decent job. More than a few false positives though. So make sure you validate it or know how to parse the results out by hand.

 
Posted : 22/05/2013 6:18 pm
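
The marker described in the post above (first byte of the path set to NULL) can be checked with a short parser. This is an added example, not part of any post in the thread; the 20-byte header, 800-byte records and field offsets are assumptions based on the publicly documented Windows 2000/XP INFO2 layout, and the sample image is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE, RECORD_SIZE = 20, 800   # assumed Windows 2000/XP INFO2 layout


def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_info2(data):
    """Parse INFO2 bytes; 'removed' is True when the path's first byte is NUL."""
    (record_size,) = struct.unpack_from("<I", data, 12)   # record size DWORD
    if record_size != RECORD_SIZE:
        raise ValueError(f"unexpected record size: {record_size}")
    entries = []
    for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        rec = data[off:off + RECORD_SIZE]
        index, drive, deleted, size = struct.unpack_from("<IIQI", rec, 260)
        removed = rec[0] == 0
        # Only the first byte is overwritten, so the rest of the ANSI path is
        # still readable and the letter can be rebuilt from the drive number.
        tail = rec[1:260].split(b"\x00", 1)[0].decode("cp1252", "replace")
        letter = chr(ord("A") + drive) if removed else chr(rec[0])
        entries.append({
            "index": index,
            "path": letter + tail,
            "removed": removed,          # restored or deleted out of the bin
            "deleted_utc": filetime_to_utc(deleted),
            "size": size,
        })
    return entries


def build_sample():
    """Constructed two-record INFO2 image (not taken from a real case)."""
    def record(path, index, ft, size, removed):
        ansi = path.encode("cp1252")
        if removed:
            ansi = b"\x00" + ansi[1:]    # the marker described in the thread
        wide = path.encode("utf-16-le")
        return (ansi.ljust(260, b"\x00") + struct.pack("<IIQI", index, 2, ft, size)
                + wide.ljust(520, b"\x00"))
    header = struct.pack("<5I", 5, 0, 0, RECORD_SIZE, 0)  # only offset 12 is used
    ft = 130137000000000000              # constructed deletion time
    return (header + record(r"C:\Docs\report.doc", 1, ft, 24576, False)
            + record(r"C:\Docs\budget.xls", 2, ft, 8192, True))
```

A `removed` entry only says the record was marked; as the thread notes, the marker alone does not distinguish a restore from a deletion out of the Recycle Bin.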
(@subujoseph)
Posts: 51
Trusted Member
Topic starter
 

Thanks keydet89,

I also did a Google search and all the literature available on the topic is old. The other option is to test it out. I might do that.

 
Posted : 22/05/2013 6:41 pm
(@subujoseph)
Posts: 51
Trusted Member
Topic starter
 

Thanks twjolson,

I think you are right. I suspected it because as you said there are certain entries in the INFO2 file which don't have the drive letter in the beginning. Also, the files are live on the disk. So it would appear that the files were put in the recycle bin and then restored later.

Is there a way to find the date when the file was restored from the recycle bin? Also will the creation date of the restored file change once it is put in recycle bin and later restored? I think 'creation date' of the file won't change but I am not sure.

Many thanks for your help.

 
Posted : 22/05/2013 7:01 pm
(@twjolson)
Posts: 417
Honorable Member
 

> Thanks twjolson,
> So it would appear that the files were put in the recycle bin and then restored it later.

If the same file is found at the same path, with the same file size as is noted in the INFO2 record, yea I would say that more than likely it was restored. There is nothing indisputable that would say, "This file was restored", and an opposing expert could always argue the opposite (and may not be wrong). That is, as long as it is not too generic, like desktop.ini or something.

> Is there a way to find the date when the file was restored from the recycle bin?

I do not believe that information is logged anywhere. You MIGHT get lucky and be able to use the Entry Modified timestamp, but you'd never be able to say why it was modified (I am, of course, assuming NTFS as the file system). The other option is $LogFile and $UsnJrnl, though I know so very little about those, save that if the restoration happened far enough back in time, the records would have been purged.

Searching for the file name is always a good option. Who knows what you'll find.

> Also will the creation date of the restored file change once it is put in recycle bin and later restored? I think 'creation date' of the file won't change but I am not sure.

I doubt the created or modified timestamps would change, as moving to/from the Recycle Bin is mostly like moving to/from any other folder. I guess if the restore moved the file to another file system, some timestamps may get updated.

As always, test it yourself. You don't know me, I could be completely full of it.

 
Posted : 22/05/2013 7:27 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

> Is there a way to find the date when the file was restored from the recycle bin? Also will the creation date of the restored file change once it is put in recycle bin and later restored? I think 'creation date' of the file won't change but I am not sure.

Great questions, honestly.

Why not test it out and share your methodology and findings with the group?

 
Posted : 22/05/2013 7:27 pm
(@subujoseph)
Posts: 51
Trusted Member
Topic starter
 

Hi twjolson

Thanks. Your reply was most informative. Very much appreciated.

Now I have to test it. I will do that as soon as I get hold of an XP machine.

 
Posted : 22/05/2013 8:19 pm
(@subujoseph)
Posts: 51
Trusted Member
Topic starter
 

Thanks keydet89

I hope to find some results soon, provided I get an XP machine.

 
Posted : 22/05/2013 8:42 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Just in case, rifiuti and rifiuti2
http://www.mcafee.com/us/downloads/free-tools/rifiuti.aspx
http://code.google.com/p/rifiuti2/

Original whitepaper
http://sourceforge.net/projects/odessa/files/ODESSA/White%20Papers/
http://downloads.sourceforge.net/project/odessa/ODESSA/White%20Papers/Recycler_Bin_Record_Reconstruction.pdf?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fodessa%2Ffiles%2FODESSA%2FWhite%2520Papers%2F&ts=1369389400&use_mirror=switch

jaclaz

 
Posted : 24/05/2013 2:57 pm