INFO2 file details  

subujoseph
(@subujoseph)
Member

Hello Everyone,

I am kind of drawing a blank here.
I am looking at INFO2 entries from an XP image. What happens to an INFO2 entry once the file is restored from the recycle bin?
I don't have access to an XP machine to do a bit of research. If anyone knows the answer it would be really appreciated.

Many Thanks.

Posted : 22/05/2013 5:48 pm
keydet89
(@keydet89)
Community Legend

I did a quick Google search and found several pages/sites that had references to what you're looking for/at, but they were older (circa 2004, etc.).

What I might suggest is that you try testing it.

Posted : 22/05/2013 6:18 pm
twjolson
(@twjolson)
Active Member

As I recall, when a file is restored the first letter of the path (which should be the drive letter) gets changed from the drive letter to NULL. It does this when the file is deleted out of the Recycle Bin as well (Not emptied, as that will create a new INFO2 file and puts the old one, and its entries, in unallocated space).

If you are looking to recover unallocated entries, the Case Processor does a pretty decent job. More than a few false positives though. So make sure you validate it or know how to parse the results out by hand.

Posted : 22/05/2013 7:18 pm
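An added example, not code from this thread, that builds a constructed Windows 2000/XP-format INFO2 file and parses it, flagging the records whose ANSI path begins with NUL in the way twjolson describes. The record layout assumed here (20-byte header, 800-byte records: 260-byte ANSI path, index, drive number, FILETIME deletion time, size, 520-byte UTF-16 path) is the documented XP format, and the two sample entries are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_LEN = 20    # version, two reserved dwords, record size, total record bytes
RECORD_LEN = 800   # Windows 2000/XP (version 5) record size
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch, 100 ns ticks

def dt_to_filetime(dt):
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def build_record(index, drive_no, path, deleted, size, restored=False):
    """One 800-byte record: 260-byte ANSI path, index, drive number, FILETIME,
    size, 520-byte UTF-16 path. 'restored' nulls the ANSI path's drive letter."""
    ansi = path.encode("latin-1")
    if restored:
        ansi = b"\x00" + ansi[1:]
    return (ansi.ljust(260, b"\x00")
            + struct.pack("<IIQI", index, drive_no, dt_to_filetime(deleted), size)
            + path.encode("utf-16-le").ljust(520, b"\x00"))

def build_info2(records):
    body = b"".join(build_record(*r) for r in records)
    return struct.pack("<5I", 5, 0, 0, RECORD_LEN, len(body)) + body

def parse_info2(data):
    """Return one dict per record; 'restored' is True when the ANSI path starts with NUL."""
    version, _, _, rec_len, _ = struct.unpack_from("<5I", data, 0)
    if version != 5 or rec_len != RECORD_LEN:
        raise ValueError("not a Windows 2000/XP INFO2 file")
    entries = []
    for off in range(HEADER_LEN, len(data) - RECORD_LEN + 1, RECORD_LEN):
        rec = data[off:off + RECORD_LEN]
        index, drive_no, ft, size = struct.unpack_from("<IIQI", rec, 260)
        entries.append({
            "index": index, "drive": chr(ord("A") + drive_no), "size": size,
            "deleted_utc": filetime_to_dt(ft),
            "path": rec[280:].decode("utf-16-le").split("\x00", 1)[0],
            "restored": rec[0] == 0,   # drive letter overwritten with NULL
        })
    return entries

SAMPLE_INFO2 = build_info2([   # constructed sample: one entry in the bin, one nulled
    (1, 2, r"C:\Documents and Settings\user\My Documents\budget.xls",
     datetime(2013, 5, 20, 14, 30, tzinfo=timezone.utc), 24576, False),
    (2, 2, r"C:\Documents and Settings\user\Desktop\notes.txt",
     datetime(2013, 5, 21, 9, 5, tzinfo=timezone.utc), 1024, True),
])
```

A nulled first byte only says the record was not removed by emptying the bin; as the thread notes, it cannot by itself distinguish a restore from a delete-from-bin.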
subujoseph
(@subujoseph)
Member

Thanks keydet89,

I also did a Google search and all the literature available on the topic is old. The other option is to test it out. I might do that.

Posted : 22/05/2013 7:41 pm
subujoseph
(@subujoseph)
Member

Thanks twjolson,

I think you are right. I suspected it because, as you said, there are certain entries in the INFO2 file which don't have the drive letter at the beginning. Also, the files are live on the disk. So it would appear that the files were put in the recycle bin and then restored later.

Is there a way to find the date when the file was restored from the recycle bin? Also will the creation date of the restored file change once it is put in recycle bin and later restored? I think 'creation date' of the file won't change but I am not sure.

Many thanks for your help.

Posted : 22/05/2013 8:01 pm
twjolson
(@twjolson)
Active Member

Thanks twjolson,
So it would appear that the files were put in the recycle bin and then restored it later.

If the same file is found at the same path, with the same file size as is noted in the INFO2 record, yeah, I would say that more than likely it was restored. There is nothing indisputable that would say, "This file was restored", and an opposing expert could always argue the opposite (and may not be wrong). That is, as long as it is not too generic, like desktop.ini or something.

Is there a way to find the date when the file was restored from the recycle bin?

I do not believe that information is logged anywhere. You MIGHT get lucky and be able to use the Entry Modified timestamp, but you'd never be able to say why it was modified (I am, of course, assuming NTFS as the file system). The other option is $LogFile and $UsnJrnl, though I know so very little about those, save that if the restoration happened far enough back in time, the records would have been purged.

Searching for the file name is always a good option. Who knows what you'll find.

Also will the creation date of the restored file change once it is put in recycle bin and later restored? I think 'creation date' of the file won't change but I am not sure.

I doubt the created or modified timestamps would change, as moving to/from the Recycle Bin is mostly like moving to/from any other folder. I guess if the restore moved the file to another file system, some timestamps may get updated.

As always, test it yourself. You don't know me, I could be completely full of it.

Posted : 22/05/2013 8:27 pm
keydet89
(@keydet89)
Community Legend

Is there a way to find the date when the file was restored from the recycle bin? Also will the creation date of the restored file change once it is put in recycle bin and later restored? I think 'creation date' of the file won't change but I am not sure.

Great questions, honestly.

Why not test it out and share your methodology and findings with the group?

Posted : 22/05/2013 8:27 pm
subujoseph
(@subujoseph)
Member

Hi twjolson

Thanks. Your reply was most informative. Very much appreciated.

Now I have to test it. I will do that as soon as I get hold of an XP machine.

Posted : 22/05/2013 9:19 pm
subujoseph
(@subujoseph)
Member

Thanks keydet89

I hope to find some results soon, provided I get an XP machine.

Posted : 22/05/2013 9:42 pm