Possibility…
Since VISTA uses the /$Recycle.bin folder I am pretty certain that it is an "invisible" folder.
Therefore it may not be visible to the user when they look into the recycle bin from the desktop. Forensic software like FTK would be able to see it though.
I will have to find me a Vista computer and research and test this.
Vista uses a similar folder structure for the Recycle Bin as seen on XP/2003 systems, but instead of the INFO2 file, uses index ($Ixxxx) and resource ($Rxxxx) files.
However, the folder is still a "special" folder on Windows systems. As such, I would recommend that you take a moment to look at the folder in FTK Imager, and see if the files are marked with red Xs…
Just an idea, but maybe you could try seeing what Rifiuti2 "sees"
http://code.google.com/p/rifiuti2/
jaclaz
Windows Vista and later no longer uses the INFO2 file.
Instead it uses the /$Recycle.bin folder.
And not-so-casually I pointed you to Rifiuti 2, i.e. the updated version compatible (UNLIKE Rifiuti 1) with the new Vista Recycle Bin.
jaclaz
You could also consider parsing $UsnJrnl/$LogFile, to get some more insight into what happened on the filesystem over time. Analysis of $MFT only tells you some information at 1 point in time.
But then again, you did not say what filesystem this is, and I just assumed NTFS since I heard Vista.
Thanks joakims.. BTW, yes, it is NTFS
Microsoft have a KB article that might be this particular issue, as it reads like the symptoms are those described by your user (i.e. bin emptied, but no content shown in Windows):
"Files Are Not Deleted From Recycler Folder
When you empty the Recycle Bin in Windows, the files may not be deleted from your hard disk.
NOTE: You cannot view these files using Windows Explorer, My Computer, or the Recycle Bin."
Full article http//
Alternatively, as I mentioned before, it could be old historic SIDs that have been orphaned.
I've seen cases where there are numerous SIDs hanging off the Recycle Bin but only one or two actual user accounts. It seems that users use their own unorthodox methods of removing accounts by simply deleting the user profile directory from their \Users\ (or wherever) path rather than using the Windows add\remove account procedure, which then leaves behind lots of orphaned artifacts.
After a little more investigation I believe that this is what's happening.
The /$recycle.bin reveals that a user /test/ had deleted these items. There is no user Test plainly visible in the user accounts. So, I believe someone created the user Test, then downloaded the files and deleted the user Test.
Therefore, when you look at the recycle bin as the main user the bin appears empty.
I am looking now at the registry to see if I can find any evidence of the deleted user Test.
Larry
Hello,
You may find interesting information here (http//
For example, if you wanted to determine which wired or wireless network the computer was connected to during the usage of the now deleted "Test" user account, you could export the Windows Event Logs (stored in C:\Windows\System32\config or C:\Windows\System32\winevt\Logs depending on OS) for analysis from the forensic image files using FTK Imager to a folder on an analysis hard drive.
I use Event Log Explorer (http//
There are tens of different event logs on a given PC, and I do not recall the specific log name or log names, but there is definitely at least one event log that shows
1) the network name connected to
2) the Windows SID that was logged in during the time the network was connected to
3) date/time network was connected to
This information could reveal if the "Test" user was connected to a Starbucks wifi or the home wifi network when torrenting the contraband.
I only practice in civil litigation, so I am not sure if the above information would be helpful to your situation.
I did have a case that involved a person creating and subsequently deleting a user account in order to delete volume shadow copies.
I recall that TZWorks' tools allowed me to carve the MFT and reveal relevant information.
Also, OSForensics (Passmark.com) extracted the deleted account, number of logins, etc., so you might want to get a demo copy of OSForensics to see what it can reveal. OSForensics works great with FTK Imager - mounted forensic images. Just make sure to mount the forensic image files in FTK Imager as read and write, not read only.
*** Thank you for the work you perform protecting our community. It is greatly appreciated.
Larry
Thanks unallocatedclusters.
I actually went there this AM and grabbed all the WinEvnt logs and I will analyze them tonight.
Thanks for the IronGeek URL and the tool tips.
Very helpful,
Thanks, Larry
…
I am looking now at the registry to see if I can find any evidence of the deleted user Test.
Larry
By default the RID sequence does not change, and previous RIDs will not be reused.
In some of the replies, it was suggested that you might be seeing deleted Recycle.Bin records. Even though it is possible to see them, it is very unlikely that they will stick around, since they are regular file entries in the MFT. $I….. is a resident file with original logical file size, deletion date/time, and original file location/name. The $R….. is the original file MFT record with an added $40 ($VOLUME_VERSION) attribute.
So, when the file is removed from the Recycle.Bin, the MFT record is restored for the $R……. and the $I record made available again. If the file is deleted from the Recycle.Bin, then both records will be made available for overwrite. Thus, if you are fast enough, then you might see them, but it is very unlikely to have them if the system was used after the clearing of the recycle bin. That just reinforces the value of pulling the plug when collecting evidence.
I'm glad you found the deleted Test account, so you are on your way to find the answers. I still think, that Internet artifact and timeline analysis will help you find out who was "messing" with the system. If they are not technical at all, then they will search info on the Internet to find answers. Timeline of other non-related activity on the system will give a good idea who was using the system at the time when the account was created and removed for a more precise identification of an individual. If that works, you might see a search to find an answer to a homework question or a chat session with a girlfriend. You might even find artifacts in the "cloud" like DropBox that will also help identify and single out a person.
Good luck.
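As an added example (not code from the thread, nor from Rifiuti2, FTK or any other tool mentioned in it), the following Python script parses the $I records described in the last reply and walks a $Recycle.Bin tree one SID folder at a time, pairing each $I with its $R twin. The record layout it assumes is the publicly documented one, which is not spelled out in the thread: version 1 (Vista/7/8) stores a u64 version, u64 original size, u64 FILETIME and a fixed 520-byte UTF-16LE path; version 2 (Windows 10 onward) replaces the fixed field with a u32 character count and a variable-length path, so the parser goes slightly beyond the Vista case the thread discusses. The SID, file names, sizes and timestamps in the demo are constructed test data, not evidence from the case.

```python
"""Added example: parse Recycle Bin $I metadata files and pair them with $R files.

Assumed record layout (public documentation of the format, not from the thread):
  version 1 (Vista/7/8): u64 version=1 | u64 size | u64 FILETIME | 520-byte UTF-16LE path
  version 2 (Win10+):    u64 version=2 | u64 size | u64 FILETIME | u32 path chars | UTF-16LE path
"""
import struct
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is a count of 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_i_file(data: bytes) -> dict:
    """Decode one $I record; raises ValueError on a truncated or unknown record."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    # The path is NUL-terminated/padded UTF-16LE; keep everything before the first NUL.
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_utc": filetime_to_datetime(ft),
        "original_path": path,
    }


def scan_recycle_bin(root: Path) -> list:
    """Walk <root>/<SID>/$I* files, tag each with its SID folder and check for the $R twin.

    A SID folder with no matching account on the system (the orphaned-SID case from
    the thread) still shows up here: the folder name is the only remaining link
    between the deleted items and the account that deleted them.
    """
    records = []
    for sid_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for i_file in sorted(sid_dir.glob("$I*")):
            rec = parse_i_file(i_file.read_bytes())
            rec["sid"] = sid_dir.name
            rec["r_file_present"] = (sid_dir / ("$R" + i_file.name[2:])).exists()
            records.append(rec)
    return records


def build_sample_i(path: str, size: int, deleted: datetime, version: int = 1) -> bytes:
    """Constructed test data: synthesize a $I record of the requested version."""
    ft = ((deleted - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    enc = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return struct.pack("<QQQ", 1, size, ft) + enc.ljust(520, b"\x00")
    if version == 2:
        return struct.pack("<QQQI", 2, size, ft, len(path) + 1) + enc
    raise ValueError("unsupported version")


def demo_scan() -> list:
    """Build a constructed $Recycle.Bin tree in a temp dir and scan it.

    Constructed layout: one SID folder (hypothetical SID), one complete $I/$R pair
    and one $I whose $R is already gone.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sid = Path(tmp) / "S-1-5-21-1111111111-2222222222-3333333333-1001"
        sid.mkdir()
        (sid / "$IABC123.avi").write_bytes(build_sample_i(
            r"C:\Users\Test\Downloads\clip.avi", 734003200,
            datetime(2012, 3, 15, 22, 41, 5, tzinfo=timezone.utc)))
        (sid / "$RABC123.avi").write_bytes(b"\x00" * 16)
        (sid / "$IXYZ789.txt").write_bytes(build_sample_i(
            r"C:\Users\Test\notes.txt", 42,
            datetime(2012, 3, 16, 8, 0, 0, tzinfo=timezone.utc)))
        return scan_recycle_bin(Path(tmp))


if __name__ == "__main__":
    for r in demo_scan():
        print(r["sid"], r["deleted_utc"].isoformat(), r["original_size"],
              r["original_path"], "R present" if r["r_file_present"] else "R missing")
```

On a real image, point scan_recycle_bin at the exported $Recycle.Bin directory (for example one pulled out with FTK Imager) rather than at a live system, and cross-check the SID folder names against the accounts that still exist; a folder whose SID has no profile left behind is exactly the deleted-account situation described in the thread.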