Notifications

Clear all

strange recycle bin phenomena

lasvegascop · 2015-03-02T21:20:18Z

I have a situation where the head of the household (dad) was arrested for possession of child porn due to P2P downloads.Dad lives in a house with several other adults including his adult child and a child under 18.Everyone in the house uses the same computer.Dad is adamant that he did not download, view or possess in any way any CP. Dad did state that he is constantly monitoring his kids usage and checking the computer after his children use it and always checks the recycle bin for deleted files and always empties it, but has never noticed any CP.Dad appears not to be very computer savvy.THe computer was seized by LE and an image (E01s) were created with FTK. The investigating detective discovered CP in the recycle bin with many other files as well as the shared folder of the P2P program.I looked at the images and I verified that the recycler did appear to contain many CP files.It appeared to me that the recycle bin had not been emptied in a long time and it contained gigs of files including CP.The client (Dad) then advised me that he knows that he had emptied the recycle bin prior to the day of seizure.We then went back to ICAC and mounted and booted the E01s to view the image as a running computer as the computer operator would have seen it.THe recycle bin shows empty in the virtual mounted images just as the client stated it should be.What could cause the FTK report to show files in the recycler when the booted image shows a empty recycle bin? I will need to go back to ICAC and view the images again soon hopefully with some ideas from the group.Since these images contain CP I have to go to the ICAC off site office to do any viewing of the computer and I am limited as to what I can take from there. THis is a Vista OS.FYI, my goal here is not to get any viewer, possessor, or downloader of CP set free, it is to make sure the right person pays for the crime and an innocent man does not go to prison.Larry

Page 3 / 3 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by lasvegascop 10 years ago

22 Posts

9 Users

0 Reactions

4,222 Views

RSS

pbobby

(@pbobby)

Estimable Member

Joined: 16 years ago

Posts: 239

18/03/2015 7:11 pm

I can copy data to C\$Recycle.Bin by hand (say, from a command shell) - and it won't appear in the Recycle Bin via Windows Explorer because it's in the top level of the folder, with no desktop.ini (Windows Explorer displays the content in the SID folder for the currently logged in user)

But of course the data shows up when viewed with FTK.

Some Malware will hide data in the Recycle Bin this way.

Was this data in the top level folder of the Recycle bin?

ReplyQuote

lasvegascop

(@lasvegascop)

Trusted Member

Joined: 12 years ago

Posts: 98

Topic starter 18/03/2015 7:49 pm

Yes, it was.
Here is the path + the SID. One thing that I noticed right away is that the RID is not the same RID as the user account (1001)

THere were hundreds of files in the C\$Recycle.bin and there were many RIDs used from 1002, 1007 to 1161 but only one user account.

\C\$Recycle.Bin\S-1-5-21-2228628257-2297675940-1808716662-1002

I also discovered that there is a hidden user that was created named Test.
The user Test was created as a Domain user rather than a Local User and had a Primary Group Number of 0 as opposed to 513 like the regular user accounts.

C\$Recycle.Bin\S-1-5-21-2228628257-2297675940-1808716662-
1007\test\Downloads

On the second path there is the "test" showing up but I am not at the forensic computer right now to see if the \test\ is a user name, or a folder. Any ideas on that?.

Larry

ReplyQuote

Page 3 / 3 Prev

8 Forums
15.7 K Topics
92.3 K Posts
226 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed