Forums
Main Category
General (Technical,...
Win 9x INFO file fo...
 
Notifications
Clear all

Win 9x INFO file format

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by twjolson 14 years ago
6 Posts
3 Users
0 Reactions
338 Views
RSS
 twjolson
(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
Topic starter 15/09/2011 12:04 am  

I have searched off and on for several days now, but I can't seem to find any white papers or web pages that show how the Win 9x INFO file is formated. All I know is that the entries are 280 bytes instead of 800.

I'm looking for a paper with offsets and explanations. Something that will allow me to parse it by hand.

Any help would be much appreciated.


   
Quote
harryparsonage
 harryparsonage
(@harryparsonage)
Estimable Member
Joined: 20 years ago
Posts: 184
15/09/2011 2:51 am  

I haven't checked it but is this any good?

http//freefr.dl.sourceforge.net/project/odessa/ODESSA/White%20Papers/Recycler_Bin_Record_Reconstruction.pdf

H


   
ReplyQuote
 twjolson
(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
Topic starter 15/09/2011 7:18 am  

It's decent enough, I have read it before when researching Win XP style INFO2 records. But I am aiming for Win 9x style


   
ReplyQuote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
15/09/2011 4:30 pm  

It's decent enough, I have read it before when researching Win XP style INFO2 records. But I am aiming for Win 9x style

See if this info is enough
http//books.google.com/books?id=DQdWRitMcyAC&printsec=frontcover&hl=it#v=onepage&q&f=false
go to page 147.
http//books.google.com/books?id=xNjsDprqtUYC&printsec=frontcover&hl=it#v=onepage&q&f=false
go to pages 254/255

some (scarce) info can be gathered from this perl thingy here
http//www.t8o.org/~mca1001/cgi/viewcvs/*checkout*/bin/W9x_unrecycle.pl

There is some (equally scarce) info in the "magic" file for "file()"
https://gist.github.com/gists/983632/download

# Windows Recycle Bin record file (named INFO2)
# By Abel Cheung (abelcheung AT gmail dot com)
# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes
# Since Vista uses another structure, INFO2 structure probably won't change
# anymore. Detailed analysis in
# http//www.cybersecurityinstitute.biz/downloads/INFO2.pdf
0 lelong 0x00000004
>12 lelong 0x00000118 Windows Recycle Bin INFO2 file (Win98 or below)

0 lelong 0x00000005
>12 lelong 0x00000320 Windows Recycle Bin INFO2 file (Win2k - WinXP)

but still it is mostly related to the newer version, but we now know of the existence of a "version 4" and of a "version 5"

There is a paper by Geoff H.Fellows
The joys of complexity and the deleted file
that may provide some mopre info, but I couldn't find a non-pay version to check
http//www.sciencedirect.com/science/article/pii/S1742287605000289

But doesn't RIFIUTI parse that file?

jaclaz


   
ReplyQuote
 twjolson
(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
Topic starter 16/09/2011 1:46 am  

Thanks jaclaz. I don't have a chance to look at these now, but I will when i get home. Thanks.

Rifiuti does parse them, as far as I've heard, but I haven't had a chance to use that to reverse engineer the INFO2 records yet. Time is ever short for me nowdays. Plus, I didn't want to waste time reinventing the wheel.


   
ReplyQuote
 twjolson
(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
Topic starter 18/09/2011 1:51 am  

Yea, those links didn't help much. Sorry.

Rifiuti does parse Win98 and later Info2 records (Not Win 95 INFO records), but not always correctly. In my test, had the date or time wrong on 3 of the 5 records.

I don't see any filetime timestamps, not surprisingly, but I can't even find any dos timestamps either.

So far, I'll I've picked out were the path and deleted name. Go for the low hanging fruit first, I always say!


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: