$Recycle.Bin Forensics: Analysis of $I (metadata file) and $R (actual content)


Forensic Insight into Windows 10 $Recycle.Bin 


In Windows 10, deleted files are temporarily stored in "C:\$Recycle.Bin", a hidden subdirectory under the root of the volume. Completing the deletion process yields two separate files placed within the $Recycle.Bin path, as follows:
  • $I – Contains metadata specific to the deleted file (original file path, file size, deletion timestamp, file name length and file name).
  • $R – Contains the actual contents of the file.
The two files ($I and $R) corresponding to a deleted file are suffixed with the same random six-character value after $I and $R, resulting in an 8-character file name.

The system creates SID-based folders corresponding to each user account, so the name of the sub-folder is the SID of the user who deleted the file. A sub-folder is created for a user the first time that user deletes a file into the Recycle Bin. As required by the investigation, an analyst can examine the contents of the SID sub-folders.

Let’s look at an example:


Step 1 :

Below there are 2 files, a .pdf and a .jpg file. We are going to delete both of these files and then delete them from the Recycle Bin as well, since we want to recover these files afterwards.



Step 2 :

Now open the command prompt and run as administrator.

To view the hidden files type dir /a and then we can see the $Recycle.Bin folder on the second line.



Step 3 :

Now change the directory to $Recycle.Bin by typing “cd $Recycle.Bin” and to see files under the Recycle Bin directory type “dir /a”. The SID folders are illustrated below. 



Step 4 :

In order to determine the user name behind each SID, and the other SIDs present on the system, the following command can be used:

wmic useraccount get name,sid  


Now I’m currently logged in as ASUS (my user account), so it is the folder in which my Recycle Bin activities are stored. Here, "S-1-5-21-1047769458-955421739-3628953373-1001" is associated with the user account named ASUS.


Step 5 :

Let’s get into the SID folder by entering the below command:

cd S-1-5-21-1047769458-955421739-3628953373-1001


As we want to recover the files that were deleted on 27-02-2022, we can see that there are two $I files containing the metadata and two $R files containing the actual contents of the files.

Step 6 :

Now we can copy the $R and $I files to a recovery folder by using the copy command as shown below:

Syntax:

copy "$R file name" "recovery folder location"

copy "$I file name" "recovery folder location"


Now we can see that the $I and $R files are recovered/copied in the RecoveryData folder. 


Step 7 :

The following custom-developed Python code may be used to recover the metadata of the deleted files, i.e. to parse the $I file. The $I file holds the following data structure, which can be followed to extract this crucial information.



The Python code is provided below for better understanding and smooth implementation.

import struct
import datetime

# Read the raw bytes of the recovered $I file (path of the RecoveryData folder used above)
with open("C:\\Users\\ASUS\\OneDrive\\Desktop\\RecoveryData\\$I4ARIVC.jpg", "rb") as fileobj:
    data = fileobj.read()
print(data)


def FromFileTime(filetime):
    # FILETIME is the number of 100-nanosecond intervals since 1601-01-01 00:00 UTC
    if filetime < 0:
        return None
    timestamp = filetime / 10  # convert 100 ns ticks to microseconds
    time1 = datetime.timedelta(microseconds=timestamp)
    date_time = datetime.datetime(1601, 1, 1) + time1
    date_time = date_time + datetime.timedelta(minutes=330)  # shift from UTC to IST (UTC+05:30)
    return date_time.strftime('%d %b %Y %I:%M:%S%p')


header = struct.unpack("<Q", data[0:8])
print(header[0])  # Header / format version (8 bytes)

filesize = struct.unpack("<Q", data[8:16])
print(filesize[0])  # File size in bytes (8 bytes)

deletion_time = struct.unpack("<Q", data[16:24])  # Deletion time as FILETIME (8 bytes)
print("File Deletion Date And Time= ", FromFileTime(deletion_time[0]))

name_length = struct.unpack("<L", data[24:28])
print(name_length[0])  # Filename length in UTF-16 characters, including the terminating null (4 bytes)

# The original path is stored as UTF-16LE and is variable in size; drop the trailing null
filename = data[28:28 + 2 * name_length[0]].decode('utf-16-le').rstrip('\x00')
print(filename)
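
The script above is tied to one file on the author's desktop. The following is an added example, not code from the original post, that generalises the same $I layout into a reusable parser: it handles both the Windows 10 format (version 2, length-prefixed name) and the older Vista/7 format (version 1, fixed 520-byte name field), reports the deletion time in UTC rather than a fixed local offset, and derives the matching $R name from a $I name. The sample record, the path "C:\Users\ASUS\Desktop\report.pdf", the size 48213 and the 27-02-2022 timestamp are constructed test data, not a real capture.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 1601-01-01 UTC, counted in 100-nanosecond ticks
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ticks: int) -> datetime:
    """Convert a FILETIME value to an aware UTC datetime (no local offset applied)."""
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_dollar_i(data: bytes) -> dict:
    """Parse a $I record. Version 1 (Vista/7) stores the original path in a
    fixed 520-byte field; version 2 (Windows 10) stores a 4-byte length first."""
    if len(data) < 24:
        raise ValueError("record too short for a $I header")
    version, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_name = data[24:24 + 520]
    elif version == 2:
        (name_len,) = struct.unpack_from("<I", data, 24)  # UTF-16 chars incl. NUL
        raw_name = data[28:28 + 2 * name_len]
        if len(raw_name) != 2 * name_len:
            raise ValueError("truncated filename field")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw_name.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_utc(ticks), "original_path": path}

def matching_r_name(i_name: str) -> str:
    """$I and $R share the random suffix, e.g. $I4ARIVC.jpg -> $R4ARIVC.jpg."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]

def build_record(version: int, path: str, size: int, deleted: datetime) -> bytes:
    """Constructed test vector (not a real capture) in the v1 or v2 layout."""
    ticks = ((deleted - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return struct.pack("<QQQ", 1, size, ticks) + encoded.ljust(520, b"\x00")
    return struct.pack("<QQQI", 2, size, ticks, len(encoded) // 2) + encoded

# Constructed sample: a Windows 10 $I for a PDF deleted on 27-02-2022 (UTC)
SAMPLE_DELETED = datetime(2022, 2, 27, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_I = build_record(2, r"C:\Users\ASUS\Desktop\report.pdf", 48213, SAMPLE_DELETED)

if __name__ == "__main__":
    print(parse_dollar_i(SAMPLE_I), "content in", matching_r_name("$I4ARIVC.pdf"))
```

To run it against a real recovered record, read the $I file in binary mode and pass its bytes to parse_dollar_i; the length check raises instead of silently decoding a truncated name.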



So now we have recovered both the actual contents and the metadata of the deleted file.

These were a few simple steps that can be used to recover deleted files from $Recycle.Bin.

We hope that this blog post might be very useful to you. 


Contributors:

1. Mr. Aman Pandey, B.Tech. CSE 6th Semester, OP Jindal University Raigarh, CG, India
2. Dr. Nitesh K Bharadwaj, Assistant Professor, Deptt. of CSE, OP Jindal University, Raigarh, CG, India.
3. Dr. Bhupendra Singh, Assistant Professor, Deptt. of CSE, IIIT Pune, Pune, MH, India


