

By Alex Parsons & Zachary Reichert

Introduction

One of the most fundamental forensic artifacts in an investigation is the Recycle Bin. When crimes are committed on computers, one of the first locations to check for evidence is almost always the Recycle Bin. As a result, this first blog post focuses on analyzing the Recycle Bin in Windows 10.

For this analysis we took two near-identical VMs running Windows 8.1 and Windows 10 and generated data for the Recycle Bin. The VMs were logged in to two separate Microsoft accounts and were on the latest Windows updates as of March 2, 2015. The following data generation tasks were run on March 2, 2015:

User action
1. Create Cloud Doc1.docx in OneDrive\Documents
2. Create Cloud Pres1.pptx in OneDrive\Documents
3. Create folder "Deleted Folder" in Documents
4. Create "Folder Doc 1.docx" in Deleted Folder
5. Create "Folder Pres1.pptx" in Deleted Folder
6. Delete "Cloud Doc1.docx" & "Cloud Pres1.pptx" in OneDrive\Documents

Since Windows 7, Recycle Bin artifacts for each user are found in the following location:

For each file that is deleted, one pair of files is placed in the Recycle Bin: one whose name starts with $I and one whose name starts with $R. Both end in the same six random characters and the original file extension. The $I file contains metadata: the file size, the deleted time and the original file path. The $R file contains the deleted file itself. A screenshot in FTK Imager is shown below.

Windows 8.1

The $I file is formatted in the following manner in Windows 8.1:

Windows 8.1 $I Recycle Bin Format
Offset   Size        Description
0        8 bytes     Header (begins with 01)
8        8 bytes     File size
16       8 bytes     Deleted time (in 64-bit Windows timestamp format)
24       520 bytes   File path

Below are screenshots of a $I file in Windows 8.1 in FTK Imager. As you can see, the offsets match the table shown above. The hex is parsed and converted according to the table as well.

In Windows 10, the contents are still split into $I and $R files, but the organization of the $I file is slightly different.

Windows 10

Below is a screenshot of a $I file in Windows 10 in FTK Imager. As you can see, the first field is still 8 bytes long, but it starts with a value of 02. It is followed by the 8-byte file size and then the deleted time, which matches the data generation sheet. There is then an unknown 4-byte value at offset 24, which is analyzed further below. Finally, the rest of the file is no longer a fixed 520 bytes; its length instead depends on the file path, as seen below. The end of the file appears to be marked by three contiguous zero bytes. Since the path is stored as UTF-16LE, a path that ends in an ASCII character leaves exactly that pattern: the zero high byte of the last character followed by the two-byte null terminator.

Differences between Windows 8.1 and 10 are detailed in the table below; the changes are at offsets 0, 24 and 28.

Field            Windows 8.1                          Windows 10
Offset 0         8-byte header, begins with 01        8-byte header, begins with 02
Offset 24        File path begins at offset 24        4 bytes of unknown characters
Offset 28        (inside the file path field)         File path begins at offset 28
File path size   Fixed 520 bytes                      Dependent upon file path length

Offset 24

After further investigation, the team worked on identifying the purpose of offset 24. When analyzing the files we found a pattern that seemed to indicate that offset 24 increments in the order in which the files were deleted. Not all values were strictly contiguous, though, so there should be more research into what this offset does exactly. One check worth running before settling on any interpretation is to compare the value at offset 24 with the number of UTF-16 characters in the path that follows it (null terminator included) and with the total length of the file, since a length field there would also explain why the file is no longer a fixed 520 bytes. Below is a table which lists the value of offset 24 for each $I file.

Although the changes are minor, they are significant for tools that rely on fixed offsets when analyzing the Recycle Bin. As of this writing, Rifiuti2, for example, will not work with the Windows 10 Recycle Bin files, and EnCase does not parse the data correctly.

Deleted Timestamp
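The parser below is an added example written for this page; it is not code from the post or from the authors' team. It reads both $I layouts discussed above: the Windows 8.1 layout with a header of 01 and a fixed 520-byte path, and the Windows 10 layout with a header of 02 and a variable-length path starting at offset 28, and it derives the paired $R name from a $I name. It goes beyond the post in one respect: the 4-byte field at offset 24, which the post leaves as unknown, is read as the number of UTF-16 characters in the path including the terminating null, which is how the version 2 $I format is now generally documented; the parser reports whether that reading agrees with the bytes actually present in the file, so the interpretation is checked rather than trusted. Every sample $I file, path, size, user name and $I file name here is constructed for the example, not captured from the VMs.

```python
"""Parse Recycle Bin $I metadata files: version 1 (Windows 7/8.1) and version 2 (Windows 10).

Example code added to this page, not from the original post. All sample data is constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520  # fixed UTF-16LE path field in version 1: 260 characters x 2 bytes


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def r_name_for(i_name: str) -> str:
    """Name of the $R file paired with a $I file: same six random characters and extension."""
    if not i_name.startswith("$I"):
        raise ValueError(f"not a $I file name: {i_name!r}")
    return "$R" + i_name[2:]


def parse_i_file(data: bytes) -> dict:
    """Return the metadata stored in a $I file.

    Offsets 0-23 are the same in both versions:
      0   8 bytes  header, doubles as the format version (01 or 02)
      8   8 bytes  original file size
      16  8 bytes  deletion time as a FILETIME
    Version 1: 24  520 bytes  original path, UTF-16LE, null padded
    Version 2: 24  4 bytes    path length in UTF-16 characters, null terminator included
               28  variable   original path, UTF-16LE, null terminated
    The version 2 reading of offset 24 is an assumption this parser checks rather than
    something the post establishes: 'offset24_matches_path' is True only when the field
    agrees with the path bytes actually present.
    """
    if len(data) < 24:
        raise ValueError("too short to be a $I file")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_BYTES]
        if len(raw) != V1_PATH_BYTES:
            raise ValueError("version 1 $I file is truncated")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
        offset24, consistent = None, True
    elif version == 2:
        if len(data) < 28:
            raise ValueError("version 2 $I file lacks the path length field")
        (offset24,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * offset24]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        consistent = len(data) == 28 + 2 * offset24 and len(path) + 1 == offset24
    else:
        raise ValueError(f"unknown $I header value {version}")
    return {"version": version, "size": size, "deleted": filetime_to_datetime(ft),
            "path": path, "offset24": offset24, "offset24_matches_path": consistent}


def build_i_file(version: int, size: int, deleted: datetime, path: str) -> bytes:
    """Build a $I file of either version. Used here only to construct sample input."""
    ft = ((deleted - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    head = struct.pack("<QQQ", version, size, ft)
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        if len(encoded) > V1_PATH_BYTES:
            raise ValueError("path does not fit the 520-byte version 1 field")
        return head + encoded.ljust(V1_PATH_BYTES, b"\x00")
    if version == 2:
        return head + struct.pack("<I", len(path) + 1) + encoded
    raise ValueError("unsupported version")


# Constructed samples: the user name "user", the paths, sizes and time are made up.
DELETED_AT = datetime(2015, 3, 2, 14, 30, 0, tzinfo=timezone.utc)
SAMPLE_V1 = build_i_file(1, 12288, DELETED_AT,
                         r"C:\Users\user\Documents\Deleted Folder\Folder Doc 1.docx")
SAMPLE_V2 = build_i_file(2, 12288, DELETED_AT,
                         r"C:\Users\user\OneDrive\Documents\Cloud Doc1.docx")

if __name__ == "__main__":
    # "$IABC123.docx" and "$IXYZ789.docx" are hypothetical Recycle Bin file names.
    for name, blob in (("$IABC123.docx", SAMPLE_V1), ("$IXYZ789.docx", SAMPLE_V2)):
        print(name, "->", r_name_for(name), parse_i_file(blob))
```

Feeding a version 2 file whose trailing bytes have been cut off makes `offset24_matches_path` come back False, which is the case a tool that still assumes a 520-byte path at offset 24 would silently misread; the same 02 header is what such a tool should use to switch layouts.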
