The original blog post for this can be found at the Patrick Leahy Center for Digital Investigation blog, but this is a slightly edited version.
We still find the $Recycle.Bin, $R, and $I files. Here's a breakdown of my methodology.
- Created "I wonder if this will appear" at 10:14; deleted it at 10:14
- Created "test document.txt" at 10:22; deleted it at 10:23
- Created "lets try this" at 10:40, filled it with text (36.5 MB); deleted it at 10:40
The Recycle Bin in EnCase still shows $Recycle.Bin and the $I files. The $R files do not appear under that name: when you browse the per-user SID folder under $Recycle.Bin, each deleted item is listed under its original file name, because the $R file is the file's data itself while the matching $I file holds the metadata.
Located and verified the times for "test document", "lets try this", and "I wonder if this will appear"; they match what I recorded when creating and deleting the files.
Verified the hex layout of the $I files against the known Windows 7 layout:
Bytes 0-7 are still the file header: 01 followed by seven 00 bytes.
Bytes 8-15 are the original file size as an 8-byte little-endian integer. Reverse the byte order to read it as a normal (big-endian) number and convert from hex to decimal to get the size in bytes. I tested this with the "lets try this" document: EnCase showed F0 E2 39 02 00 00 00 00, which read in little-endian order is 0x0239E2F0, or 37,348,080 bytes, consistent with the roughly 36.5 MB file.
Bytes 16-23 are the deletion timestamp as a standard Windows FILETIME: a 64-bit little-endian count of 100-nanosecond intervals (not seconds) since midnight, January 1, 1601 UTC.
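To make the layout above concrete, here is a small $I parser, added as an example and not code from the original post. It reads the three fields described above (header, size, FILETIME) and also goes past what the post covers: the original path that follows at offset 24 (a fixed 520-byte UTF-16LE field in the Vista/7/8 layout), and the later Windows 10 layout, which uses header value 02 and prefixes the path with a 4-byte character count. The size bytes in the sample are the ones quoted above; the path, deletion time and the `$I1A2B3C.txt` name are constructed for this example.

```python
"""Parse Recycle Bin $I metadata records (added example; not from the original post)."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520  # 260 UTF-16 code units (MAX_PATH), NUL padded


def filetime_to_datetime(filetime):
    """Windows FILETIME: 100-ns ticks since 1601-01-01 UTC, so ticks // 10 = microseconds."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used to build sample input."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data):
    """Return header version, original size, deletion time (UTC) and original path."""
    if len(data) < 24:
        raise ValueError("too short to be a $I file")
    # bytes 0-7 header/version, 8-15 size, 16-23 FILETIME: three little-endian uint64
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Vista/7/8 layout: fixed 520-byte UTF-16LE path field at offset 24
        raw = data[24:24 + V1_PATH_BYTES]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:
        # Windows 10+ layout: uint32 character count (incl. NUL) at 24, path from 28
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I header version {version}")
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(filetime), "path": path}


def companion_r_name(i_name):
    """$I and $R share the identifier and extension: $I1A2B3C.txt pairs with $R1A2B3C.txt."""
    if not i_name.startswith("$I"):
        raise ValueError("not an $I file name")
    return "$R" + i_name[2:]


def build_v1_i_file(size, filetime, path):
    """Construct a version-1 record (only used here to create sample input)."""
    utf16 = path.encode("utf-16-le").ljust(V1_PATH_BYTES, b"\x00")
    return struct.pack("<QQQ", 1, size, filetime) + utf16


def build_v2_i_file(size, filetime, path):
    """Construct a version-2 (Windows 10+) record for sample input."""
    utf16 = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, filetime, len(path) + 1) + utf16


# Constructed sample: the size bytes are the ones quoted in the post (F0 E2 39 02 ...);
# the path and deletion time are made up for this example.
SAMPLE_SIZE_BYTES = bytes.fromhex("F0E2390200000000")
SAMPLE_DELETED = datetime(2013, 4, 30, 10, 40, 0, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\analyst\Desktop\lets try this.txt"
SAMPLE_I_FILE = build_v1_i_file(
    struct.unpack("<Q", SAMPLE_SIZE_BYTES)[0],
    datetime_to_filetime(SAMPLE_DELETED),
    SAMPLE_PATH,
)


if __name__ == "__main__":
    record = parse_i_file(SAMPLE_I_FILE)
    for key, value in record.items():
        print(f"{key:>8}: {value}")
    print("  $R file:", companion_r_name("$I1A2B3C.txt"))
```

To run it against a real image, read each `$I*` file from `$Recycle.Bin\<SID>\` with `open(path, "rb").read()` and pass the bytes to `parse_i_file`; the returned `deleted` value is UTC, so convert to the machine's local zone before comparing with times noted at the keyboard.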