lowmanio.co.uk title image

Windows 7 Recycle Bin Forensics

Fri, 13 May 2011 12:33PM

Category: Digital Forensics & Malware

Written by Sarah | No comments

When you look at your recycle bin folder, Windows shows you all the files you’ve deleted in a user friendly format – i.e. the name of the file you originally deleted and when it was deleted. The operating system does quite a bit of work for you, as the actual files within your recycle bin are not quite as user friendly. The recycle bin in Windows 7 is located at:

C:\$RECYCLE.BIN\

In here there is a folder for every user on the machine named the user’s SID. Mine, for example, is:

C:\$RECYCLE.BIN\S-1-5-21-1403593730-568349637-849237437-1000

(You can easily find your SID if you type regedit in the command line, and browse to HKEY_USERS). When you have a look at your recycle bin in the command line, you’ll see a very different picture:


Screenshot 1: Actual files in the recycle bin

When a file is moved to the recycle bin, Windows 7 renames it $R<6 letter random string>. Metadata about the original file is named $I<same 6 letter random string>. The files starting in $I contain:

  • Bytes 0 to 7: A file header, always 0100000000000000
  • Bytes 8-15: the file size in little endian
  • Bytes 16-23: the deleted timestamp in Windows timestamp format (number of seconds since Jan 1st 1601) in little endian
  • Bytes 24-543: the original file path

You’ll notice the $I files are all exactly 544 bytes long. These files are not in a nice readable format, but I made a Python script to do the work for you. If you’re on a Windows 7 machine, you just need to run the script from anywhere, and it will produce a csv file of all the files and related metadata for each user’s recycle bin. The script is easily modifiable if the recycle bin folder has been copied out of EnCase or similar. The code is available here: win7RecycleBin.py. View all my scripts here

Here's a snippet of the code showing how I convert little endian Hex code to integers. I'm sure there's a shorter, neater way of doing it, but this works nicely :)

def convert_little_endian(num_bytes, f):
	""" num_bytes is the number of bytes to read 
	from the open file f that are in little endian format. 
	Returns the result as a decimal number. """
	
	bytes = []
	for i in xrange(0,num_bytes):
		bytes.append(f.read(1).encode("hex"))
	bytes.reverse()
	return int("".join([hex for hex in bytes]),16) 

References: http://dereknewton.com/2010/06/recycle-bin-forensics-in-windows-7-and-vista/

Comments

No comments.

Add a comment

captcha