Forensics: Examining the Recycle Bin in Windows Vista

The attached article covers the examination of the recycle bin in Vista, which has changed significantly since Windows XP.

Extracts from the article are below; however, the PDF contains the screenshots and more details:

Examining the Recycle Bin in Windows Vista

For those examining Vista forensically, there are many changes and new areas to learn. One area is the Recycle Bin. For over a decade Windows systems have had a recycle bin with an INFO2 file, which was well known and understood. This has all changed with Vista.

The recycle bin is still there but the INFO2 file is not. Windows Vista still keeps track of the deleted files, just not with the INFO2 file.

In Windows Vista the following information is recorded for files in the recycle bin:

  • Name of file deleted
  • Full path of file deleted
  • Size of file deleted
  • Date of File Deletion

This information is stored within the Recycle Bin, as with previous Windows systems; however, in Vista each deleted file has a corresponding file storing the relevant information, called an $I file, rather than it all being combined into the INFO2 file.

The $I Files

When a file is manually deleted it is automatically placed into the recycle bin and two things happen.

1) The deleted file is renamed. The file extension stays the same but the file is given a new name starting with $R.

2) A new file starting with $I, with the same name as the newly renamed $R file, is created. This contains information about the file that was deleted.

Example: If Test1.DOC is deleted it is moved into the recycle bin and could be renamed something like $R4ED22. At the same time the $I file is created and would be called $I4ED22. The $R file is the same file as the original file and can be opened and viewed as before. The $I file contains information about the file that was deleted: name, date, time, original file path and file size.

Contents of the $I File

The $I file stores the following information:

  • Name of file deleted
  • Full path of file deleted
  • Size of file deleted
  • Date of File Deletion

The information is stored within the $I file as follows:

1) The first 8 bytes (file offset 0, for 8 bytes) are the $I header.

2) The second 8 bytes (file offset 8, for 8 bytes) are the size of the file in bytes.

3) The third set of 8 bytes (file offset 16, for 8 bytes) stores the date the file was deleted, in Windows date/time format.

4) After the header, the file size, and the date (24 bytes into the file) is the full path and file name of the original file, before it was deleted.

Decoding the $I Files

1) The $I file header, starting 01, for 8 bytes.

2) The second set of 8 bytes (file offset 8 for 8) is the size of the file.

3) The third set of 8 bytes (file offset 16 for 8) is the date and time the file was deleted. This date/time is stored in the standard Windows date/time format, 8 bytes long. Simply bookmarking this 8-byte date in EnCase will show the date the file was deleted.

4) The final set of information within the $I file is the full path and file name. This is from file offset 24 and runs for the length of the path and file name.
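The $I layout described in the two lists above (8-byte header, 8-byte size, 8-byte Windows date/time, then the original path from offset 24) is easy to decode outside EnCase. The parser below is an added example, not code from the original post or the attached article. It assumes the path at offset 24 is stored as UTF-16LE, NUL-terminated and zero-padded (the post does not state the encoding), that the Windows date/time is a FILETIME (100-nanosecond ticks since 1601-01-01 UTC), and that the header value is 1. The sample record is constructed here by a helper that writes that same layout; it is not taken from an examined system.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 1601-01-01 00:00:00 UTC, counted in 100-ns ticks
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
I_HEADER_VISTA = 1          # the "01 for 8 bytes" header the post describes
PATH_FIELD_BYTES = 520      # assumption: 260 UTF-16 code units, zero padded


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a 64-bit little-endian FILETIME tick count to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime, done with integers to avoid float drift."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data: bytes) -> dict:
    """Decode one Vista $I record into its header, size, deletion time and path.

    Layout (from the post): offset 0 header, offset 8 size, offset 16 FILETIME,
    offset 24 original full path. The path encoding is an assumption (UTF-16LE).
    """
    if len(data) < 24:
        raise ValueError("too short to be a $I file (need at least 24 bytes)")
    header, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if header != I_HEADER_VISTA:
        raise ValueError(f"unexpected $I header {header:#x}; expected 1 for Vista")
    # Stop at the first UTF-16 NUL; anything after it is padding
    path = data[24:].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "header": header,
        "size": size,
        "deleted_utc": filetime_to_datetime(ticks),
        "original_path": path,
    }


def build_i_file(size: int, deleted: datetime, path: str) -> bytes:
    """Constructed sample writer: lays out a $I record exactly as parse_i_file expects.

    Used only to produce test input offline; a real $I file comes from
    $Recycle.Bin\<SID>\ on the examined volume.
    """
    encoded = (path.encode("utf-16-le") + b"\x00\x00").ljust(PATH_FIELD_BYTES, b"\x00")
    return struct.pack("<QQQ", I_HEADER_VISTA, size, datetime_to_filetime(deleted)) + encoded


# Constructed sample, mirroring the Test1.DOC example from the post
SAMPLE_DELETED = datetime(2009, 3, 14, 15, 9, 26, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\Alice\Documents\Test1.DOC"
SAMPLE_SIZE = 24576
SAMPLE_I_FILE = build_i_file(SAMPLE_SIZE, SAMPLE_DELETED, SAMPLE_PATH)


def decode_sample() -> dict:
    """Parse the constructed sample record (the $I4ED22 of the post's example)."""
    return parse_i_file(SAMPLE_I_FILE)


if __name__ == "__main__":
    rec = decode_sample()
    print(f"header: {rec['header']}")
    print(f"size:   {rec['size']} bytes")
    print(f"deleted (UTC): {rec['deleted_utc'].isoformat()}")
    print(f"original path: {rec['original_path']}")
```

The header check matters in practice: later Windows versions changed the $I header value and the path field layout, so a parser written for the Vista structure above should refuse records it does not recognise rather than silently mis-read the path. Note also that the deletion time is returned in UTC; converting to the examined machine's local time zone is a separate step.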


One Response to “Forensics: Examining the Recycle Bin in Windows Vista”

  1. Forensics: When was a File Deleted? Part 1 « Data – Where is it? Says:

    […] the recycle bin. This information is recorded via the INFO2 file in Windows 9x, 2000 and XP. In Vista the information is recorded, but it’s in a slightly different […]
