Hack your Recycle Bin

Have you ever thought of what happens when you hit the delete button?

Delete: When we simply delete a file we are throwing that file in the recycle bin of that particular volume. For example, if file resides in C:\ drive having FAT32 as file system and we delete a file of C:\ drive then that file will move to C:\Recycled. But if it is an NTFS volume then the file will move to \Recycler\.

Shift+Delete: When we hit Shift+Delete the file will not move to Recycled or Recycler. Instead it will by pass these two folders and will simply be deleted. In such scenarios the user does not have an option to restore a file from these two folders.

However forensics tells us the files are NOT actually deleted. The deleted files still exist on the hard disk but the pointer pointing to that file is deleted. The pointer information is stored by the INFO2 record which cannot be seen by a normal user. To view the INFO2 file use ATTRIB -r -s -h info2. We can also use a third party tool like for rifiuti to see whats written in the INFO2 file. Italian dictionary says rifiuti means trash. Tons of thanks to Keith Jones for developing this wonderful tool. Rifuti can be downloaded from here

In Encase one can use Enscripts to find information from INFO2 records. For local machine he can run “Scan local machine” enscript (Encase5) with Recycle Bin Info Record finder module selected. If a user is working on some image then he can simply run “Sweep Case” enscript with Recycle Bin Info Record finder module selected. All the information collected by Encase will be located in the bookmark tab.
All forensic investigators should definitely look for INFO2 record to gather crucial information. There is a good chance of the INFO2 record solving the case, ridding the investigator of further toil.

Happy Blogging.

Demystify “thumbs.db”

Are you working as a cyber crime investigator and looking for something which can prove in court of law that there was some pornographic content on the suspect’s machine? Let me help you out in this case.There is a file with a name “thumbs.db” which is automatically generated by Windows XP whenever user views the folder or image in thumbs view or in filmstrip view. Automatic generation of this file is ON by default. Thumbs.db contains a copy of each of the tiny preview images generated for image files in that folder so that they load up quickly the next time you browse that folder. If a user tries to view this file by any image viewer then it will be of no use. For extracting the juicy content from this file, forensic investigator has to understand the header of the thumbs file present in thumbs.db. Let me explain step by step on how to extract useful content from thumbs.db file.

Open any folder which has got some jpeg files and make that folder view in thumbs view as shown in

(Click the Image to Enlarge)

As soon as the folder is kept in thumbs view “thumbs.db” file is created. Even if all JPEG files are deleted and thumbs.db file corresponding to those JPEG files is present, then also you can see the images but they will be very small in size. Thumbs.db which was created is now viewed using winhex. Once the file has been opened in winhex view, we will search and select for particular header. Header is “ÿØÿà JFIF” and its hex values are “FFD8FFE000104A464946″. This is shown in an example :-

(Click the Image to Enlarge)

Copy the entire content in a notepad where the header is starting till the end of the file and save the file with the extension JPEG. You can now easily view the extracted content with any of the image viewer. If there are large number of headers in thumbs.db file, then you can use professional tool like “Windows File Analyzer” to see the contents of thumbs.db file.Even if the picture files are deleted, the information will be stored in thumbs.db file which can be very helpful. Hope this information is enough.

Happy Blogging.

Use Tasklist Smartly!

I was looking for a utility which allows me to remotely access running processes’ list of a suspect machine running Windows OS. I found this wonderful utility which allows to not only view the processses and their PIDs but also filter the processes according to the certain criteria such as username, memory usage, loaded modules, services, status of the services and even Windows title!

The MS description for this command says:

This command line tool displays a list of application(s) and associated task(s)/process(es) currently running on either a local or remote system.

Let me illustrate the power of this command with an example: Suppose, you, as an investigator want to see the processes running on a remote system while the suspect is on the system, you would run the following command (assuming you have the password for a valid user on the system)



The IP of the remote system:

The domain:Domain

The user being used to connect: Debarghya

The above command would enable the investigator to see all the running processes started by the user “Debarghya”. He would be able to see any “out of the ordinary” process being run by the user!

For further information about the filters and options supported, just type

c:\windows\system32>tasklist.exe /?

TASKLIST [/S system [/U username [/P [password]]]]
[/M [module] | /SVC | /V] [/FI filter] [/FO format] [/NH]

Happy experimentation!