Hack your Recycle Bin

Have you ever thought of what happens when you hit the delete button?

Delete: When we simply delete a file we are throwing that file in the recycle bin of that particular volume. For example, if file resides in C:\ drive having FAT32 as file system and we delete a file of C:\ drive then that file will move to C:\Recycled. But if it is an NTFS volume then the file will move to \Recycler\.

Shift+Delete: When we hit Shift+Delete the file will not move to Recycled or Recycler. Instead it will by pass these two folders and will simply be deleted. In such scenarios the user does not have an option to restore a file from these two folders.

However forensics tells us the files are NOT actually deleted. The deleted files still exist on the hard disk but the pointer pointing to that file is deleted. The pointer information is stored by the INFO2 record which cannot be seen by a normal user. To view the INFO2 file use ATTRIB -r -s -h info2. We can also use a third party tool like for rifiuti to see whats written in the INFO2 file. Italian dictionary says rifiuti means trash. Tons of thanks to Keith Jones for developing this wonderful tool. Rifuti can be downloaded from here

In Encase one can use Enscripts to find information from INFO2 records. For local machine he can run “Scan local machine” enscript (Encase5) with Recycle Bin Info Record finder module selected. If a user is working on some image then he can simply run “Sweep Case” enscript with Recycle Bin Info Record finder module selected. All the information collected by Encase will be located in the bookmark tab.
All forensic investigators should definitely look for INFO2 record to gather crucial information. There is a good chance of the INFO2 record solving the case, ridding the investigator of further toil.

Happy Blogging.

2 comments:

touchaddict said...

nice post :) didn't know about this hack earlier

Appu said...

What about Vista? I guess for Vista the folder is Recycle.bin
but i was unable to run rifuiti in vista INFO2 not found.. can you help? :)