by Kush Wadhwa, NII Consulting
Have you ever thought of what happens when you hit the delete button?
Delete: When we simply delete a file we are throwing that file in the recycle bin of that particular volume. For example, if file resides in C: drive having FAT32 as file system and we delete a file of C: drive then that file will move to C:Recycled. But if it is an NTFS volume then the file will move to Recycler.
Shift+Delete: When we hit Shift+Delete the file will not move to Recycled or Recycler. Instead it will by pass these two folders and will simply be deleted. In such scenarios the user does not have an option to restore a file from these two folders.
However forensics tells us the files are NOT actually deleted. The deleted files still exist on the hard disk but the pointer pointing to that file is deleted. The pointer information is stored by the INFO2 record which cannot be seen by a normal user. To view the INFO2 file use ATTRIB -r -s -h info2. We can also use a third party tool like for rifiuti to see whats written in the INFO2 file. Italian dictionary says rifiuti means trash. Thanks to Keith J. Jones for developing this wonderful tool. Rifuti can be downloaded from here.
An index number is assigned to each file or folder that is sent to the Recycle Bin, and can be used to show the order of deletion. The highest number was the last file deleted. When the Recycle Bin is emptied and the system is restarted, the index numbering starts all over. A recovered INFO2 file that has index numbers starting at a number higher than 1 indicates that the user emptied the Recycle Bin previously during the same session. The first field shows this index number. We can also see the date and time when the file was deleted. File name with original path and size is also displayed with the help of this tool.
In Encase one can use Enscripts to find information from INFO2 records. For local machine he can run “Scan local machine” enscript (Encase5) with Recycle Bin Info Record finder module selected. If a user is working on some image then he can simply run “Sweep Case” enscript with Recycle Bin Info Record finder module selected. All the information collected by Encase will be located in the bookmark tab.
All forensic investigators should definitely look for INFO2 record to gather crucial information. There is a good chance of the INFO2 record solving the case, ridding the investigator of further toil.
John Logan
I tried the attrib command you listed above and the “rifiuti” program, however neither of them worked on my XP (SP2) system. The attrib program said the file was not found and the rifiuti program would not accept info2 as a valid filename. The rifiuti program, when used with the full path of the user SID (recycle bin) provides the fields INDEX, DELETED TIME, DRIVE NUMBER, PATH, SIZE, but no actual file data (even though there are deleted files in the bin)
Kush
Hi John,
In FAT32 file system, while using rifiuti you have to mention the full path of INFO2 file. Let me explain this with example. Let’s suppose your INFO2 file is in C:Recycled. Then you will execute the command as attrib -s -h -r c:RecycledINFO2. See Figure 1 below
When you use rifiuti c:Recycled it will not show you the file and also no error will pop up. But if you use C:RecycledINFO2, then you will get the stuff which you are looking for. See Figure 2 below
Coming to NTFS. IF file encryption has been applied to NTFS drive, then you will not get the result even if you have the INFO2 file. But if the encryption is not there on NTFS drive then you will get the full info which you are looking for. See below
You can see that there is INFO2 file in D:RecyclerS-1-5-18 but no information is available because it is encrypted NTFS. But in E:RecyclerS-1-5-21-861567501-776561741-1801674531-1003 the information of deleted file is available because its not encrypted file.
Hope that helped!
Liou Liu
If the INFO2 is encrypted NTFS, do you know how to decrypte it and read it? Thanks.
Liou Liu
I downloaded and installed a Cygwin. The recycler folder is listed on the root of c disk. The rifiuti.exe is also installed on the root of c disk. Then I run
rifiuti.exe recycle/S-1-5-21-……/INFO2, just list the SIZE, DATE. But no value. I checked my folder. I did not choose the encryption. Can you help me? Thanks.
Kush Wadhwa
Hi Liou
Good question from your end. You can definitely decrypt those file but for that you have to use professional forensic tool like Encase or FTK. These tool have the capability to decrypt the INFO2 records. Hope these tools will help solving the problem you are facing.
phone
Hi Kush,
How do i open this INFO2 file in FTK??I can see easily but .unable to open of its databse!!