Universal Extractor

Posted February 7th, 2007 by Nikhil Wagholikar

by Nikhil Wagholikar, NII Consulting

1. Need

Many a time during Forensics investigation or during Reverse Engineering, we come across the need where we have to check or extract the contents of an executable file. If the executable file is in human readable format (ex : a UNIX file having permissions –rwx-r-x-r-x) then the life of investigator is quite simple, since such kind of files could easily be opened in Unix built-in editors like “vi” or “emacs”, or even in MS Windows default editor “Notepad”. However this is not the case every time. The investigators or research persons could also come across various MS-Windows “.exe”, “.dll”, “.msi” files or RedHat Linux “.rpm” file, or very common “.zip”, “.rar”, “.bin”, “.cue” or “.uha” files during their course of action. Read the rest of this entry »

Recycle Bin Forensics

Posted February 5th, 2007 by Kush

by Kush Wadhwa, NII Consulting

Have you ever thought of what happens when you hit the delete button?

Delete: When we simply delete a file we are throwing that file in the recycle bin of that particular volume. For example, if file resides in C:\ drive having FAT32 as file system and we delete a file of C:\ drive then that file will move to C:\Recycled. But if it is an NTFS volume then the file will move to \Recycler\.

Shift+Delete: When we hit Shift+Delete the file will not move to Recycled or Recycler. Instead it will by pass these two folders and will simply be deleted. In such scenarios the user does not have an option to restore a file from these two folders. Read the rest of this entry »