Comments on: Recycle Bin Forensics

By: phone

phone — Wed, 07 May 2008 13:10:06 +0000

Hi Kush,
How do i open this INFO2 file in FTK??I can see easily but .unable to open of its databse!!

By: Kush Wadhwa

Kush Wadhwa — Wed, 30 May 2007 08:52:31 +0000

Hi Liou

Good question from your end. You can definitely decrypt those file but for that you have to use professional forensic tool like Encase or FTK. These tool have the capability to decrypt the INFO2 records. Hope these tools will help solving the problem you are facing.

By: Liou Liu

Liou Liu — Tue, 29 May 2007 03:34:00 +0000

I downloaded and installed a Cygwin. The recycler folder is listed on the root of c disk. The rifiuti.exe is also installed on the root of c disk. Then I run
rifiuti.exe recycle/S-1-5-21-……/INFO2, just list the SIZE, DATE. But no value. I checked my folder. I did not choose the encryption. Can you help me? Thanks.

By: Liou Liu

Liou Liu — Tue, 29 May 2007 03:14:31 +0000

If the INFO2 is encrypted NTFS, do you know how to decrypte it and read it? Thanks.

By: Kush

Kush — Wed, 23 May 2007 10:53:23 +0000

Hi John, In FAT32 file system, while using rifiuti you have to mention the full path of INFO2 file. Let me explain this with example. Let's suppose your INFO2 file is in C:\Recycled. Then you will execute the command as attrib -s -h -r c:\Recycled\INFO2. See Figure 1 below When you use rifiuti c:\Recycled it will not show you the file and also no error will pop up. But if you use C:\Recycled\INFO2, then you will get the stuff which you are looking for. See Figure 2 below Coming to NTFS. IF file encryption has been applied to NTFS drive, then you will not get the result even if you have the INFO2 file. But if the encryption is not there on NTFS drive then you will get the full info which you are looking for. See below You can see that there is INFO2 file in D:\Recycler\S-1-5-18 but no information is available because it is encrypted NTFS. But in E:\Recycler\S-1-5-21-861567501-776561741-1801674531-1003\ the information of deleted file is available because its not encrypted file. Hope that helped!

By: John Logan

John Logan — Mon, 21 May 2007 16:09:24 +0000

I tried the attrib command you listed above and the “rifiuti” program, however neither of them worked on my XP (SP2) system. The attrib program said the file was not found and the rifiuti program would not accept info2 as a valid filename. The rifiuti program, when used with the full path of the user SID (recycle bin) provides the fields INDEX, DELETED TIME, DRIVE NUMBER, PATH, SIZE, but no actual file data (even though there are deleted files in the bin)