RECYCLED_I



Author: Dan Mares, info @ maresware . com or dan.mares @ norcrossgroup . com
Portions Copyright 2000-2014 by Mares and Company, LLC
Phone: (770)770-242-6687 X119
Last update: Feb 14, 2012

PURPOSE

Under Vista and newer Microsoft operating systems, the recycle bin takes a slightly different approach. The INFO2 and similar reference files are no longer used. Instead, two sets of files take their place.

Research has indicated that when a file is moved to the recycle bin its name is replaced with $R followed by a random set of characters/digits and then the original extension. So myfile.doc might become $RABCDEF.doc. This appears to be the original deleted file.

Then a second reference file of about 544 characters is created, named $I followed by the same random characters as the renamed file. So for the file above, the $I file would be $IABCDEF.doc. This file contains some metadata about the original file, taking the place of the INFO2 information: the file size, the date and time of removal (very nice for forensic purposes), and the original filename (in UNICODE).

This setup of a second "reference" file for each deleted file is a nice touch. The RECYCLED_I program scans the $I files and produces a pipe delimited (|) file containing the metadata within each $I file. This makes for an easy import into a spreadsheet or other analysis.

If the $R... files are also in the folder(s) searched, the original file dates are added as additional columns at the end of each record. This lets you import the original name, the deletion date, and the three original file times/dates into a spreadsheet together. If the $R... file is not there, the original file date/time fields are left blank.


OPERATION

First, the user must export or copy the $I files from the Vista $Recycle.Bin folder to a location where they can be processed.

If you are using a forensic tool such as X-WAYS, FTK, or any other, recovering/copying the $I files should be an easy task. If you are on a live system, just copy the $I files using UPCOPY or some other forensic copy function.

Copy the files to a safe location for processing, then point the RECYCLED_I program to the path where these files now reside (via the -p option), and tell it via the -f (files) option which files to process. It will almost always be -f $I*.*.

RECYCLED_I then traverses the path given by -p, finds the $I*.* files, and processes them one at a time, extracting the original file size, the date/time of deletion, and the original full path of the deleted file. It writes the data to the screen in pipe (|) delimited format. To get the data into a file, simply use command line redirection. (If you don't know what that is, you probably shouldn't be doing computer forensics.)

Take the resulting file and import it into a spreadsheet, or reprocess it as you see fit.
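The following is an added example, not Maresware code and not a description of how RECYCLED_I works internally. It shows what the PURPOSE section's $I metadata extraction and the OPERATION section's pipe-delimited output look like as a small parser. It assumes the version-1 $I layout used by Vista and Windows 7, which the page does not spell out: an 8-byte header/version, an 8-byte file size, an 8-byte Windows FILETIME deletion timestamp, and a 520-byte NUL-padded UTF-16LE original path, for the 544 bytes the page reports. Unlike RECYCLED_I as described above, it checks record length and version and flags bad records instead of silently parsing them. The $I and $R files it processes are constructed in a temporary folder; the names, sizes and dates are made up.

```python
"""Added example: parse version-1 $I recycle-bin records and emit pipe-delimited
rows (name|size|deleted|original path|$R mtime|$R atime|$R ctime).
The field offsets are an assumption documented in the lead-in, not taken from the page."""
import os
import struct
import tempfile
from datetime import datetime, timedelta, timezone

I_RECORD_LEN = 544        # length of a version-1 $I record (assumed layout)
I_VERSION = 1
PATH_FIELD_LEN = 520      # 260 UTF-16LE code units, NUL padded
_FT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _FT_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used only to build the constructed sample."""
    return int((dt - _FT_EPOCH) // timedelta(microseconds=1)) * 10


def build_i_record(size, deleted, original_path):
    """Constructed sample $I record for the demo; not a real artifact."""
    encoded = original_path.encode("utf-16-le")
    if len(encoded) > PATH_FIELD_LEN - 2:
        raise ValueError("path too long for a version-1 record")
    header = struct.pack("<QQQ", I_VERSION, size, datetime_to_filetime(deleted))
    return header + encoded.ljust(PATH_FIELD_LEN, b"\0")


def parse_i_record(data):
    """Return (size, deletion datetime, original path) or raise ValueError.
    Length and version are validated; the page says RECYCLED_I itself does not check."""
    if len(data) != I_RECORD_LEN:
        raise ValueError("unexpected length %d (want %d)" % (len(data), I_RECORD_LEN))
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version != I_VERSION:
        raise ValueError("unsupported $I version %d" % version)
    raw_path = data[24:24 + PATH_FIELD_LEN].decode("utf-16-le", errors="replace")
    return size, filetime_to_datetime(ft), raw_path.split("\0", 1)[0]


def fmt(dt):
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def r_file_times(i_path):
    """Find the paired $R file ($I prefix swapped for $R) beside the $I file and
    return its three timestamps as strings, or three blanks when it is absent."""
    folder, name = os.path.split(i_path)
    r_path = os.path.join(folder, "$R" + name[2:])
    if not os.path.exists(r_path):
        return "", "", ""
    st = os.stat(r_path)
    # On Windows st_ctime is the creation time; on POSIX it is the inode change time.
    return tuple(fmt(datetime.fromtimestamp(t, timezone.utc))
                 for t in (st.st_mtime, st.st_atime, st.st_ctime))


def process_folder(folder):
    """One pipe-delimited row per $I file, in the spirit of RECYCLED_I's output."""
    rows = []
    for name in sorted(os.listdir(folder)):
        if not name.startswith("$I"):
            continue                      # equivalent of the -f $I*.* filter
        full = os.path.join(folder, name)
        with open(full, "rb") as fh:
            data = fh.read()
        try:
            size, deleted, orig = parse_i_record(data)
        except ValueError as exc:
            rows.append("%s|ERROR|%s" % (name, exc))
            continue
        rows.append("|".join((name, str(size), fmt(deleted), orig) + r_file_times(full)))
    return rows


def demo():
    """Write constructed $I/$R files to a temp folder and process them."""
    with tempfile.TemporaryDirectory() as tmp:
        when = datetime(2012, 2, 14, 15, 30, 0, tzinfo=timezone.utc)   # made-up deletion time
        with open(os.path.join(tmp, "$IABCDEF.doc"), "wb") as fh:
            fh.write(build_i_record(12345, when, r"C:\Users\dan\Documents\myfile.doc"))
        with open(os.path.join(tmp, "$RABCDEF.doc"), "wb") as fh:
            fh.write(b"recovered contents")       # paired $R file, so its dates are filled in
        with open(os.path.join(tmp, "$IZZZZZZ.txt"), "wb") as fh:
            fh.write(b"\0" * 100)                 # truncated record, exercises the format check
        return process_folder(tmp)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Redirecting the printed rows to a file gives the same kind of import-ready text the command lines below produce; a row whose second field is ERROR marks a $I file that was not the expected size or version and should be examined by hand rather than trusted.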


OPTIONS

Currently there are only two options, and both are required.

-p path:    The path to the folder where the $I files are held.

-f filetype:    The filetype (usually $I*.*) that you want the program to process. This option makes sure that only the $I files are processed, in case other files are in the folder pointed to. Make sure all the $I files are of the correct format: no check is made that the files have the correct content or format.


COMMAND LINES

The most practical command line is:

c:>recycled_i -p path_to_the_$I_files -f $I*.*

or if you want the output to a file:

c:>recycled_i -p path_to_the_$I_files -f $I*.* > outputfile.txt
c:>recycled_i -p path_to_the_$I_files -f $I*.* >> outputfile.txt


Download: RECYCLED_I.EXE   when asked: use your e-mail address as the password.
Feedback is appreciated. dm at dmares dot com