Saturday, 4 August 2018

Windows folder deletion

It is pretty well known that when files are deleted in Windows Vista or later, two files are created in the Recycle Bin - the $I file and $R file. Most forensic tools are smart enough to piece the two files together to present the examiner with the original filename, original path, and deletion date. What happens when it is not a file but a folder that is deleted?

To test, I created a folder with 3 text files in it, then deleted the entire folder. The following shows the artefacts found in my Recycle Bin:

Ignore the .ORF and .JPG files for now. Note the matching $I and $R 'files' highlighted in red (the $R 'file' is actually a directory).
paladin@paladin:<redacted>$ ls -l
total 9
-rwxrwxrwx 1 root root  129 Nov 20  2017 desktop.ini
-rwxrwxrwx 1 root root  108 Jul  4 13:35 $I5SL57R.ORF
-rwxrwxrwx 1 root root  108 Jul  5 06:44 $I6O696O.ORF
-rwxrwxrwx 1 root root   66 Jul 27 06:09 $IBN1JFG
-rwxrwxrwx 1 root root  108 Jul  4 13:35 $IFXKF3C.JPG
-rwxrwxrwx 1 root root  108 Jul  4 13:35 $IJP866D.JPG
-rwxrwxrwx 1 root root  108 Jul  4 13:35 $IK0XWGY.ORF
-rwxrwxrwx 1 root root  108 Jul  4 13:34 $IRBWPPL.JPG
-rwxrwxrwx 1 root root  108 Jul  4 13:34 $IWMRGZO.ORF
drwxrwxrwx 1 root root 4096 Jul 27 06:03 $RBN1JFG

As expected, the $R 'file' contained the contents of the deleted folder, without the accompanying $I files.
paladin@paladin:<redacted>$ ls -l \$RBN1JFG
total 2
-rwxrwxrwx 2 root root 76 Jul 27 06:02 file_copy.txt
-rwxrwxrwx 2 root root 75 Jul 27 06:02 file_move.txt
-rwxrwxrwx 2 root root 70 Jul 27 06:01 file_orig.txt

Looking at the $I file, we can see the original path of the folder, as well as the deleted date of "D0 8D 9F 64 70 25 D4 01" which corresponds to 27 July 2018 06:09:35 UTC+0.
paladin@paladin:<redacted>$ hexdump -e '8/1 "%02X ""\t"" "' -e '8/1 "%c""\n"' \$IBN1JFG
02 00 00 00 00 00 00 00   
DD 00 00 00 00 00 00 00  �
D0 8D 9F 64 70 25 D4 01  Ѝ�dp%�asdasd
13 00 00 00 43 00 3A 00  C:
5C 00 54 00 65 00 6D 00  \Tem
70 00 5C 00 66 00 6F 00  p\fo
6C 00 64 00 65 00 72 00  lder
5F 00 64 00 65 00 6C 00  _del

The above short experiment explains why certain files in the Recycle Bin are not displayed with their corresponding deletion times in a certain tool, as the tool was not able to match the parent folder's deletion time to the files contained within.

Separately, the .ORF and .JPG $I files were files that I had previously deleted and restored. It would appear that Windows leaves the $I files in the Recycle Bin for restored files and only deletes them if the file in the Recycle Bin was deleted. However that bears more testing/research for another day.

*Update*
Read more on the testing of residual $I files by Phill Moore at ThinkDFIR and Yogesh Khatri.
at
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Magnet Summit 2022 Virtual CTF - Windows

Magnet Forensics recently concluded their Virtual CTF for the Magnet Summit 2022.  Participants were provided with the following three image...