Introduction

It is becoming increasingly common for the help of digital forensic investigators to be called in. Examining PCs, networks, mobile phones and related media requires in-depth knowledge. Besides this knowledge, the tools for recovering particular data and the interpretation of that data are very important. This blog will try to offer solutions that assist with digital investigations. Various tools will be reviewed, interesting articles will be explored in more depth, and links to other forensic sites and supporting manuals will be covered.

Wednesday 31 October 2007

The Recycle Bin

The Recycle Bin's functionality is straightforward. It was developed as a way to throw things away without really losing them, for the case where the user didn't really mean to throw them away.

As with a regular file deletion, the OS makes the file invisible in its original directory but does not zero out the cluster chain. It then adds a directory entry to the Recycle Bin directory and renames the file. If you delete John.jpg, you'll now have a df000010.jpg in the trash can that is associated with the name John.jpg and the path f:/My Pictures/Yadda/Yadda/John.jpg.

From a forensics perspective, it is obvious that stuff gets into the trash can because the user put it there. On Windows Me/9x machines, the trash can is a community dump: all accounts on a machine share a single trash can. This is a big security problem, because if you delete something you don't want someone else to see, anybody with an account on the machine can get to it in the community trash can.

On later Windows boxes, each user's trash can is named after that user's SID, and you can tell which trash can is whose by looking in the SAM file, which maps SIDs to account names.

INFO2 Structure
"Deleted" file path
"Deleted" file index number
"Deleted" file drive location
"Deleted" file date and time
"Deleted" file physical size

The recycle bin tracks only user-deleted files. It does not track stuff that the OS deletes, such as temporary Internet files, nor things deleted with Shift+Delete, which bypasses the bin.

The trash can doesn't hold stuff deleted from removable media or network shares. The time stamps must be interpreted relative to the machine's "active time bias", i.e. its configured time zone offset.

FAT vs. NTFS Recycle Bins

FAT: 280-byte INFO2 records, and all users on the machine can access the files.
NTFS: 800-byte INFO2 records, and the bin is user-specific based on SID.

The recycle bin has its own Master File Table record for deleted files. FTK is able to show that a file has been removed from the bin and all of the INFO2 data for removed files.

When an item is removed from the bin, it's not possible to tell whether it was deleted from the bin or moved back out of the bin. Both actions have the same result as far as the Recycle Bin is concerned.

The date an item is moved into the recycle bin is a potentially powerful piece of evidence, and that information is stored in the INFO2 data in the trash can.
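As an added example (not code from the original post), a small Python parser for the INFO2 file described above: it reads the record size from the header (280 bytes for Win9x/FAT, 800 for NTFS), decodes each record's path, index, drive, FILETIME and physical size, and flags entries whose first path byte was nulled when the item was restored or the bin emptied. The sample INFO2 bytes, the header layout and the D<drive letter><index><ext> naming of files inside the bin are assumptions constructed for this demonstration.

```python
import ntpath
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_LEN = 20      # INFO2 header; the record size is the uint32 at offset 12
RECORD_WIN9X = 280   # FAT / Win9x record: ANSI path only
RECORD_NT = 800      # NTFS / Win2000-XP record: ANSI path + Unicode path

def filetime_to_utc(ft):
    # FILETIME = 100 ns ticks since 1601-01-01 UTC; apply the machine's time zone bias afterwards
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_info2(data):
    """Return one dict per INFO2 record: original path, index, drive, deletion time, size."""
    rec_size = struct.unpack_from("<I", data, 12)[0]
    if rec_size not in (RECORD_WIN9X, RECORD_NT):
        raise ValueError("unexpected INFO2 record size %d" % rec_size)
    records = []
    for off in range(HEADER_LEN, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        ansi = rec[:260]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        # Restore/empty nulls only the first ANSI-path byte and leaves the rest: that marks a removed entry
        removed = ansi[0] == 0
        if rec_size == RECORD_NT:   # the Unicode copy of the path survives intact
            path = rec[280:].decode("utf-16-le", "replace").split("\0", 1)[0]
        else:                       # Win9x: only the first character of the path is lost
            path = ("?" if removed else chr(ansi[0])) + ansi[1:].split(b"\0", 1)[0].decode("latin-1")
        records.append({
            "path": path, "index": index, "drive": chr(ord("A") + drive), "size": size,
            "deleted_utc": filetime_to_utc(ft), "removed": removed,
            # name the file carries inside the bin: D<drive letter><index><ext>, e.g. Dc10.jpg
            "recycled_name": "D%s%d%s" % (chr(ord("a") + drive), index, ntpath.splitext(path)[1]),
        })
    return records

# Constructed sample data (not taken from a real disk): an 800-byte record builder and a
# two-record INFO2 file whose second entry was restored or emptied from the bin.
def build_record(path, index, drive, when, size, removed=False):
    ansi = path.encode("latin-1").ljust(260, b"\0")
    if removed:
        ansi = b"\0" + ansi[1:]
    ticks = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return ansi + struct.pack("<IIQI", index, drive, ticks, size) + path.encode("utf-16-le").ljust(520, b"\0")

T0 = datetime(2007, 10, 31, 12, 0, tzinfo=timezone.utc)
SAMPLE_INFO2 = (struct.pack("<IIIII", 5, 0, 0, RECORD_NT, 0)
                + build_record("C:\\My Pictures\\John.jpg", 10, 2, T0, 4096)
                + build_record("C:\\Docs\\notes.txt", 11, 2, T0 + timedelta(hours=1), 512, removed=True))
```

Running `parse_info2(SAMPLE_INFO2)` yields two records; the second is reported as removed, with its original path recovered from the Unicode copy that the nulling leaves untouched.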
