Migden / Digital-Forensics

A repo designed for notes from the Digital Forensics Topic in TAFE Advanced Diploma

Recycle Bin Forensics.md #5

Open Migden opened 3 months ago

Migden commented 3 months ago

Recycle Bin Forensics


The recycle bin is a very popular artefact that stores deleted files. From the user's side, the files are simply gone. From a forensic examiner's perspective, however, the recycle bin can show who deleted what and provide other information that helps to understand the user's behaviour.

Forensics with Autopsy


Open Autopsy and create a new case, then import the file system image.

Navigate to the RECYCLER folder. It contains multiple subfolders, each holding the files that one particular user has deleted. Each subfolder is named after that user's SID (Security Identifier). The SID can be broken down into a computer part followed by a user identifier.

The last section of the SID is the user identifier, called the RID; individual RIDs can be found in the contents of the SAM file.

Enter the folder, then select and export all files found. Next, open the command line and use rifiuti, a tool that examines INFO2 files (the MS Windows Recycle Bin index files):

rifiuti ~/Desktop/Cases/FOR_LAB_009/Export/Lab9-1/INFO2 > ~/Desktop/Cases/FOR_LAB_009/Export/Lab9-1/INFO2.txt

From the rifiuti output we can now examine the metadata of the files found in the recycle bin.
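To show what rifiuti is reading out of INFO2, here is an added example parser (not part of these notes and not rifiuti's code) for the Windows 2000/XP version-5 INFO2 layout: a 20-byte header followed by 800-byte records that hold the original path, the record index, the drive number, the FILETIME deletion timestamp and the file size. The INFO2 bytes it parses are constructed inside the block, not taken from a real case.

```python
import ntpath
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RECORD_SIZE_XP = 800  # version 5 (Windows 2000/XP) record length

def filetime_to_datetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_info2(data):
    """Return one dict per record in an INFO2 index (version 5 layout only)."""
    version, _, _, record_size, _ = struct.unpack_from("<5I", data, 0)
    if version != 5 or record_size != RECORD_SIZE_XP:
        raise ValueError(f"unsupported INFO2 version {version}, record size {record_size}")
    records = []
    for off in range(20, len(data) - record_size + 1, record_size):
        rec = data[off:off + record_size]
        ansi_path = rec[:260].split(b"\x00", 1)[0].decode("latin-1")
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        uni_path = rec[280:800].decode("utf-16-le").split("\x00", 1)[0]
        path = uni_path or ansi_path
        drive_letter = chr(ord("A") + drive)
        records.append({
            "index": index,
            "drive": drive_letter,
            "deleted_at": filetime_to_datetime(ft),
            "size": size,
            "original_path": path,
            # the file itself sits in the SID folder renamed to D<drive><index>.<ext>
            "recycled_name": f"D{drive_letter.lower()}{index}{ntpath.splitext(path)[1]}",
            # Windows zeroes the first ANSI byte when the entry is restored or the bin emptied
            "purged": rec[0] == 0,
        })
    return records

def build_record(path, index, drive, deleted_at, size):
    """Construct a version-5 record (sample data, not a captured INFO2 file)."""
    delta = deleted_at - FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10
    rec = path.encode("latin-1").ljust(260, b"\x00")
    rec += struct.pack("<IIQI", index, drive, ft, size)
    return rec + path.encode("utf-16-le").ljust(520, b"\x00")

# constructed sample: header plus one record for a file deleted from drive C (drive number 2)
SAMPLE_INFO2 = struct.pack("<5I", 5, 0, 0, RECORD_SIZE_XP, 0) + build_record(
    r"C:\Documents and Settings\alice\My Documents\plan.docx", 7, 2,
    datetime(2024, 3, 15, 9, 30, tzinfo=timezone.utc), 4096)
```

Point parse_info2 at the bytes of an exported INFO2 file to get the same fields rifiuti prints; a record whose "purged" flag is set was restored or emptied, so its data file may no longer exist in the SID folder.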