fox-it / dissect.target

The Dissect module tying all other Dissect modules together. It provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets).
GNU Affero General Public License v3.0

Bug: No recycle bins found when using dissect-3.13 #666

Closed Fierry137 closed 3 months ago

Fierry137 commented 3 months ago

While testing with a couple of SANS FOR508 images I tried extracting the Recycle Bin for pertinent information.

The following output was generated by the latest version of Dissect:

target-query -f recyclebin base-rd-04-cdrive.E01
2024-04-04T20:16:52.384059Z [warning  ] <Target base-rd-04-cdrive.E01>: Can't identify volume system or no volumes found, adding as raw volume instead: <EwfContainer size=33833353216 vs=None> [dissect.target.target]
2024-04-04T20:16:53.086868Z [error    ] <Target base-rd-04-cdrive.E01>: Unsupported plugin for recyclebin: No recycle bins found [dissect.target.target]

pip listing is included below:

dissect            3.13
dissect.btrfs      1.2
dissect.cim        3.8
dissect.clfs       1.7
dissect.cstruct    3.13
dissect.esedb      3.12
dissect.etl        3.8
dissect.eventlog   3.7
dissect.evidence   3.8
dissect.executable 1.5
dissect.extfs      3.9
dissect.fat        3.8
dissect.ffs        3.7
dissect.hypervisor 3.12
dissect.jffs       1.1
dissect.ntfs       3.9
dissect.ole        3.7
dissect.regf       3.9
dissect.shellitem  3.7
dissect.sql        3.8
dissect.squashfs   1.4
dissect.target     3.16
dissect.thumbcache 1.7
dissect.util       3.15
dissect.vmfs       3.7
dissect.volume     3.9
dissect.xfs        3.8

Meanwhile Dissect v3.12 is able to parse it correctly:

target-query -f recyclebin base-rd-04-cdrive.E01 | rdump -j
[reading from stdin]
2024-04-04T20:17:31.657165Z [warning  ] <Target base-rd-04-cdrive.E01>: Can't identify volume system or no volumes found, adding as raw volume instead: <EwfContainer size=33833353216 vs=None> [dissect.target.target]
{
  "hostname": "BASE-RD-04",
  "domain": "shieldbase.lan",
  "ts": "2018-08-28T21:38:03.028999+00:00",
  "path": "C:\\Users\\spsql\\Documents\\20180827\\PowerShell_transcript.BASE-RD-04.UQlzsLK+.20180827162849.txt",
  "filesize": 13617,
  "deleted_path": "c:\\$recycle.bin\\S-1-5-21-3445421715-2530590580-3149308974-1193\\$I276F68.txt",
  "source": "c:/$recycle.bin/S-1-5-21-3445421715-2530590580-3149308974-1193/$I276F68.txt",
  "username": "spsql",
  "user_id": "S-1-5-21-3445421715-2530590580-3149308974-1193",
  "user_group": null,
  "user_home": "C:\\Users\\spsql",
  "_source": "base-rd-04-cdrive.E01",
  "_classification": null,
  "_generated": "2024-04-04T20:17:32.770927+00:00",
  "_version": 1
}

pip listing for this version is also included below:

dissect            3.12
dissect.btrfs      1.1
dissect.cim        3.7
dissect.clfs       1.6
dissect.cstruct    3.12
dissect.esedb      3.11
dissect.etl        3.7
dissect.eventlog   3.6
dissect.evidence   3.7
dissect.executable 1.4
dissect.extfs      3.8
dissect.fat        3.7
dissect.ffs        3.6
dissect.hypervisor 3.11
dissect.jffs       1.0
dissect.ntfs       3.8
dissect.ole        3.6
dissect.regf       3.8
dissect.shellitem  3.6
dissect.sql        3.7
dissect.squashfs   1.3
dissect.target     3.15
dissect.thumbcache 1.6
dissect.util       3.14
dissect.vmfs       3.6
dissect.volume     3.8
dissect.xfs        3.7

Fierry137 commented 3 months ago

Did some more testing with target-mount in both versions:

Dissect 3.13 only exposes the sysvol folder when navigating to the fs folder; Dissect 3.12 exposes both the c: and sysvol folders.

Schamper commented 3 months ago

Thanks for reporting this, we have someone internally who has done FOR508 recently, but unfortunately he doesn't have the same image, which makes debugging a bit more difficult.

I have a suspicion on what breaks, but would like to know a bit more about the image. The name suggests it's an image of just the C drive, can you confirm if that's the case? Meaning it doesn't have a partition table, but starts immediately with the NTFS header.

Fierry137 commented 3 months ago

That does indeed seem to be the case:

base-rd04/mounting/disks# xxd disk_0 | head -n 20
00000000: eb52 904e 5446 5320 2020 2000 0208 0000  .R.NTFS    .....
00000010: 0000 0000 00f8 0000 3f00 ff00 00a8 0f00  ........?.......
00000020: 0000 0000 8000 8000 ff4f f003 0000 0000  .........O......
00000030: 0000 0c00 0000 0000 0200 0000 0000 0000  ................
00000040: f600 0000 0100 0000 c37c 4b42 854b 4282  .........|KB.KB.
00000050: 0000 0000 fa33 c08e d0bc 007c fb68 c007  .....3.....|.h..
00000060: 1f1e 6866 00cb 8816 0e00 6681 3e03 004e  ..hf......f.>..N
00000070: 5446 5375 15b4 41bb aa55 cd13 720c 81fb  TFSu..A..U..r...
00000080: 55aa 7506 f7c1 0100 7503 e9dd 001e 83ec  U.u.....u.......
00000090: 1868 1a00 b448 8a16 0e00 8bf4 161f cd13  .h...H..........
000000a0: 9f83 c418 9e58 1f72 e13b 060b 0075 dba3  .....X.r.;...u..
000000b0: 0f00 c12e 0f00 041e 5a33 dbb9 0020 2bc8  ........Z3... +.
000000c0: 66ff 0611 0003 160f 008e c2ff 0616 00e8  f...............
000000d0: 4b00 2bc8 77ef b800 bbcd 1a66 23c0 752d  K.+.w......f#.u-
000000e0: 6681 fb54 4350 4175 2481 f902 0172 1e16  f..TCPAu$....r..
000000f0: 6807 bb16 6852 1116 6809 0066 5366 5366  h...hR..h..fSfSf
00000100: 5516 1616 68b8 0166 610e 07cd 1a33 c0bf  U...h..fa....3..
00000110: 0a13 b9f6 0cfc f3aa e9fe 0190 9066 601e  .............f`.
00000120: 0666 a111 0066 0306 1c00 1e66 6800 0000  .f...f.....fh...
00000130: 0066 5006 5368 0100 6810 00b4 428a 160e  .fP.Sh..h...B...

The acquisition log is also included:

Created By AccessData® FTK® Imager 4.2.0.13 

Case Information: 
Acquired using: ADI4.2.0.13
Case Number: 20180905-001
Evidence Number:  
Unique description: base-rd-04 C-Drive
Examiner: Clint Barton
Notes: Acquired over network via F-Response

--------------------------------------------------------------

Information for D:\disk-images\base-rd-04\base-rd-04_c-drive:

Physical Evidentiary Item (Source) Information:
[Device Info]
 Source Type: Physical
[Drive Geometry]
 Cylinders: 4,113
 Tracks per Cylinder: 255
 Sectors per Track: 63
 Bytes per Sector: 512
 Sector Count: 66,080,768
[Physical Drive Information]
 Drive Model: f-switch 0FA2BEEA30DEC1FE SCSI Disk Device
 Drive Serial Number: vol-C
 Drive Interface Type: SCSI
 Removable drive: False
 Source data size: 32266 MB
 Sector count:    66080768
[Computed Hashes]
 MD5 checksum:    f0030ba5109c524a9fe2aa1144e6e7a9
 SHA1 checksum:   aa4e287d18f27ae8e9db947af088e06b0352f5fd

Image Information:
 Acquisition started:   Thu Sep  6 23:14:39 2018
 Acquisition finished:  Fri Sep  7 00:00:30 2018
 Segment list:
  D:\disk-images\base-rd-04\base-rd-04_c-drive.E01

Image Verification Results:
 Verification started:  Fri Sep  7 00:00:31 2018
 Verification finished: Fri Sep  7 00:16:55 2018
 MD5 checksum:    f0030ba5109c524a9fe2aa1144e6e7a9 : verified
 SHA1 checksum:   aa4e287d18f27ae8e9db947af088e06b0352f5fd : verified
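As an added example (not code from this issue or from the Dissect project), the following stdlib-only Python answers the question Schamper asked: does the image begin with a partition table, or directly with an NTFS boot sector? It parses the NTFS BPB fields from the first sector, classifies the image head as a bare NTFS volume, GPT, MBR or unknown, and cross-checks the parsed geometry against the FTK Imager log and the EwfContainer size printed in the warning. Only the first 0x40 bytes of NTFS_HEAD are real (copied from the xxd output above); the rest of that sector, and the MBR/GPT samples, are constructed for the example. The order of the checks is the practitioner point: an NTFS volume boot record ends in 0x55AA exactly like an MBR, so a detector that looks for the boot signature before the OEM ID will misfile a raw volume as a disk.

```python
"""Is this E01/raw image a whole disk (MBR/GPT) or a bare NTFS volume?

Added example for this issue, not code from dissect.target. Only the first
0x40 bytes of NTFS_HEAD are real (the xxd dump posted in the issue); the rest
of that sector and the MBR/GPT samples are constructed for the example.
"""
import struct
from typing import Optional

SECTOR = 512


def parse_ntfs_boot_sector(sector: bytes) -> Optional[dict]:
    """Return the BPB fields of an NTFS volume boot record, or None if it is not one."""
    if len(sector) < SECTOR or sector[3:11] != b"NTFS    ":
        return None
    if sector[510:512] != b"\x55\xaa":  # a VBR ends in 55AA just like an MBR
        return None
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    sectors_per_track, heads, hidden = struct.unpack_from("<HHI", sector, 0x18)
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", sector, 0x28)
    (clusters_per_record,) = struct.unpack_from("<b", sector, 0x40)
    (serial,) = struct.unpack_from("<Q", sector, 0x48)
    # A negative value means the MFT record size is 2**|value| bytes, not a cluster count.
    if clusters_per_record < 0:
        record_size = 1 << -clusters_per_record
    else:
        record_size = clusters_per_record * sectors_per_cluster * bytes_per_sector
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "sectors_per_track": sectors_per_track,
        "heads": heads,
        "hidden_sectors": hidden,
        "total_sectors": total_sectors,
        "mft_cluster": mft_cluster,
        "mftmirr_cluster": mftmirr_cluster,
        "mft_record_size": record_size,
        "volume_serial": serial,
    }


def _mbr_table_plausible(sector: bytes) -> bool:
    """Sanity-check the four 16-byte MBR partition entries at 0x1BE."""
    used = 0
    for i in range(4):
        status, _, ptype, _, _lba, count = struct.unpack_from("<B3sB3sII", sector, 0x1BE + 16 * i)
        if status not in (0x00, 0x80):
            return False
        if ptype != 0 and count != 0:
            used += 1
    return used > 0


def classify_image_head(data: bytes) -> str:
    """Classify the first sectors of an image: 'ntfs-volume', 'gpt', 'mbr' or 'unknown'.

    The NTFS test runs first on purpose: an NTFS VBR also ends in 55AA, so
    testing for the MBR signature alone would misfile a bare volume as a disk.
    """
    sector0 = data[:SECTOR]
    if parse_ntfs_boot_sector(sector0) is not None:
        return "ntfs-volume"
    if len(data) >= 2 * SECTOR and data[SECTOR:SECTOR + 8] == b"EFI PART":
        return "gpt"
    if sector0[510:512] == b"\x55\xaa" and _mbr_table_plausible(sector0):
        return "mbr"
    return "unknown"


def image_size_consistent(fields: dict, image_size: int) -> bool:
    """NTFS keeps one sector past total_sectors for the backup boot sector, so a
    bare volume image is expected to be exactly (total_sectors + 1) sectors long."""
    return image_size == (fields["total_sectors"] + 1) * fields["bytes_per_sector"]


# Bytes 0x00-0x3F as shown in the issue's xxd output; the remainder is constructed.
NTFS_HEAD = bytes.fromhex(
    "eb52904e544653202020200002080000"
    "0000000000f800003f00ff0000a80f00"
    "0000000080008000ff4ff00300000000"
    "00000c00000000000200000000000000"
    "f600000001000000c37c4b42854b4282"
)
NTFS_SAMPLE = NTFS_HEAD + bytes(510 - len(NTFS_HEAD)) + b"\x55\xaa"

# Constructed whole-disk samples for comparison: one NTFS partition at LBA 2048,
# and a protective MBR followed by a GPT header signature in sector 1.
_mbr = bytearray(SECTOR)
struct.pack_into("<B3sB3sII", _mbr, 0x1BE, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
_mbr[510:512] = b"\x55\xaa"
MBR_SAMPLE = bytes(_mbr)

_gpt = bytearray(2 * SECTOR)
struct.pack_into("<B3sB3sII", _gpt, 0x1BE, 0x00, b"\0\0\x02", 0xEE, b"\xff\xff\xff", 1, 0xFFFFFFFF)
_gpt[510:512] = b"\x55\xaa"
_gpt[SECTOR:SECTOR + 8] = b"EFI PART"
GPT_SAMPLE = bytes(_gpt)

if __name__ == "__main__":
    for name, sample in (("base-rd-04 C drive", NTFS_SAMPLE), ("mbr", MBR_SAMPLE), ("gpt", GPT_SAMPLE)):
        print(name, "->", classify_image_head(sample))
    fields = parse_ntfs_boot_sector(NTFS_SAMPLE)
    print(fields)
    # 33833353216 is the EwfContainer size printed in the target-query warning above.
    print("image size matches boot sector:", image_size_consistent(fields, 33833353216))
```

Run against the bytes from the issue, the parser reports 63 sectors per track and 255 heads (matching the FTK Imager geometry), 66080767 total sectors, and a hidden-sector count of 1026048, i.e. the volume was originally preceded by another partition on the physical disk. With the backup boot sector added, 66080768 sectors of 512 bytes is exactly the 33833353216-byte EwfContainer size in the warning, which is the whole-volume-and-nothing-else picture Schamper was asking about.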

Schamper commented 3 months ago

Thanks, that confirms my suspicion. I'll create some local test data to verify and will create a PR to fix it shortly!

Schamper commented 3 months ago

This has been automatically closed by #671, but it would be nice if you could verify on your end if this indeed fixed the problem.

Fierry137 commented 1 month ago

Just confirmed that recyclebins works again with dissect v3.14

target-query -f recyclebin base-rd-04-cdrive.E01 |rdump -j
[reading from stdin]
2024-05-21T20:05:14.427934Z [warning  ] <Target base-rd-04-cdrive.E01>: Can't identify volume system or no volumes found, adding as raw volume instead: <EwfContainer size=33833353216 vs=None> [dissect.target.target]
{
  "hostname": "BASE-RD-04",
  "domain": "shieldbase.lan",
  "ts": "2018-08-28T21:38:03.028999+00:00",
  "path": "C:\\Users\\spsql\\Documents\\20180827\\PowerShell_transcript.BASE-RD-04.UQlzsLK+.20180827162849.txt",
  "filesize": 13617,
  "deleted_path": "c:\\$recycle.bin\\S-1-5-21-3445421715-2530590580-3149308974-1193\\$I276F68.txt",
  "source": "c:/$recycle.bin/S-1-5-21-3445421715-2530590580-3149308974-1193/$I276F68.txt",
  "username": "spsql",
  "user_id": "S-1-5-21-3445421715-2530590580-3149308974-1193",
  "user_group": null,
  "user_home": "C:\\Users\\spsql",
  "_source": "base-rd-04-cdrive.E01",
  "_classification": null,
  "_generated": "2024-05-21T20:05:14.588243+00:00",
  "_version": 1
}