sepinf-inc / IPED

IPED Digital Forensic Tool. It is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

Improved Handling of Recycle Bin Files #2127

Open clementepaixao opened 3 months ago

clementepaixao commented 3 months ago

I have a case with multiple files of interest in the Windows Recycle Bin that can be identified by their original name. To search for them, I had to manually look for the $I of each file and check its content.

IPED marks these files as active (places them in the Recycle Bin category) and only identifies the files with the names $RXXXXXX (content) and $IXXXXXX (metadata, including the original name).

In the file system these files are active, but for the user they are deleted, which can lead to misinterpretation. Perhaps their deleted flag should be turned on.

Suggestions:

  1. Use the original file name (instead of $RXXXXXX) and have a property indicating that it was in the Recycle Bin and that the names in the file system are $RXXXXXX and $IXXXXXX;
  2. Add the original name as metadata of the $RXXXXXX files.

I prefer the first suggestion but the second one looks simpler and would solve most cases.

lfcnassif commented 3 months ago

Thanks @clementepaixao for the suggestion. At first I prefer the second option, to avoid hiding the real file system information. But the application already does much more complex transformations on some kinds of data and it would be more user friendly to non tech users.

Not changing the FS info would be aligned with a future Metadata refactoring, proposed in #1195, where FS info would be prefixed with a fs: prefix. But it is a backwards incompatible change, possibly for iped 5.0, which is currently not scheduled for the near future.

lfcnassif commented 3 months ago

Opinions from other DEVs about which approach would be better?

wladimirleite commented 3 months ago

I prefer the second option.

lfcnassif commented 3 months ago

@markmckinnon, one of Autopsy's main developers, sent the suggestion below to me privately and allowed me to share it here, thanks Mark!

"What we do is parse the recycle bin metadata and create a data artifact for it. We then add the file back into the Files system as a deleted file so that the investigator can also see the file where it was deleted from and what files are around it. I believe this gives the best information to the examiner"
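The two ideas running through this thread, reading the original name out of each $I record (first post) and pairing it with its $R sibling to emit a deleted-file artifact (Mark's description), can be shown end to end with a small parser. The following is an added example written for this issue, not IPED or Autopsy code. It assumes the documented on-disk $I layout: a 24-byte header (8-byte version, 8-byte original size, 8-byte FILETIME deletion time), followed by a fixed 520-byte UTF-16LE path in version 1 (Vista to 8.1) or a 4-byte character count plus a UTF-16LE path in version 2 (Windows 10 and later). The function names and the sample Recycle Bin folder contents are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def build_dollar_i(version: int, size: int, deleted: datetime, original_path: str) -> bytes:
    """Construct a sample $I record (test data, not an evidence file) in the v1 or v2 layout."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        # v1: 260 UTF-16LE characters (520 bytes), NUL padded
        return header + original_path.encode("utf-16-le").ljust(520, b"\x00")
    if version == 2:
        # v2: character count (including the terminating NUL), then the path
        encoded = (original_path + "\x00").encode("utf-16-le")
        return header + struct.pack("<I", len(encoded) // 2) + encoded
    raise ValueError(f"unsupported $I version {version}")


def parse_dollar_i(data: bytes) -> dict:
    """Decode a $I record into version, original size, deletion time and original path."""
    if len(data) < 24:
        raise ValueError("$I record too short for the 24-byte header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("$I v2 path is truncated")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "original_path": path}


def recycle_bin_artifacts(entries: dict) -> list:
    """entries maps file names inside one per-SID Recycle Bin folder to their bytes.
    Every $I record is paired with the $R file sharing its suffix, and an artifact
    is emitted that keeps the FS names, adds the original name as metadata and
    carries an explicit deleted flag (suggestion 2 plus the deleted-file view)."""
    artifacts = []
    for name, content in entries.items():
        if not name.startswith("$I"):
            continue
        meta = parse_dollar_i(content)
        r_name = "$R" + name[2:]
        original_name = meta["original_path"].replace("\\", "/").rsplit("/", 1)[-1]
        artifacts.append({
            "fs_name": r_name,
            "fs_metadata_name": name,
            "original_path": meta["original_path"],
            "original_name": original_name,
            "deleted_time": meta["deleted"],
            "size": meta["size"],
            "content_present": r_name in entries,  # $R may already be gone
            "deleted": True,
        })
    return artifacts


# Constructed sample folder: one complete $I/$R pair (v2) and one orphan $I (v1).
SAMPLE_BIN = {
    "$IK3F9Q2.docx": build_dollar_i(2, 4096, datetime(2024, 5, 2, 14, 30, tzinfo=timezone.utc),
                                    r"C:\Users\alice\Documents\contract.docx"),
    "$RK3F9Q2.docx": b"PK\x03\x04constructed-content",
    "$IZ7H1P0.txt": build_dollar_i(1, 12, datetime(2013, 1, 1, tzinfo=timezone.utc),
                                   r"C:\Users\alice\Desktop\notes.txt"),
}

if __name__ == "__main__":
    for art in recycle_bin_artifacts(SAMPLE_BIN):
        print(art["fs_name"], "->", art["original_path"], art["deleted_time"].isoformat(),
              "content present:", art["content_present"])
```

The orphan $I case matters in practice: after the Recycle Bin is emptied the $R content can be gone while the $I record survives, so an artifact built from $I alone still records the original name, size and deletion time even when there is nothing to carve.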