Wednesday, December 1, 2010

Windows 7 Recycle Bin EnScript

I recently received an email from a friend with whom I had worked closely years ago and whom I have always considered a mentor. Every day we worked together he would challenge me, make me think about various forensic procedures, and come up with innovative solutions. His name is Bruce Pixley and I miss working with him.

Bruce recently had a need to parse out some deleted files that were in the recycle bin of a Windows 7 image, but the corresponding $R files were gone. He restored several of the shadow volume instances and found several of the $I files, but the $R files were not present. He needed a way to parse just the $I index files and build a report.

Bruce ended up writing a simple EnScript to parse selected $I files in the recycle bin of a Vista/7 image. He sent me the EnScript to post as a learning process for others.

/*
Windows 7 Recycle Bin Report (Version: 1.0)
Select $I files found in the Windows 7 $Recycle.Bin folder that you want decoded
Enscript will create a tab-delimited file in the case export folder
Created by: Bruce W. Pixley, CISSP, EnCE
Date: 12/1/2010
*/


You can read the comments inside the EnScript for specific details of how he is parsing the data.

You can download a copy of the EnScript here
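For readers who want to see what the EnScript is decoding, here is an added Python example (not Bruce's EnScript and not from the original post) that parses a $I record and emits the same kind of tab-delimited row. It goes a little beyond the post: it also handles the Windows 10 version-2 layout, and it stores the original size as a 64-bit value so files over 4 GiB report correctly. The $I sample bytes are constructed in the code, and the $I filename and path are made-up values.

```python
import struct
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_dollar_i(data):
    """Decode one $I record. Layout: 8-byte version, 8-byte original size,
    8-byte FILETIME of deletion, then the original path (UTF-16LE).
    Version 1 (Vista/7/8): fixed 520-byte, null-padded path field.
    Version 2 (Windows 10): 4-byte character count, then the path."""
    if len(data) < 24:
        raise ValueError("$I record too short (%d bytes)" % len(data))
    version, size, ft = struct.unpack_from("<QQQ", data, 0)  # size is 64-bit
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError("unknown $I version %d" % version)
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_utc(ft), "path": path}

def report_line(name, data):
    """One tab-delimited row, in the spirit of the EnScript's export:
    $I name, original size, deletion time (UTC), original path."""
    rec = parse_dollar_i(data)
    return "\t".join([name, str(rec["size"]),
                      rec["deleted"].strftime("%Y-%m-%d %H:%M:%S"), rec["path"]])

def build_v1_record(size, deleted, path):
    """Constructed version-1 record for testing; not taken from a real image."""
    d = deleted - _FILETIME_EPOCH
    ft = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    return struct.pack("<QQQ", 1, size, ft) + path.encode("utf-16-le").ljust(520, b"\x00")

# Constructed sample: a 5 GiB file, so the size does not fit a 32-bit int
SAMPLE_I = build_v1_record(5 * 2**30,
                           datetime(2010, 12, 1, 15, 30, tzinfo=timezone.utc),
                           r"C:\Users\Bruce\Documents\report.pdf")

if __name__ == "__main__":
    print(report_line("$IABC123.pdf", SAMPLE_I))
    print("size if truncated to 32 bits:", parse_dollar_i(SAMPLE_I)["size"] & 0xFFFFFFFF)
```

The last print shows what a 32-bit size field would have reported for the 5 GiB sample (1 GiB), which is the inaccuracy described in the comments below.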


7 comments:

Anonymous Friday, 03 December, 2010  

Hi Lance

Some years ago I had the privilege of attending an Internet and Email class in Pasadena which Bruce taught on his own.

It was probably the best taught class I have ever attended and I agree with your sentiments about Bruce wholeheartedly.

Guidance lost a good instructor when they let him leave to go to another job.

Gary Probert
Gwent Police UK

LT Kiley Wednesday, 26 February, 2014  

Beware the script above uses a variable of type int to store the deleted file size. If it's a large file, the script will display inaccurate values.

Lance Mueller Wednesday, 26 February, 2014  

LT, thanks for the info. Do you have a suggestion on how you would fix it?

Ryan Frye Tuesday, 06 May, 2014  

We are now experiencing anomalies with it reporting incorrect deleted time. Confirmed by manually decoding the bytes containing the date/time. Any update expected to come?

Lance Mueller Tuesday, 06 May, 2014  

I have updated the EnScript. Just download the update from the original link above.

AxisForensics Thursday, 07 May, 2015  

I am getting an error when using this EnScript in EnCase 7. The error indicates that EntryRoot is not a member of CaseClass.

Lance Mueller Thursday, 07 May, 2015  

@AxisForensics - This is an EnCase v6 EnScript.
