Windows 7 Recycle Bin EnScript
I recently received an email from a friend who I had worked closely with years ago and who I have always considered to be a mentor. Everyday we worked together he would challenge me and make me think about various forensic procedures and come up with innovative solutions. His name is Bruce Pixley and I miss working with him.
Bruce recently had a need to parse out some deleted files that were in the recycle bin of a Windows 7 image, but the corresponding $R files were gone. He restored several of the shadow volume instances and found several of the $I files, but the $R files were not present. He needed a way to parse just the $I index files and build a report.
Bruce ended up writing a simple EnScript to parse selected $I files in the recycle bin of a Vista/7 image. He sent me the EnScript to post as a learning process for others.
/*
Windows 7 Recycle Bin Report (Version: 1.0)
Select $I files found in the Windows 7 $Recycle.Bin folder that you want decoded
Enscript will create a tab-delimited file in the case export folder
Created by: Bruce W. Pixley, CISSP, EnCE
Date: 12/1/2010
*/
ShareThis
Posts
1 comments:
Hi Lance
Some years ago I had the privilege of attending an Internet and Email class in Pasadena which Bruce taught on his own.
It was probably the best taught class I have ever attended and I agree with your sentiments about Bruce wholeheartedly
Guidance lost a good instructor when they let him leave to go to another job
Gary Probert
Gwent Police UK
Post a Comment