Bruce recently needed to parse out some deleted files that were in the recycle bin of a Windows 7 image, but the corresponding $R files were gone. He restored several of the shadow volume instances and found several of the $I files, but the $R files were not present. He needed a way to parse just the $I index files and build a report.
Bruce ended up writing a simple EnScript to parse selected $I files in the recycle bin of a Vista/7 image. He sent me the EnScript to post so others can learn from it.
/*
Windows 7 Recycle Bin Report (Version: 1.0)
Select $I files found in the Windows 7 $Recycle.Bin folder that you want decoded
Enscript will create a tab-delimited file in the case export folder
Created by: Bruce W. Pixley, CISSP, EnCE
Date: 12/1/2010
*/
You can read the comments inside the EnScript for specific details of how he is parsing the data.
You can download a copy of the EnScript here
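The EnScript itself is not reproduced on this page, so the following is an added example (my own code, not Bruce's EnScript) showing the same $I decoding in Python: the version-1 layout used by Vista/7 is an 8-byte header, an 8-byte original file size, an 8-byte FILETIME deletion timestamp, and a fixed 520-byte UTF-16 original path. The size is read as an unsigned 64-bit value, so files over 2 GB report correctly, and the FILETIME is converted from 100-nanosecond ticks since 1601 rather than trusting any intermediate 32-bit arithmetic. The sample $I record, its path and its timestamp are constructed here for illustration and do not come from any real image; the version-2 branch (Windows 10, length-prefixed path) goes beyond what the post covers.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
VISTA7_PATH_BYTES = 520  # version 1: fixed 260 UTF-16 code units for the path


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the sample record."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data):
    """Decode one $I index file (bytes) into a dict of its fields."""
    if len(data) < 24:
        raise ValueError("too short to be an $I file")
    # All three leading fields are unsigned 64-bit little-endian. Keeping the
    # size as a 64-bit value avoids the 32-bit truncation noted in the comments.
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Vista/7: fixed-length, NUL-padded UTF-16 path
        raw = data[24:24 + VISTA7_PATH_BYTES]
    elif version == 2:
        # Windows 10: 4-byte character count (including the NUL) precedes the path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I header version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}


def report_line(record, i_name):
    """One tab-delimited row: $I file name, original path, size, deletion time (UTC)."""
    return "\t".join([i_name, record["path"], str(record["size"]),
                      record["deleted"].strftime("%Y-%m-%d %H:%M:%S")])


def build_sample_i_file():
    """Constructed version-1 (Vista/7) $I record; not taken from any real image."""
    path = r"C:\Users\bruce\Documents\evidence.dd".encode("utf-16-le")
    ft = datetime_to_filetime(datetime(2010, 12, 1, 12, 0, 0, tzinfo=timezone.utc))
    size = 5 * 1024 ** 3  # 5 GiB: does not fit in a signed 32-bit int
    return struct.pack("<QQQ", 1, size, ft) + path.ljust(VISTA7_PATH_BYTES, b"\x00")


if __name__ == "__main__":
    # The $I file name is also a constructed placeholder.
    rec = parse_i_file(build_sample_i_file())
    print(report_line(rec, "$IABC123.dd"))
```

To run it against real evidence, read each $I file exported from $Recycle.Bin\<SID>\ as bytes, pass it to parse_i_file, and write one report_line per file to a tab-delimited report; compare a few timestamps against a manual decode of bytes 16-23, as one commenter below did, before trusting the output.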
Hi Lance
Some years ago I had the privilege of attending an Internet and Email class in Pasadena which Bruce taught on his own. It was probably the best-taught class I have ever attended, and I agree with your sentiments about Bruce wholeheartedly. Guidance lost a good instructor when they let him leave to go to another job.
Gary Probert
Gwent Police UK
Beware: the script above uses a variable of type int to store the deleted file size. If it's a large file, the script will display inaccurate values.
LT, thanks for the info. Do you have a suggestion on how you would fix it?
We are now experiencing anomalies with it reporting incorrect deleted time. Confirmed by manually decoding the bytes containing the date/time. Any update expected to come?
I have updated the EnScript. Just download the update from the original link above.
I am getting an error when using this EnScript in EnCase 7. The error indicates that EntryRoot is not a member of CaseClass.
@AxisForensics - This is an EnCase v6 EnScript.