Showing posts with label Windows 7. Show all posts

Wednesday, December 1, 2010

Windows 7 Recycle Bin EnScript

I recently received an email from a friend who I had worked closely with years ago and who I have always considered to be a mentor. Every day we worked together he would challenge me and make me think about various forensic procedures and come up with innovative solutions. His name is Bruce Pixley and I miss working with him.

Bruce recently had a need to parse out some deleted files that were in the recycle bin of a Windows 7 image, but the corresponding $R files were gone. He restored several of the shadow volume instances and found several of the $I files, but the $R files were not present. He needed a way to parse just the $I index files and build a report.

Bruce ended up writing a simple EnScript to parse selected $I files in the recycle bin of a Vista/7 image. He sent me the EnScript to post as a learning process for others.

/*
Windows 7 Recycle Bin Report (Version: 1.0)
Select $I files found in the Windows 7 $Recycle.Bin folder that you want decoded
Enscript will create a tab-delimited file in the case export folder
Created by: Bruce W. Pixley, CISSP, EnCE
Date: 12/1/2010
*/


You can read the comments inside the EnScript for specific details of how he is parsing the data.

You can download a copy of the EnScript here
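As an added example (not Bruce's EnScript and not code from the original post), here is the same $I decoding written in Python. It assumes the Vista/7 version-1 $I layout (8-byte header with value 1, 8-byte original size, 8-byte FILETIME deletion time, 520-byte UTF-16LE original path), and the $I records it reads are constructed in the script rather than taken from an image.

```python
import struct
from datetime import datetime, timedelta, timezone

# Vista/7 $I record layout (format version 1, 544 bytes total):
#   offset 0  : 8-byte header, value 1
#   offset 8  : 8-byte original file size (little-endian)
#   offset 16 : 8-byte FILETIME of deletion (100 ns ticks since 1601-01-01 UTC)
#   offset 24 : 520-byte UTF-16LE original path, null padded (MAX_PATH chars)
I_RECORD_SIZE = 544
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_i_record(data):
    """Decode one $I record; raises ValueError on truncation or an unknown header."""
    if len(data) < I_RECORD_SIZE:
        raise ValueError("truncated $I record (%d bytes)" % len(data))
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version != 1:
        raise ValueError("unsupported $I header %d (Vista/7 uses 1)" % version)
    path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    return {"size": size, "deleted": filetime_to_datetime(ft), "path": path}

def build_i_record(size, deleted, path):
    """Construct a sample $I record (test data only, not taken from an image)."""
    encoded = path.encode("utf-16-le")
    if len(encoded) > 518:
        raise ValueError("path longer than MAX_PATH")
    return struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted)) + encoded.ljust(520, b"\x00")

def report(records):
    """records: iterable of ($I file name, raw bytes) -> tab-delimited report lines."""
    lines = ["$I file\tOriginal path\tSize (bytes)\tDeleted (UTC)"]
    for name, data in records:
        try:
            r = parse_i_record(data)
        except ValueError as exc:
            lines.append("%s\t<unparsed: %s>\t\t" % (name, exc))  # keep the row, flag the problem
            continue
        lines.append("%s\t%s\t%d\t%s" % (name, r["path"], r["size"],
                                         r["deleted"].strftime("%Y-%m-%d %H:%M:%S")))
    return lines

# Constructed sample input: one valid $I record and one truncated one.
SAMPLE = [
    ("$IABC123.docx", build_i_record(20480, datetime(2010, 12, 1, 15, 30, 0, tzinfo=timezone.utc),
                                     r"C:\Users\bruce\Documents\notes.docx")),
    ("$IDEF456.txt", b"\x01" + b"\x00" * 40),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Writing the returned lines to a .txt file gives the same kind of tab-delimited report the EnScript produces, with no dependency on the $R files being present.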


Sunday, January 10, 2010

Windows 7 Forensics - Part IV - Thumbcache_*.db

Windows 7 creates small thumbnail images of graphic files the same way previous versions of Windows do; nothing new here. It stores the thumbnails in the same location as Windows Vista:

C:\Users\%username%\AppData\Local\Microsoft\Windows\Explorer

There are files named Thumbcache_32.db, Thumbcache_96.db, Thumbcache_256.db & Thumbcache_1024.db which correspond to the thumbnails stored for that specific user account and size.

Currently, the latest release of EnCase (6.15.0.82) does *not* parse these files correctly. The structure has slightly changed, so if you try to view the contents of any of the "thumbcache" files, EnCase will mount them without error, but they will appear empty. You can, however, use the File Finder module to carve JPG images out of the *.db files.

If anyone is using any other tools and can confirm they handle these new Windows 7 thumbcache files correctly, please post the name in the comments so everyone can benefit and have a tool until EnCase incorporates this support.

Saturday, December 26, 2009

Forensic review of Windows 7 - Part II - File system

Windows 7 supports the same file systems that Windows Vista supports, i.e. FAT, NTFS & exFAT. Internally, Windows 7 uses the same underlying file system as Windows Vista, NTFS version 3.1. Windows 7 continues to utilize the transactional filesystem database, located in the \$Extend\$RmMetadata folder.

Windows 7 still does not update the last accessed timestamp unless another timestamp (written) is also updated. This behaviour is controlled by a registry setting that has been available since Windows 2000 but was not enabled by default until Vista.



The exFAT filesystem used in Windows 7 is the same as the version used in Windows Vista and is designed for removable drives. The latest version of EnCase supports the exFAT file system and will display the exFAT volume contents similar to this example:



When formatting external drives and flash devices, Windows 7 will completely WIPE the contents of the volume UNLESS the "QUICK FORMAT" option is selected, regardless of whether NTFS, FAT or exFAT is used. When the "QUICK FORMAT" option is selected, the prior data remains in unallocated space of the newly created volume and can be carved.

Thursday, December 24, 2009

Forensic review of Windows 7 - Part I

Over the next few weeks, I will be documenting and posting some basic information about Windows 7 from a forensic perspective. I know many of you may have already encountered a Windows 7 box or have been exploring it yourself. Please feel free to post comments with whatever little forensic nuggets you have found useful.

Initially looking at a Windows 7 image, it closely resembles a Windows Vista installation (no surprise there). There are a few small differences and changes which I will document with additional posts.

Starting off simple, here is a view of a clean Windows 7 install.


Take note that there are two separate partitions. During a clean install where the disk does not contain any pre-existing partitions, the Windows 7 installation process creates two partitions, even though you specify one partition. The installation process warns you that an additional partition may be created, and in fact a 100MB "hidden" partition is created. There is a little trickery you can do to avoid the 100MB partition, but it's not intuitive and a typical user is unlikely to know how to prevent it from being created, so you are likely to see two separate partitions: one 100MB, and the main partition, which by default is the remainder of the physical disk. The second partition is important because it will likely skew any link files you review. EnCase assigns drive letters in the order in which the partitions are encountered in the partition table, so the hidden partition gets the "C" volume letter, even though it is really a hidden partition and does not get a letter assignment in Windows. The main partition gets a "D" assignment, but really it is "C". The contents of any shortcut files will point to "C", which in EnCase is "D".

If the disk has a partition scheme already defined (i.e. it has an older version of windows or it was partitioned prior to starting the installation) then it continues to just use the one defined partition or whatever partitions were defined prior to starting the installation process.

A view of the typical default folders. Looks very "Vista-ish".


A view of a user's profile:



Internet History folders:

For the most part, if you have done an exam on a Vista machine, you will feel right at home with a Windows 7 image and should have no problem finding the common locations for artifacts.

Computer Forensics, Malware Analysis & Digital Investigations
