Recycle Bin Forensics in Windows 7 and Vista
Microsoft has significantly changed how files and their corresponding details are represented within the Recycle Bin in Windows 7 and Vista. In Windows XP, when files were placed into the Recycle Bin they were placed within a hidden directory named \Recycler\%SID% where %SID% is the SID of the user that performed the deletion. The files were renamed D%drive_letter%%index_number%.%file_extension% where %drive_letter% is the original drive letter of the file, %index_number% is an index number, and %file_extension% is the original file’s extension. Additionally, a file named INFO2 was placed in the user’s Recycler directory and it container entries, identified by index number, which described the original files size, full path/name, and size.
In Windows 7 and Vista, Microsoft did away with the INFO2 file and completely changed the way files were named and indexed within the Recycle Bin. Firstly, the new Recycle Bin is located in a hidden directory named \$Recycle.Bin\%SID%, where %SID% is the SID of the user that performed the deletion. Secondly, when files are moved into the Recycle Bin, the original file is renamed to $R followed by a set of random characters, but maintaining the original file extension. At the same time a new file beginning with $I followed by the same set of random characters given to the $R file and the same extension, is created; this file contains the the original filename/path, original file size, and the date and time that the file was moved to the Recycle Bin. You’ll also notice at all of the $I files are exactly 544 bytes long.
The behavior is a bit different when you move a directory to the Recycle Bin. The directory name itself is renamed to $R followed by a set of random characters, but the files/directories under that directory maintain their original names. A $I file is created just as when deleting an individual file that contains the original directory name, date/time deleted, and size. When utilizing the information contained in the $I file for forensic purposes, you can safely report that all files found under the $R directory structure within the Recycle Bin were deleted at the same time (and all at once). If a file was previously deleted out of the now deleted directory (but not yet removed from the Recycle Bin), it would have it’s own $R and $I files and not be grouped with the files that were deleted as part of the directory deletion action.
Unfortunately, unlike the INFO2 file, the new $I files are not in plain/readable text. In order to decode a $I files, you could use a forensic tool that has the ability to interpret these files (I belive that Encase and FTK can do this), or you can simply open the file up in a hex editor. The file is structured as follows:
- Bytes 0-7: $I File header – always set to 01 followed by seven sets of 00.
- Bytes 8-15: Original file size – stored in hex, in little-endian.
- Bytes 16-23: Deleted date/time stamp – represented in number of seconds since Midnight, January 1, 1601. Use a program such as Decode to assist with figuring out the exact date/time, if you don’t want to do the math .
- Bytes 24-543: Original file path/name.
So – break out your hex editors and take a look. The new Vista/Windows 7 Recycle Bin is just as easy to deal with as the XP one – in fact, when it comes to whole directory deletions, I personally find it easier to work with…sometimes change is a good thing!