OS and Application Files BACS 371 Computer Forensics

Upload: maud-spencer

Post on 24-Dec-2015

Page 1: OS and Application Files BACS 371 Computer Forensics

OS and Application Files

BACS 371 Computer Forensics

Page 2

Software

Operating Systems
  Recycle Bin
  Temp Directory
  Backup Files
  Printer Spool Files
  Windows Registry
  Swapping/Paging

Applications
  Temporary Internet Files
  Temp Files
  Application Specific Files

Page 3

Recycle Bin (pre-Vista)

When you delete a file in Windows Explorer or My Computer, the file appears in the Recycle Bin. The file remains in the Recycle Bin until you empty the Recycle Bin or restore the file.

Older files are also removed from the Recycle Bin when newer files are deleted and the Recycle Bin exceeds the maximum size allocated in Recycle Bin properties.

Each hard disk contains a hidden folder named Recycled. This folder contains files deleted in Windows Explorer or My Computer, or in Windows-based programs.

When you delete a file, the complete path and file name are stored in a hidden file on the computer. This file has different names and locations depending on the OS; in the Recycled folder it is called Info or Info2. The deleted file is renamed using the following syntax: D<original drive letter of file><#>.<original extension>

Examples:
  New file name: Dc1.txt (C drive, second file deleted, a .txt file); INFO file path: C:\Windows\Desktop\Books.txt
  New file name: De7.doc (E drive, eighth file deleted, a .doc file); INFO file path: E:\Winword\Letter to Rosemary.doc

Page 4

Recycle Bin (Vista & Windows 7)

In Windows 7 and Vista, Microsoft did away with the INFO2 file and completely changed the way files are named and indexed within the Recycle Bin.

The new Recycle Bin is located in a hidden directory named $Recycle.Bin\%SID%, where %SID% is the SID of the user that performed the deletion.

When a file is moved into the Recycle Bin, the original file is renamed to $R followed by a set of random characters, keeping the original file extension. At the same time a new file beginning with $I, followed by the same set of random characters given to the $R file and the same extension, is created; this file contains the original filename/path, the original file size, and the date and time that the file was moved to the Recycle Bin.

All of the $I files are exactly 544 bytes long.
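Parsing both naming schemes from the preceding two slides, as an added example that is not part of the slides: a regex for pre-Vista D<drive><#>.<ext> names and a parser for the 544-byte Vista/7 $I record. The slides give only the $I size and contents; the 8/8/8/520-byte field layout used here is assumed from public format notes, and all sample values are constructed.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DOLLAR_I_SIZE = 544     # fixed length of a Vista/7 $I record, as the slides state
PATH_FIELD_BYTES = 520  # 260 UTF-16LE characters (MAX_PATH); assumed layout, see below

# Pre-Vista Recycled naming: D<drive letter><sequence number>.<original extension>
RECYCLED_NAME = re.compile(r"^D([A-Za-z])(\d+)(\.[^.\\]*)?$")

def parse_recycled_name(name):
    """Split a pre-Vista Recycled entry such as Dc1.txt into (drive, sequence, extension)."""
    m = RECYCLED_NAME.match(name)
    if not m:
        raise ValueError(f"not a Recycled-style name: {name!r}")
    return m.group(1).upper(), int(m.group(2)), m.group(3) or ""

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer arithmetic keeps large values exact."""
    d = dt - WIN_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_dollar_i(data):
    """Parse a Vista/Windows 7 $I record. Layout assumed from public format notes (not from
    the slides): 8-byte version (1), 8-byte original size, 8-byte deletion FILETIME, then
    the original path as 260 null-padded UTF-16LE characters: 8 + 8 + 8 + 520 = 544 bytes."""
    if len(data) != DOLLAR_I_SIZE:
        raise ValueError(f"$I record must be {DOLLAR_I_SIZE} bytes, got {len(data)}")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version != 1:
        raise ValueError(f"unexpected $I version {version}")
    path = data[24:24 + PATH_FIELD_BYTES].decode("utf-16-le").split("\x00", 1)[0]
    return {"original_path": path, "original_size": size,
            "deleted_at": filetime_to_datetime(deleted_ft)}

def build_sample_dollar_i(path, size, deleted_at):
    """Build a constructed $I record for testing; sample data, not a real artefact."""
    encoded = path.encode("utf-16-le")[:PATH_FIELD_BYTES]
    return struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted_at)) + encoded.ljust(PATH_FIELD_BYTES, b"\x00")

# Constructed sample: a file deleted by a hypothetical user "alice" on 24 Dec 2015.
SAMPLE_DELETED_AT = datetime(2015, 12, 24, 10, 30, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\alice\Documents\notes.txt"
SAMPLE_RECORD = build_sample_dollar_i(SAMPLE_PATH, 1234, SAMPLE_DELETED_AT)
```

On a real image, read each $I file from $Recycle.Bin\<SID>\ with `open(path, "rb").read()` and pass the bytes to `parse_dollar_i`; the matching $R file holds the content.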

Page 5

Hidden Recycler Directory (pre-Vista)

Page 6

INFO2 File

Page 7

Hidden Recycler Directory (post-Vista)

Page 8

Temp Directory

Page 9

Backup

Search for BACKUP.LOG

Page 10

Spool Files

Simultaneous Peripheral Operations On-Line

  Temporary files used during input/output operations
  Typically used to allow printers to run in the “background”
  Typically deleted after the print job is complete
  May be printer specific – check settings for Server Properties

Page 11

WinXP Spool File Default

Page 12

While Printing

After Printing

Page 13

Windows Registry

A database which stores:
  Hardware and software configuration information
  User preferences (incl. user name and passwords)
  Setup information

Viewed with Regedit (www.microsoft.com/windows/reskits/default.asp)

Can be used to view:
  Last person to log on
  Most recently accessed files
  Most recently accessed devices
  Application specific information
    Internet sites accessed
    Recent files
    Chat rooms accessed
    …

Page 14

WinXP Registry Hives

  HKEY_CLASSES_ROOT
  HKEY_CURRENT_USER
  HKEY_LOCAL_MACHINE
  HKEY_USERS
  HKEY_CURRENT_CONFIG

Created from files located at \WINDOWS\System32\Config: SAM, SECURITY, SOFTWARE, SYSTEM

Page 15

Registry Files

            “In Use”                                  “Backup”
Win95       System.DAT, User.DAT                      System.DA0, User.DA0
Win98/Me                                              RB001.CAB, RB002.CAB, RB003.CAB, RB004.CAB, RB005.CAB
WinXP       In C:\WINDOWS\SYSTEM32\CONFIG\:
            System, Software, Sam, Security, Default

REGEDIT /L: (system.dat) /R: (user.dat) /E outfile.txt

Page 16

Windows XP Registry

Filename     Location                                 Contents
ntuser.dat   \Documents and Settings\<user account>   Protected Storage, Most Recently Used, User Preferences
             (one for each user on the system)
Default      \Windows\system32\config                 System Settings
SAM          \Windows\system32\config                 User account management and security settings
Security     \Windows\system32\config                 Security Settings
Software     \Windows\system32\config                 All installed programs, their settings, and any usernames and passwords associated with them
System       \Windows\system32\config                 System Settings

Page 17

WinXP Registry

\Windows\System32\Config

Run… Regedit

Page 18

Windows 7 Registry

Page 19

Registry Entries

Page 20

Most Recently Used (MRU) Listings

HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\Open Find

Page 21

Registry – Uninstall Key

May show software installed currently or in the past on the system

Page 22

Registry – Date Last Used

Registry key for file execution: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Page 23

ROT13

http://en.wikipedia.org/wiki/ROT13
http://www.rot13.com/index.php

Page 24

ROT13 Translation

Page 25

Temporary Internet Files

Internet Explorer History File (index.dat)

http://www.mandiant.com/webhistorian.htm

Page 26

INDEX.DAT Files

Page 27

INDEX.DAT

Page 28

URL (Local File): The URL from which the file came, including the original file name on that website.

User Name: The Windows user name logged on at the time the file was saved.

Last Accessed: The date and time the URL was last accessed by the client.

Last Modified: The date and time the content was last modified on the server.

Last Checked: Last sync time.

Expires: A field that can be optionally specified by the website designer for certain files which are "session" files, ones that expire at the end of the browsing session at that site. (Most files will be "persistent".) The website indicates when the browser should discard the cache entry and go back to the web site.

Hits: Reflects how many accesses have been made to that URL. It can go up from redirects or cookie redirects to ad sites.

Use Count: Reflects how many users have used the cache entry in a shared cache on Windows 98 systems with multiple user profiles set up. On Windows 2000/XP, it is almost always 0, because each user gets their own set of index.dat files.

Page 29

INDEX.DAT Decoded

Page 30

Temporary Internet Files Directory

Internet Explorer saves copies of many things that are displayed on the screen when you surf the web. These include:
  downloads
  images (including embedded images on web pages)
  cached pages
  cookies
  etc.

This is a good source of evidence.

Page 31

Page/Swap File

Persistent or temporary? Determine by:

HKEY_LOCAL_MACHINE\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
  0 = do not overwrite
  1 = overwrite

Page 32

Overwrite Page File at Shutdown?

Page 33

Application Temporary Files

Search *.tmp

Page 34

Application Specific Files

Specific database, backup, or temporary files used by applications