Deleted Files Soup to Nuts.


1 Deleted Files Soup to Nuts

2 What happens when a user deletes a file?
How do our tools handle the Recycle Bin?
Why do our tools report stuff that isn’t there and don’t report stuff that is?
What are the limits of automated file carving?
How can we use corrupted files in a forensic setting?
How can we deal with secure deletion?

3 How do our tools handle the Recycle Bin?

4 Recycler (NTFS) / Recycled (FAT)
Tracks by SID in NTFS; all user access in FAT.
Displays only the active user in NTFS.
Renames files Dc#.ext; tracks the name change in the INFO2 file.
FAT: 280 byte records. NTFS: 800 byte records.

5 INFO2 File Structure
Header: 20 bytes.
Bytes 0-3: File signature.
Bytes 13-14: Record length: 20 03 (0320xh = 800xd) or 18 01 (0118xh = 280xd).

6 INFO2 fields: file signature; record size; ASCII filename; record number; drive letter; 64-bit deletion time; size; Unicode filename.

7 INFO2 Header
Number of unpurged entries (63xd). Number of records (67xd). Example of a purged record. Unknown. Forensics sources seem to have ignored the red and blue bytes.

8 Windows 7 and Vista Recycle Bin
File names are replaced with $R<random>.<ext>: <random> includes letters and numbers; <ext> is the original extension. Recycled folders are stored with file names and archives intact. The file contents are the same as the original.

9 Windows 7 and Vista Recycle Bin
A second file is created with the name $I<random>.<ext>. This file contains the original filename/path, the original file size, and the 64-bit time that the file was moved to the Recycle Bin. $I files are all 544 bytes.

10 Note: Modification dates for $R files are the same as the originals, but $I files are created at the time the original file is moved to the Recycle Bin.

11 Filenames and metadata remain in archives
Archive files retain internal file system metadata.

12 The Modified, Accessed, and Created times within an archive are unchanged (of course).

13 $I File Structure
Bytes 0-7: $I file signature.
Bytes 8-15: Original file size.
Bytes 16-23: Time of deletion, 64-bit NT time/date format.
Bytes : Original file path/name, Unicode.

14 Note the total length of 22350 bytes (574Exh bytes).

15 Note the total length of 22350 bytes (574Exh bytes).
The graphic does not portray the end of file. That would have been a nice touch; don’t you think? Also note that we have shifted from the $I file to the $R file.

16 Superman.gif is 22 KB: 22,350 bytes / 1024 bytes/KB = 21.8 KB.

17 The 64-bit time matches the modified time (all three MAC times).
The $I file is created at the time of deletion.
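The $I layout from slide 13 and the INFO2 header and record layout from slides 4-7 can be decoded with a short Python script. The following is an added example written for this transcript, not code from the presentation or from Loper Forensic. The $I offsets (0-7 signature, 8-15 size, 16-23 FILETIME, 24 onward UTF-16 path, 544 bytes total) come from the slides; the INFO2 record field offsets, the header offset of the record-size field (12, which is the slide's 13th byte counted from one), and the rule that a purged record has its first ASCII byte zeroed are assumptions taken from the commonly documented INFO2 layout. The files it parses are constructed inside the block.

```python
import struct
from datetime import datetime, timedelta, timezone

# Sizes stated on the slides: INFO2 header 20 bytes, NTFS INFO2 records
# 800 bytes (FAT 280), Windows 7/Vista $I files 544 bytes.
INFO2_HEADER_LEN = 20
INFO2_RECORD_LENS = (800, 280)
I_FILE_LEN = 544
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Constructed deletion time used by the sample files below.
SAMPLE_TIME = datetime(2012, 3, 4, 5, 6, 7, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """64-bit NT time: 100-nanosecond intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used to build the constructed samples."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data):
    """Decode a $I file using the offsets from slide 13."""
    if len(data) != I_FILE_LEN:
        raise ValueError(f"$I file should be {I_FILE_LEN} bytes, got {len(data)}")
    sig, size, ft = struct.unpack_from("<QQQ", data, 0)
    path = data[24:].decode("utf-16-le").split("\x00", 1)[0]
    return {"signature": sig, "size": size, "deleted": filetime_to_datetime(ft), "path": path}


def parse_info2(data):
    """Decode INFO2 records. Field offsets (ASCII name at 0, record number at 260,
    drive at 264, FILETIME at 268, size at 276, Unicode name at 280) are assumed
    from the documented INFO2 layout; the slides give only the field order."""
    if len(data) < INFO2_HEADER_LEN:
        raise ValueError("short INFO2 header")
    rec_len = struct.unpack_from("<I", data, 12)[0]   # assumption: record size at header offset 12
    if rec_len not in INFO2_RECORD_LENS:
        raise ValueError(f"unexpected INFO2 record length {rec_len}")
    records = []
    for off in range(INFO2_HEADER_LEN, len(data) - rec_len + 1, rec_len):
        rec = data[off:off + rec_len]
        rec_no, drive = struct.unpack_from("<II", rec, 260)
        ft, size = struct.unpack_from("<QI", rec, 268)
        entry = {
            "record": rec_no,
            "drive": chr(ord("A") + drive),
            "deleted": filetime_to_datetime(ft),
            "size": size,
            # Assumption: a purged record has its first ASCII byte zeroed, so the
            # ASCII name disappears while the Unicode name survives.
            "purged": rec[0] == 0,
            "ascii_name": rec[:260].split(b"\x00", 1)[0].decode("ascii", "replace"),
        }
        if rec_len == 800:
            entry["unicode_name"] = rec[280:].decode("utf-16-le").split("\x00", 1)[0]
        records.append(entry)
    return records


def build_i_file(path, size, deleted):
    """Constructed sample $I file (not a real artifact)."""
    name = path.encode("utf-16-le")
    body = struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted))
    return body + name + b"\x00" * (I_FILE_LEN - len(body) - len(name))


def build_info2(entries, rec_len=800):
    """Constructed sample INFO2: entries are (path, drive_number, deleted, size, purged)."""
    out = bytearray(struct.pack("<I", 5) + b"\x00" * 8 + struct.pack("<I", rec_len) + b"\x00" * 4)
    for num, (path, drive, deleted, size, purged) in enumerate(entries, 1):
        rec = bytearray(rec_len)
        rec[:len(path)] = path.encode("ascii")
        if purged:
            rec[0] = 0
        struct.pack_into("<II", rec, 260, num, drive)
        struct.pack_into("<QI", rec, 268, datetime_to_filetime(deleted), size)
        if rec_len == 800:
            uname = path.encode("utf-16-le")
            rec[280:280 + len(uname)] = uname
        out += rec
    return bytes(out)


if __name__ == "__main__":
    print(parse_i_file(build_i_file(r"C:\Users\user\Superman.gif", 22350, SAMPLE_TIME)))
    for r in parse_info2(build_info2([(r"C:\Users\user\a.txt", 2, SAMPLE_TIME, 100, False)])):
        print(r)
```

The length check in parse_i_file is the first sanity test an examiner would apply: a $I file that is not 544 bytes is not the Windows 7/Vista format the slides describe, whatever its name says.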

18 Why do our tools report stuff that isn’t there and don’t report stuff that is?

19 File System is Metadata
The fundamental error in forensics thinking is mistaking the file system for the data on the disk. Operating systems and forensics tools encourage us to do this, but the organization of the file system is separated from the data on the disk by several layers of abstraction.

20 This is data on a disk. This is the output of a database called $MFT.

21 File System Artifacts vs. Data
File system artifacts are metadata presented as part of the file system. The distinction is illustrated by file names and other metadata read from the MFT, which may describe data that has since been overwritten.

22 $MFT Record Structure The Master File Table is a flat database with 1024 byte, fixed size records. Metadata describing the file associated with that MFT record number is arranged in a variable length stream of “attributes.”

23 Data on the Disk When unallocated space contains data, the data is almost always remnants of previously deleted files and folders. When the metadata describing such a file is deleted or overwritten, the individual data runs comprising the file’s data may still be present, but possibly unorganized or scattered. They may also be contiguous and thus easily carved.

24 BTW, I highly recommend Grok-NTFS
The NTFS structure in a mounted volume has more information than is found in the MFT. Other files contribute to the logical structure in a way that is analogous to the registry (built on boot from static files). From Grok-NTFS: “Folder records contain index information. Small folder records reside entirely within the MFT structure, while large folders are organized into B-tree structures and have records with pointers to external clusters that contain folder entries that cannot be contained within the MFT structure.”

25 $MFT Record Structure
The data streams (attributes) can be named or unnamed. Some are mandatory and some are conditional. Microsoft TechNet describes: Attribute List, Data, Object ID, Logged Tool Stream, Reparse Point, Index Root, Index Allocation, Bitmap, Volume Information, Standard Information, File Name.

26 $AttrDef
This NTFS file defines the attributes of an MFT record on the system in question.

Offset  Bytes  Description       Example
0x00    128    Label in Unicode  $STANDARD_INFORMATION
0x80    4      Type
0x84    4      Display rule      0
0x88    4      Collation rule    0
0x8C    4      Flags             (always resident)
0x90    8      Minimum size      48
0x98    8      Maximum size      72

$AttrDef contains 160 byte records for each of the attributes found in the MFT. Many are variable, but some are always present and defined with the same type number.

27 $MFT To Shift+Delete a file is to change the allocation status of the file (or folder) record in the $MFT.

28 01 00 01 00 02 00 00 00

29 All the metadata is still present in the MFT record and the data is still on the disk.
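To make the point of slides 22-29 concrete, here is an added example (not code from the presentation) that parses $AttrDef records using the offsets from the slide 26 table and shows a Shift+Delete as a one-bit change to the MFT record's in-use flag, with every other byte of the record untouched. The MFT record header offsets (0x10 sequence number, 0x12 link count, 0x14 first attribute offset, 0x16 flags) and the $AttrDef always-resident flag value 0x40 are not on the slides; they are assumptions taken from public NTFS layout documentation, and the records being parsed are constructed in the block.

```python
import struct

ATTRDEF_RECORD_LEN = 160   # slide 26
MFT_RECORD_LEN = 1024      # slide 22
# Assumption (public NTFS layout docs, not on the slides): $AttrDef flag 0x40 = always resident.
ATTRDEF_ALWAYS_RESIDENT = 0x40
# Assumptions (documented FILE record header, not on the slides).
MFT_FLAG_IN_USE = 0x01
MFT_FLAG_DIRECTORY = 0x02


def parse_attrdef(data):
    """Walk the 160-byte $AttrDef records using the offsets in the slide's table."""
    defs = []
    for off in range(0, len(data) - ATTRDEF_RECORD_LEN + 1, ATTRDEF_RECORD_LEN):
        rec = data[off:off + ATTRDEF_RECORD_LEN]
        label = rec[:0x80].decode("utf-16-le").split("\x00", 1)[0]
        if not label:                      # zero-filled record: end of the table
            break
        atype, display, collation, flags = struct.unpack_from("<IIII", rec, 0x80)
        min_size, max_size = struct.unpack_from("<QQ", rec, 0x90)
        defs.append({"label": label, "type": atype, "display_rule": display,
                     "collation_rule": collation, "flags": flags,
                     "always_resident": bool(flags & ATTRDEF_ALWAYS_RESIDENT),
                     "min_size": min_size, "max_size": max_size})
    return defs


def build_attrdef(entries):
    """Constructed $AttrDef: entries are (label, type, flags, min_size, max_size)."""
    out = bytearray()
    for label, atype, flags, lo, hi in entries:
        rec = bytearray(ATTRDEF_RECORD_LEN)
        name = label.encode("utf-16-le")
        rec[:len(name)] = name
        struct.pack_into("<IIII", rec, 0x80, atype, 0, 0, flags)
        struct.pack_into("<QQ", rec, 0x90, lo, hi)
        out += rec
    return bytes(out + bytearray(ATTRDEF_RECORD_LEN))   # terminating empty record


def mft_record_status(rec):
    """Header fields of a FILE record; None if it is not one."""
    if len(rec) != MFT_RECORD_LEN or rec[:4] != b"FILE":
        return None
    seq, links, first_attr, flags = struct.unpack_from("<HHHH", rec, 0x10)
    return {"sequence": seq, "links": links, "first_attr": first_attr,
            "in_use": bool(flags & MFT_FLAG_IN_USE),
            "directory": bool(flags & MFT_FLAG_DIRECTORY)}


def build_mft_record(in_use=True, directory=False, payload=b""):
    """Constructed FILE record; payload stands in for the attribute stream."""
    rec = bytearray(MFT_RECORD_LEN)
    rec[:4] = b"FILE"
    flags = (MFT_FLAG_IN_USE if in_use else 0) | (MFT_FLAG_DIRECTORY if directory else 0)
    struct.pack_into("<HHHH", rec, 0x10, 1, 1, 0x38, flags)
    rec[0x38:0x38 + len(payload)] = payload
    return bytes(rec)


def shift_delete(rec):
    """What slide 27 describes: clear the in-use flag; nothing else in the record changes."""
    out = bytearray(rec)
    flags = struct.unpack_from("<H", out, 0x16)[0]
    struct.pack_into("<H", out, 0x16, flags & ~MFT_FLAG_IN_USE)
    return bytes(out)


def bytes_changed(a, b):
    """Count differing bytes between two equal-length records."""
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    live = build_mft_record(payload=b"$STANDARD_INFORMATION $FILE_NAME $DATA ...")
    dead = shift_delete(live)
    print(mft_record_status(live), mft_record_status(dead), bytes_changed(live, dead))
```

Running it shows the deleted record still carries the FILE signature, the sequence number, the link count and the whole attribute stream; only one byte differs. That is why a tool reading the MFT can still name a file whose clusters have long since been reused.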

30 File Carving

31 File Carving
File carving techniques usually identify binary patterns at known offsets within files. For efficiency’s sake, these patterns can be sought at cluster boundaries. File carving software does not use file system metadata to identify data runs, so only files stored in sequential clusters can be carved*.
* New techniques can recover non-sequential sectors—sometimes.

32 File Carving Walk-through
The sample data in this walk-through is “image.dd.” It is a raw block-stream image file that may include JPEG pictures. JPEGs start with the header FF D8 FFxh. The volume containing image.dd is mounted in an Ubuntu system.

33 xxd -g 0 image.dd | grep ffd8ff
“xxd” reads the input named on the command line, “image.dd”, and its output is piped to grep. “xxd -g 0” removes the byte grouping and makes the output searchable by grep. grep searches the stream for the byte pattern ffd8ffxh. The stream searched will be lowercase.

34 : ffd8ffe000104a JFIF.....H
xxd passes the stream and grep returns the line number in hexadecimal, followed by the 16 bytes of hexadecimal data, followed by the ASCII interpretation of the data. The output from grep will be the offset (in hex) of the header; this is the beginning of the file.
By default xxd lists 16-byte lines with a hexadecimal line number. In this case, the line number is xh. It is not obvious, but that line number is a good sign for carving a complete file. Each sector is 512xd bytes. 512xd equals 200xh. Thus, any line number evenly divisible by 200xh is the first line of a sector. Most files start on sector boundaries, not in the middle of a sector.
The first four bytes are ffd8ffe0xh. This is one of the possible JPEG signatures. These bytes are followed by the remaining 12 bytes in hexadecimal, followed by the ASCII conversion of the data.
One other consideration is that xxd gives output in a conveniently grouped byte pattern by placing a space between each hexadecimal couplet. “xxd -g 0” removes the grouping and makes the output searchable by grep.

35 echo "ibase=16; " | bc
It is necessary to convert this line number to decimal. In Windows, open Calculator and choose scientific view; enter the number in hexadecimal and convert it to decimal. In a Linux command line, also use a calculator: bc. “bc” is the binary calculator and can convert hex to decimal (among other things). echo directs output to stdout (the terminal or a pipe). The command above tells echo to repeat the text “ibase=16; ” to bc. The argument “ibase=16” specifies the input base as 16, or hexadecimal; the number follows with no other operations. The default base for bc is 10, so the output base stays 10 (decimal). The output is the xh line number converted to decimal. When using bc, remember that hexadecimal input must be uppercase, but the default output of xxd is lowercase. This will be shown in the next example.

36 File Carving Methods
Once the header is identified, there are two ways to decide where to end the file:
Search for the footer value FF D9xh.
Select a maximum size to carve. This may not capture the whole file, and can lead to unusual results.

37 Sanity Check: Missing Footer
xxd -s <decimal address> <image.dd> | grep ffd9
In this command, there is nothing to stop xxd from dumping the entire image to grep, and grep from searching for a value that may or may not be there.

38 xxd -s 4195328 -g 0 image.dd | grep ffd9
Use the same method to search for the footer as for the header. Once the header location is known, the footer signature location must be found to locate the end of the file. Since the beginning offset is xd ( xh), this command ‘skips’ (-s) the first bytes. Line xh was the first to contain a JPEG signature, so all previous lines can be skipped. Once again, xxd and grep can locate this value. The output is as follows:
0406fc0: aee7fffd s.z

39 echo "ibase=16; 406FC0 + 9" | bc
The line number is 0406fc0xh. The first nine bytes of that line are part of the JPEG file; bytes number eight and nine are the footer signature value (FF D9xh), marking the end of the file. The trailing nulls (00xh) are file slack space. It cannot be seen from the output above, but there are actually 55 bytes of file slack space before the end of the sector and, in this case, the beginning of the next file. Those bytes could contain fragments of previous file(s) stored in that sector. In this case, they contain nulls because the media was securely deleted before use in this example.
Again, it is necessary to convert the line number to decimal, and also to add the 9 bytes found in that line. “bc” does the conversion: the argument “ibase=16” specifies the input base as 16, or hexadecimal, and the output base defaults to 10, or decimal. The line number from xxd must be converted to uppercase, or produced from xxd with the “-u” switch, because the default output of xxd is lowercase and bc requires uppercase hexadecimal digits. Since decimal and hexadecimal use the same characters for 0-9, it may be hard to tell that the additional nine bytes are added in hexadecimal.

40 echo "ibase=16; 406FC0" | bc
The line number is 0406fc0xh; this is the same conversion without the nine added bytes.

41 bc can also be used to calculate simple differences.
echo " " | bc
A final calculation, the difference between the two decimal offsets, yields the file length. This can also be accomplished with a simple calculator. Output: 27593

42 dd if=image_dd.001 of=carved.jpg skip=4195328 bs=1 count=27593
With all the file location information available, the file itself can be carved out of the image and exported to a file system. In this case, it is simply exported to the working directory containing the image, but the output can be directed to any mounted file system. There is now a new file called “carved.jpg.” It can be viewed with the xview command or with the tools of the desktop environment. To be clear, there is no difference between the carved file and the original. This can be seen by viewing the JPEG file and seeing the picture. It can also be mathematically confirmed by running an MD5 checksum of the original file and the carved file. In this case, the MD5s match, confirming that not one bit is different. dd reports: records in, records out, 27593 bytes (28 kB) copied, s, 53.5 kB/s
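The whole walk-through of slides 32-42 in one script, as an added example that is not code from the presentation: it builds a constructed image.dd with one JPEG-shaped blob at the slides' start offset 4195328, finds the header on a sector boundary, searches for the FF D9 footer with the maximum-size fallback from slide 36, performs the hex-to-decimal arithmetic the slides do with bc, computes the 55 bytes of slack, and checks the MD5 of the carved bytes against the original. The file length 27593 is the slides' dd count; the JPEG content itself is constructed filler, not the Superman image.

```python
import hashlib

SECTOR = 512
# JPEG signatures from slides 32 and 48, footer from slide 36.
JPEG_HEADERS = (b"\xff\xd8\xff\xe0", b"\xff\xd8\xff\xe1", b"\xff\xd8\xff\xfe")
JPEG_FOOTER = b"\xff\xd9"

# Numbers from the slides' walk-through: xxd/dd start offset and dd count.
HEADER_OFFSET = 4195328
FILE_LENGTH = 27593


def find_headers(image, signatures=JPEG_HEADERS, step=SECTOR):
    """Offsets of signature matches that fall on a sector boundary (slide 31)."""
    return [off for off in range(0, len(image) - 3, step) if image[off:off + 4] in signatures]


def carve_jpeg(image, start, max_size=16 * 1024 * 1024):
    """Method 1: end at the footer; method 2: fall back to a maximum size (slide 36).
    Returns (carved_bytes, footer_found)."""
    limit = min(len(image), start + max_size)
    idx = image.find(JPEG_FOOTER, start + 2, limit)
    if idx == -1:
        return bytes(image[start:limit]), False
    return bytes(image[start:idx + len(JPEG_FOOTER)]), True


def xxd_line_to_offset(line_hex, bytes_into_line=0):
    """The bc step: int() accepts lowercase hex, unlike bc, which needs uppercase."""
    return int(line_hex, 16) + bytes_into_line


def slack_after(end):
    """Bytes between the end of the carved file and the end of its last sector."""
    return (-end) % SECTOR


def make_sample_jpeg(length):
    """Constructed JPEG-shaped blob: JFIF header, filler with no 0xFF bytes, FF D9 footer."""
    header = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    filler = bytes((i * 7) % 251 for i in range(length - len(header) - len(JPEG_FOOTER)))
    return header + filler + JPEG_FOOTER


def build_image():
    """Constructed image.dd: zeros, one JPEG at HEADER_OFFSET, then more zeros."""
    image = bytearray(HEADER_OFFSET + FILE_LENGTH + 4 * SECTOR)
    image[HEADER_OFFSET:HEADER_OFFSET + FILE_LENGTH] = make_sample_jpeg(FILE_LENGTH)
    return image


def walk_through():
    """Reproduce each step of slides 33-42 and return the intermediate values."""
    image = build_image()
    original = bytes(image[HEADER_OFFSET:HEADER_OFFSET + FILE_LENGTH])
    start = find_headers(image)[0]
    carved, found = carve_jpeg(image, start)
    end = start + len(carved)
    footer_line = (end - len(JPEG_FOOTER)) & ~0xF     # the 16-byte xxd line holding FF D9
    return {
        "header_line_hex": f"{start:07x}",            # what grep prints before the colon
        "start": start,
        "sector_aligned": start % SECTOR == 0,
        "footer_line_hex": f"{footer_line:07x}",
        "bytes_into_footer_line": end - footer_line,   # the "+ 9" handed to bc
        "end": xxd_line_to_offset(f"{footer_line:x}", end - footer_line),
        "length": len(carved),                         # the dd count
        "footer_found": found,
        "slack": slack_after(end),
        "md5_match": hashlib.md5(carved).hexdigest() == hashlib.md5(original).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key:>24}: {value}")
```

The footer search starts at start + 2 so the header's own FF D8 cannot be mistaken for a footer, and the search stops at the maximum size, which is what keeps a missing footer from dragging the rest of the image into the carve (the sanity check of slide 37).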

43 What are the limits of automated file carving?

44 The integrity of the data on the disk has two threats.
The MFT entry will be reused and all the metadata (including location on the disk) will be lost.
The data on the disk will be overwritten and the data itself will be lost.

45 File System Objects
There is no precise term or definition to deal with data/metadata combinations (i.e. files or folders) that have been partially lost. In the absence of better terms: “File System Object” and “Data Run(s)”. Carved data runs are not “file system” objects. Their only representation in the file system is unallocated space.

46 If all the metadata is still present in the MFT record and the data is still on the disk, it is simple file recovery.

47 Without the data run locations from $DATA_attribute, you must search for known signatures in free space and hope to get a file.

48 Also FF D8 FF E1 and FF D8 FF FE

49 How can we use corrupted files in a forensic setting?

50 Brains
User-created elements such as text are very important in matching unknown files or fragments. Reading fragments of HTML, XML, TXT, or the text portions of MS Word, PDF, etc. can help identify file fragments turned up by keyword searches.

51 Less Brains Searching for unique hex patterns in a large data set can be time intensive and inconclusive without some way to connect that relatively small pattern to a file of probative value.

52 Known Samples By using a known sample, we can create sector hashes and use hash matching to identify fragments of certain files. Files with repeated structural elements must be assessed with caution.


54 File Extractor Pro FE Pro creates a list of sectors that match the sectors of the questioned file. These were collected solely from unallocated space.

55 Sample Data In this contrived example, the file was copied three times (note the sequence numbers appended). They were deleted. The fragmented file was actually overwritten with a hex editor, as were portions of the other two. In the end, a complete copy of all of the original sectors was available from three separate locations.

56 Matching Data Runs Even data from file slack can be matched into the picture from partially overwritten sectors. Intact sectors within file slack will be matched by FE Pro.

57 Missing Header A missing header means no traditional carving.

58 Fragmented Data Without the $Data_attribute from the MFT, fragmented sectors cannot normally be collected and restored.
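Sector hashing as described in slides 52-58, as an added example rather than File Extractor Pro's code: it hashes each sector of a known sample, scans a constructed "unallocated space" image containing three partially overwritten deleted copies, matches the partial last sector by prefix (the case of a fragment sitting inside file slack), flags a sector that repeats inside the known file as ambiguous (the caution on slide 52), and reassembles the file from whichever copy still holds each sector. No header is needed and the fragments need not be contiguous, which is exactly where carving by signature stops working.

```python
import hashlib

SECTOR = 512


def pattern(n, seed):
    """Constructed filler: varied bytes so sectors are not trivially repetitive."""
    return bytes(((i * 7) + seed) % 251 for i in range(n))


def build_known():
    """Constructed known sample: 10 full sectors plus a 100-byte tail; sector 7 repeats sector 2."""
    sectors = [pattern(SECTOR, s * 13) for s in range(10)]
    sectors[7] = sectors[2]
    return b"".join(sectors) + pattern(100, 99)


def index_known(known, sector=SECTOR):
    """Hash every full sector of the known file. Returns hash -> [sector indices], the
    partial tail, and the count of full sectors. A hash that maps to more than one
    index is a repeated structural element."""
    full = len(known) // sector
    by_hash = {}
    for i in range(full):
        h = hashlib.md5(known[i * sector:(i + 1) * sector]).hexdigest()
        by_hash.setdefault(h, []).append(i)
    return by_hash, known[full * sector:], full


def match_sectors(image, known, sector=SECTOR):
    """Scan an image sector by sector; report where each known sector was seen.
    The tail is matched by prefix, which is how a fragment inside file slack is found."""
    by_hash, tail, full = index_known(known, sector)
    hits, ambiguous = {}, set()
    for off in range(0, len(image) - sector + 1, sector):
        blk = image[off:off + sector]
        idxs = by_hash.get(hashlib.md5(blk).hexdigest())
        if idxs:
            if len(idxs) > 1:
                ambiguous.update(idxs)
            for i in idxs:
                hits.setdefault(i, []).append(off)
        elif tail and blk[:len(tail)] == tail:
            hits.setdefault(full, []).append(off)
    return hits, ambiguous, full, tail


def reconstruct(image, known, sector=SECTOR):
    """Rebuild the file from matched sectors, possibly drawn from several deleted copies.
    Returns (bytes or None, missing sector indices, ambiguous sector indices)."""
    hits, ambiguous, full, tail = match_sectors(image, known, sector)
    wanted = full + (1 if tail else 0)
    missing = [i for i in range(wanted) if i not in hits]
    if missing:
        return None, missing, ambiguous
    out = b"".join(image[hits[i][0]:hits[i][0] + sector] for i in range(full))
    if tail:
        out += image[hits[full][0]:hits[full][0] + len(tail)]
    return bytes(out), missing, ambiguous


def build_image(known, sector=SECTOR):
    """Constructed unallocated space in the spirit of slide 55: three deleted copies,
    each partially overwritten, that together still cover every sector."""
    img = bytearray(sector * 64)
    img[4 * sector:4 * sector + len(known)] = known          # copy 1 at sector 4
    img[7 * sector:10 * sector] = b"A" * (3 * sector)       # its sectors 3-5 overwritten
    img[20 * sector:20 * sector + len(known)] = known        # copy 2 at sector 20
    img[20 * sector:23 * sector] = b"B" * (3 * sector)      # its sectors 0-2 overwritten
    for n, k in enumerate((3, 4, 5)):                        # copy 3: only scattered fragments
        img[(40 + 2 * n) * sector:(41 + 2 * n) * sector] = known[k * sector:(k + 1) * sector]
    return bytes(img)


if __name__ == "__main__":
    known = build_known()
    rebuilt, missing, ambiguous = reconstruct(build_image(known), known)
    print(rebuilt == known, missing, sorted(ambiguous))
```

The ambiguous set is the practical caveat: when two sectors of the known file are identical, a hit in the image proves that the content was present but not which of the two positions it came from, so provenance claims about that fragment need other support.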


60 Completely Overwritten
If the data on the disk has been overwritten, but the data in the MFT is intact, you can obtain all the metadata, but not the contents of the file (unless it is MFT resident).

61 Completely Overwritten
If the data on the disk has been overwritten, and the data in the MFT is also overwritten…what makes you think the file ever existed there? .lnk files Paths retained elsewhere You are out of luck.

62 How can we deal with secure deletion?

63 Detection
The presence of file hashes from secure deletion software is a primary indication.
The presence of the binaries and shortcuts etc., if still installed, is a primary indication.
Search for “Gutmann” or “DoD M”.
Search for sequential sectors overwritten with a pattern (usually 00) in the middle of data.
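The last two indicators in that list, as an added example that is not from the presentation: it reports runs of single-pattern sectors that sit between ordinary data (leading or trailing blank space is not reported, because never-used space looks the same) and searches for wiper-related strings in both ASCII and UTF-16. The image it scans is constructed in the block; the "DoD" needle stands in for the truncated “DoD M” on the slide, and the run length threshold is an assumption to tune per case.

```python
SECTOR = 512


def pattern(n, seed=0):
    """Constructed filler representing ordinary file data."""
    return bytes(((i * 7) + seed) % 251 for i in range(n))


def repeated_byte(blk):
    """Return the byte value if the whole sector is one repeated byte, else None."""
    return blk[0] if blk == bytes([blk[0]]) * len(blk) else None


def find_wiped_runs(image, min_run=4, sector=SECTOR):
    """Runs of at least min_run consecutive single-pattern sectors with ordinary data on
    both sides. Each run is reported as start sector, length and the pattern byte."""
    kinds = [repeated_byte(image[o:o + sector]) for o in range(0, len(image) - sector + 1, sector)]
    runs, i = [], 0
    while i < len(kinds):
        if kinds[i] is None:
            i += 1
            continue
        j = i
        while j < len(kinds) and kinds[j] == kinds[i]:
            j += 1
        bounded = i > 0 and j < len(kinds) and kinds[i - 1] is None and kinds[j] is None
        if j - i >= min_run and bounded:
            runs.append({"start_sector": i, "sectors": j - i, "pattern": kinds[i]})
        i = j
    return runs


def find_tool_strings(image, needles=("Gutmann", "DoD")):
    """Look for wiper names as ASCII and UTF-16LE strings; returns (needle, offset, encoding)."""
    found = []
    for needle in needles:
        for enc, blob in (("ascii", needle.encode("ascii")), ("utf-16-le", needle.encode("utf-16-le"))):
            pos = image.find(blob)
            while pos != -1:
                found.append((needle, pos, enc))
                pos = image.find(blob, pos + 1)
    return found


def build_image(sector=SECTOR):
    """Constructed image: data, 8 zeroed sectors in the middle, data carrying a UTF-16
    'Gutmann', a 2-sector gap too short to report, more data, then trailing unused zeros."""
    img = bytearray()
    img += pattern(10 * sector, 1)
    img += bytes(8 * sector)
    data = bytearray(pattern(10 * sector, 2))
    tag = "Gutmann".encode("utf-16-le")
    data[100:100 + len(tag)] = tag
    img += data
    img += bytes(2 * sector)
    img += pattern(5 * sector, 3)
    img += bytes(6 * sector)
    return bytes(img)


if __name__ == "__main__":
    image = build_image()
    print(find_wiped_runs(image))
    print(find_tool_strings(image))
```

A reported run is a lead, not a finding: a zeroed region inside otherwise busy space can also be a sparse file or a freshly formatted partition, so the next step is to tie the run to MFT records or $LogFile activity around the same clusters.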

64 Detection
Recall that the data used in forensic examination has two components: the file system object and the data run(s). Secure deletion software must eliminate the MFT records on an NTFS system to avoid leaving the file system metadata. The MFT never shrinks*. MFT “defragmentation” software can only replace an offline MFT with a redacted copy.

65 Detection

66 [Hex dump graphic: an MFT record beginning with the FILE signature, whose ASCII column shows “m s v c i r t” and “d l l” and whose timestamp bytes decode to Tue, 01 January :01:01 UTC.]


68 D. Kall Loper, Ph.D. www.loperforensic.com info@loperforensic.com

