CyberSecurity Institute logo, security training page
Created: Dec 4, 2004
Updated: Sept 1, 2005
Author: Steve Hailey

Note: An INFO2 File Structure Example is available for download. This can be used as a "quick reference" when dealing with INFO2 files. More examples and additional information will be posted at a later date. Acrobat 6.0 or later is required.

The default Recycle Bin configuration for a Windows computer is to move deleted files to a folder named \Recycler\%SID%\, where %SID% is the SID (Security Identifier) of the currently logged on user. Every user on the system will have such a directory created the first time that the Recycle Bin is used. Also, each user will have a hidden file called INFO2 created the first time the Recycle Bin is used - its purpose is to keep track of each deleted file's or folder's original location, as well as its file size and deletion time. This makes it possible to relate deleted files with specific users.

If the user has configured the Recycle Bin to remove files immediately when they are deleted, or if the user holds down the SHIFT key while pressing the DEL key, the deleted files are not moved to the Recycle Bin. The same holds for files deleted by the operating system or from a command prompt, a floppy drive, a USB thumb drive, a network drive, or a compressed folder. It can be said that any files or folders that were deleted and sent to the Recycle Bin were most likely the result of a user-initiated action.

When the Recycle Bin is emptied, the INFO2 file is "deleted" for the logged on user along with the file(s) / folder(s) it referenced. These "deleted" INFO2 files can be recovered by conducting a search for the INFO2 file header. Please see the INFO2 File Structure Example.

Deleted File/Folder Naming Convention

When a file is sent to the Recycle Bin, the file is renamed using the following convention:

D%DriveLetter%_%IndexNumber%_%FileExtension%

The underscores above only separate the three placeholders and do not appear in the actual name; the drive letter and index number are written together, followed by a dot and the extension (for example Dc1.doc, as in the examples below).

D%DriveLetter%:

The "D" stands for Drive. %DriveLetter% is the drive that the file resided on. It is often overlooked that each drive will have its own Recycler directory and INFO2 file for each user that has deleted files from the drive. The INFO2 files for Drive C: will only have entries related to Drive C:, the INFO2 files for Drive D: will only have entries related to Drive D:, and so forth.

%IndexNumber%:
This number is assigned to each file or folder that is sent to the Recycle Bin, and can be used to tell the order of deletion. The highest number was the last file deleted. When the Recycle Bin is emptied and the system is restarted, the index numbering starts over. A recovered INFO2 file whose index numbers start at a number higher than 1 indicates that the user emptied the Recycle Bin previously during the same session.

%FileExtension%:
This will be the original file extension of the file. If a folder is deleted, there will be no extension.

Examples

1. A file named Steve.doc is deleted from the C: drive and is sent to the Recycle Bin. It is the first item deleted for the particular user session. The file will be named Dc1.doc. The entry for this file will be found in the C:\Recycler\%SID%\INFO2 file for the user who deleted the item from the C: drive.

2. A file named hacker.txt is deleted from the C: drive and is sent to the Recycle Bin. It is the second item deleted for the particular user session. The file will be named Dc2.txt. The entry for this file will be found in the C:\Recycler\%SID%\INFO2 file for the user who deleted the item from the C: drive.

3. A file named cardnumbers.xls is deleted from the D: drive and is sent to the Recycle Bin. It is the third item deleted for the particular user session, but the first item deleted from drive D:. The file will be named Dd1.xls. The entry for this file will be found in the D:\Recycler\%SID%\INFO2 file for the user who deleted the item from the D: drive.

4. A folder named Personal is deleted from the C: drive and is sent to the Recycle Bin. It is the fourth item deleted for the particular user session, but the third item deleted from drive C:. The folder will be named Dc3. The entry for this folder will be found in the C:\Recycler\%SID%\INFO2 file for the user who deleted the item from the C: drive.
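As an added illustration (my code, not part of the original article), the following Python models the naming convention and the four examples above. It assigns names the way the examples do, with a separate index counter per drive letter, parses recovered Recycler names back into drive, index and extension, and applies the index-number reasoning from the previous section: the highest index on a drive is the latest deletion, and a lowest index above 1 points to the bin having been emptied earlier in the same session. The class and function names are my own.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Matches the convention described above: "D", the drive letter, the index
# number, and (for files only) a dot plus the original extension.
# Examples from the text: Dc1.doc, Dc2.txt, Dd1.xls, Dc3 (a folder).
_NAME_RE = re.compile(r"^D(?P<drive>[A-Za-z])(?P<index>\d+)(?:\.(?P<ext>[^.]+))?$")


class RecycledItem(NamedTuple):
    name: str                 # name as found under \Recycler\%SID%\
    drive: str                # upper-case letter of the drive the item came from
    index: int                # deletion index on that drive (higher = deleted later)
    extension: Optional[str]  # None when the item was a folder


def parse_recycled_name(name: str) -> RecycledItem:
    """Split a Recycler entry such as 'Dc1.doc' or 'Dc3' into its parts."""
    m = _NAME_RE.match(name)
    if m is None:
        raise ValueError(f"{name!r} does not follow the D<drive><index>[.<ext>] convention")
    return RecycledItem(name, m["drive"].upper(), int(m["index"]), m["ext"])


class RecycleBinSession:
    """Hypothetical model that assigns names the way the four worked examples
    do: one index counter per drive letter, each starting at 1 for the session."""

    def __init__(self) -> None:
        self._next_index: Dict[str, int] = defaultdict(lambda: 1)

    def delete(self, original_path: str, is_folder: bool = False) -> str:
        if len(original_path) < 2 or original_path[1] != ":":
            raise ValueError("expected a drive-qualified path such as C:\\Docs\\Steve.doc")
        drive = original_path[0].lower()
        index = self._next_index[drive]
        self._next_index[drive] = index + 1
        basename = original_path.rsplit("\\", 1)[-1]
        # Folders keep no extension; files keep whatever follows the last dot.
        ext = None if is_folder or "." not in basename else basename.rsplit(".", 1)[1]
        return f"D{drive}{index}" + (f".{ext}" if ext else "")


def deletion_order(names: List[str]) -> Dict[str, List[str]]:
    """Group recovered Recycler names by drive, earliest deletion first."""
    by_drive: Dict[str, List[RecycledItem]] = defaultdict(list)
    for n in names:
        item = parse_recycled_name(n)
        by_drive[item.drive].append(item)
    return {d: [i.name for i in sorted(items, key=lambda i: i.index)]
            for d, items in by_drive.items()}


def emptied_earlier_in_session(names: List[str], drive: str) -> bool:
    """True when the lowest index seen for the drive is above 1, which the text
    reads as the Recycle Bin having been emptied earlier in the same session."""
    indexes = [i.index for i in map(parse_recycled_name, names) if i.drive == drive.upper()]
    return bool(indexes) and min(indexes) > 1


if __name__ == "__main__":
    session = RecycleBinSession()
    for path, folder in [("C:\\Docs\\Steve.doc", False), ("C:\\Docs\\hacker.txt", False),
                         ("D:\\Data\\cardnumbers.xls", False), ("C:\\Docs\\Personal", True)]:
        print(path, "->", session.delete(path, is_folder=folder))
    print(deletion_order(["Dc3", "Dd1.xls", "Dc1.doc", "Dc2.txt"]))
```

Running the script reproduces the four names from the examples (Dc1.doc, Dc2.txt, Dd1.xls, Dc3). Note that deletion_order only orders items within one drive; the text gives no way to interleave C: and D: deletions from the names alone, and for that the deletion times in INFO2 are needed.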

INFO2 Structure

Please download the INFO2 File Structure Example. This can be used as a "quick reference" when dealing with INFO2 files. More examples and additional information will be posted at a later date. Acrobat 6.0 or later is required.
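The record layout itself is only in the downloadable PDF, so as an added example (my code, not the Institute's, and not based on that PDF) here is a parser for the Windows 2000/XP INFO2 layout as it is generally documented: a 20-byte header with the version DWORD 5 at offset 0 and the 800-byte record size at offset 12, followed by fixed-size records holding the ANSI original path, the index number, the drive number, the FILETIME deletion time, the physical size and a Unicode copy of the path. Those offsets come from my knowledge of the format rather than from this page, the sample INFO2 file is constructed inline so the example runs offline, and the function names are my own. The header-signature scan at the end is the kind of search that recovering an emptied INFO2 file, as described earlier, depends on.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Sequence, Tuple

# Windows 2000/XP INFO2 layout, stated from the generally documented format
# (not from this page): 20-byte header with version DWORD 5 at +0 and record
# size DWORD 0x320 (800) at +12, then 800-byte records:
#   +0   260 bytes  original path, ANSI, NUL padded
#   +260 DWORD      index number (the %IndexNumber% in Dc<n>.<ext>)
#   +264 DWORD      drive number (0 = A:, 1 = B:, 2 = C:, ...)
#   +268 QWORD      deletion time as FILETIME (100 ns ticks since 1601-01-01 UTC)
#   +276 DWORD      physical file size in bytes
#   +280 520 bytes  original path, UTF-16LE, NUL padded
HEADER_LEN = 20
RECORD_LEN = 800
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


class Info2Record(NamedTuple):
    index: int             # %IndexNumber% used in the on-disk name
    drive: str             # drive letter derived from the drive number
    original_path: str     # where the item lived before deletion
    deleted_at: datetime   # UTC, converted from the FILETIME field
    size: int              # physical size in bytes
    recycler_name: str     # name the item should carry under \Recycler\%SID%\


def filetime_to_datetime(ft: int) -> datetime:
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_info2(data: bytes) -> List[Info2Record]:
    """Decode every complete record of an INFO2 file into Info2Record tuples."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short to hold an INFO2 header")
    version = struct.unpack_from("<I", data, 0)[0]
    record_len = struct.unpack_from("<I", data, 12)[0]
    if version != 5 or record_len != RECORD_LEN:
        raise ValueError(f"unexpected header: version={version} record_len={record_len}")
    records = []
    for off in range(HEADER_LEN, len(data) - RECORD_LEN + 1, RECORD_LEN):
        rec = data[off:off + RECORD_LEN]
        index, drive_no, filetime, size = struct.unpack_from("<IIQI", rec, 260)
        # Use the Unicode copy of the path: the ANSI copy at +0 is commonly
        # reported to have its first byte zeroed once an entry is individually
        # restored or removed from the bin, which truncates it.
        path = rec[280:RECORD_LEN].decode("utf-16-le").split("\x00", 1)[0]
        drive = chr(ord("A") + drive_no)
        # Rebuild the D<drive><index>[.<ext>] name; a folder without a dot in
        # its name gets no extension, matching example 4 above.
        parts = path.rsplit("\\", 1)[-1].rsplit(".", 1)
        name = f"D{drive.lower()}{index}" + (f".{parts[1]}" if len(parts) == 2 else "")
        records.append(Info2Record(index, drive, path, filetime_to_datetime(filetime), size, name))
    return records


def build_info2(entries: Sequence[Tuple[str, int, datetime, int]]) -> bytes:
    """Constructed sample builder: (path, index, deletion time, size) -> INFO2 bytes."""
    header = struct.pack("<IIIII", 5, 0, 0, RECORD_LEN, 0)
    body = b""
    for path, index, when, size in entries:
        drive_no = ord(path[0].upper()) - ord("A")
        ansi = path.encode("ascii").ljust(260, b"\x00")
        unicode_path = path.encode("utf-16-le").ljust(520, b"\x00")
        body += ansi + struct.pack("<IIQI", index, drive_no, datetime_to_filetime(when), size) + unicode_path
    return header + body


def find_info2_headers(blob: bytes) -> List[int]:
    """Offsets in raw data where an XP INFO2 header signature appears: version 5
    at +0 and record size 0x320 at +12. This is what a header search looks for."""
    sig, hits, pos = b"\x05\x00\x00\x00", [], 0
    while (pos := blob.find(sig, pos)) != -1:
        if blob[pos + 12:pos + 16] == b"\x20\x03\x00\x00":
            hits.append(pos)
        pos += 1
    return hits


# Constructed sample: one user's C: INFO2 holding the three C: items from the examples.
SAMPLE_ENTRIES = [
    ("C:\\Documents\\Steve.doc", 1, datetime(2005, 9, 1, 12, 0, tzinfo=timezone.utc), 24576),
    ("C:\\Documents\\hacker.txt", 2, datetime(2005, 9, 1, 12, 5, tzinfo=timezone.utc), 1024),
    ("C:\\Documents\\Personal", 3, datetime(2005, 9, 1, 12, 9, tzinfo=timezone.utc), 0),
]

if __name__ == "__main__":
    for r in parse_info2(build_info2(SAMPLE_ENTRIES)):
        print(r.recycler_name, r.original_path, r.deleted_at.isoformat(), r.size)
```

Because the records are fixed size, a partially overwritten INFO2 still yields the records that survive in full; the parser simply stops at the last complete record. The scan function accepts any byte string, so the same check can be run over unallocated space carved from an image to locate the headers of emptied INFO2 files.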

Copyright © 1999-2005 SP Hailey Enterprises all rights reserved. Reproduction in whole or in part in any form or medium without the expressed written permission of SP Hailey Enterprises is prohibited. CyberSecurity Institute™, CyberSecurity Institute Certified Instructor (CSICI)™, CyberSecurity Forensic Analyst (CSFA)™, Computer Forensics Core Competencies™are trademarks used by SP Hailey Enterprises.