
Lesson 3 The Recycle Bin

[Hex dump figure: INFO2 file bytes, shown in the original as a hex-editor view; the hex columns are spilled one byte per line in the extracted text and their order is not recoverable.]
INFO2 RECYCLE BIN FILE STRUCTURE EXAMPLE #2


OPERATING SYSTEM: WINDOWS XP - Build 2600.xpxp_sp2_gdr.050301-1510

[Hex dump figure: INFO2 file bytes for example #2; the hex columns are spilled one byte per line in the extracted text and are not recoverable. The ASCII column of the same view follows.]
............ ...
....C:\Documents
and Settings\sh
ailey\Desktop\Ro
lling Your Own C
redit Cards.doc.
................
................
................
................
................
................
................
................
................
................
................
................
.UE....C.:.
\.D.o.c.u.m.e.n.
t.s. .a.n.d. .S.
e.t.t.i.n.g.s.\.
s.h.a.i.l.e.y.\.
D.e.s.k.t.o.p.\.
R.o.l.l.i.n.g. .
Y.o.u.r. .O.w.n.
.C.r.e.d.i.t. .
C.a.r.d.s...d.o.
c...............
................
................
................
................
................
................
................
................
................
................
................
................
................
................
................
................
................
................
................
................
................
................
....C:\Documents

BYTE / VALUE LOCATIONS ON A PER-RECORD BASIS

Byte 5 / Offset 4h: Variable-size deleted file original location and name.
Bytes 265-268 / Offsets 280h-283h: Record number.
Bytes 269-272 / Offsets 284h-287h: Drive designator.
Bytes 273-280 / Offsets 288h-295h: File Deleted Time.
Bytes 281-284 / Offsets 296h-299h: Deleted file physical size.

Bytes 1-16 / Offsets 0h-Fh:
Desc: Recognizable File Header.
Comments: Bytes 13-14 are also the record size (2003h). Read in Little Endian
Format this is 0320h = 800 decimal, the size of each INFO2 record.
Remember: 2003h = 0320h = 800d.
________________________________
Bytes 17-816 / Offsets 10h-32Fh:
Desc: First record.
Comments: Records start 4 bytes to the left of the ASCII drive, path, and
file name information. Each record is formatted as this example, with both
ASCII and UNICODE representations of the deleted file or folder's original
location information within each record.
________________________________
Bytes 265-268 / Offsets 280h-283h
Desc: Record number.
Comments: Location is calculated from beginning of record, not beginning of
INFO2 file.
________________________________
Bytes 269-272 / Offsets 284h-287h
Desc: Drive designator. 02=C:, 03=D:, 04=E:, etc.
Comments: Location is calculated from beginning of record, not beginning of
INFO2 file.
________________________________
Bytes 273-280 / Offsets 288h-295h
Desc: File Deleted Time.
Comments: FILETIME format. YOU MUST ACCOUNT FOR GMT/UTC OFFSET BASED ON THIS
VALUE. Location is calculated from beginning of record, not beginning of
INFO2 file.
________________________________
Bytes 281-284 / Offsets 296h-299h
Desc: Deleted file physical size.
Comments: Will be in increments of the cluster size. Location is calculated
from beginning of record, not beginning of INFO2 file.
________________________________
Beginning of Next Record
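As an added, stand-alone example (not code from the lesson or its author): a Python parser that applies the per-record layout above to an INFO2 file and returns the record number, drive letter, deletion time (kept as UTC, with the local-zone conversion done explicitly, as the FILETIME note requires) and physical size for each record. The 0-based offsets are derived from the 1-based "Bytes" numbers in the table, counted from the record start the lesson defines (4 bytes before the ASCII path). The following are assumptions not stated on this page: the ASCII path occupies 260 bytes in a single-byte ANSI code page, the UTF-16 copy of the path begins right after the size field (as the ASCII column of the dump suggests), the header's first field is XP's version value 5, and the recycled file is named D<drive letter><record number><ext>. The INFO2 bytes are constructed inline, with the first record mirroring the path visible in the dump.

```python
"""Parse Windows XP INFO2 recycle-bin records using the lesson's per-record layout."""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 800        # 320h; stored little-endian in header bytes 13-14 as "20 03"
HEADER_SIZE = 16         # lesson convention: the first record begins at file offset 10h
ASCII_PATH_OFF = 4       # records start 4 bytes to the left of the ASCII drive/path/name
ASCII_PATH_LEN = 260     # assumption: one MAX_PATH-sized buffer, offsets 4..263
RECNUM_OFF = 264         # lesson bytes 265-268 (1-based) -> 0-based 264..267
DRIVE_OFF = 268          # lesson bytes 269-272
FILETIME_OFF = 272       # lesson bytes 273-280
SIZE_OFF = 280           # lesson bytes 281-284
UNICODE_PATH_OFF = 284   # assumption: UTF-16 copy of the path follows the size field

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC. The result is tz-aware UTC;
    call .astimezone(<zone>) on it when reporting in the examined machine's local time."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to construct sample records."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def drive_letter(designator):
    """Lesson: 02=C:, 03=D:, 04=E:, so the designator is zero-based from A:."""
    return chr(ord("A") + designator) + ":"


def header_record_size(data):
    """Bytes 13-14 (0-based 12-13) hold the record size little-endian: 20 03 -> 0320h -> 800."""
    return struct.unpack_from("<H", data, 12)[0]


def parse_record(rec):
    if len(rec) != RECORD_SIZE:
        raise ValueError("INFO2 records are exactly %d bytes" % RECORD_SIZE)
    raw_ascii = rec[ASCII_PATH_OFF:ASCII_PATH_OFF + ASCII_PATH_LEN]
    ascii_path = raw_ascii.split(b"\x00", 1)[0].decode("latin-1")  # assumption: single-byte code page
    # Record number, drive designator, FILETIME and size are contiguous at 264..283.
    recnum, drive, ft, size = struct.unpack_from("<IIQI", rec, RECNUM_OFF)
    wide = rec[UNICODE_PATH_OFF:].decode("utf-16-le", errors="replace")
    unicode_path = wide.split("\x00", 1)[0]
    letter = drive_letter(drive)
    name = unicode_path.rsplit("\\", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    return {
        "record_number": recnum,
        "drive": letter,
        "deleted_utc": filetime_to_datetime(ft),
        "size": size,                                   # physical size: whole clusters
        "ascii_path": ascii_path,
        "unicode_path": unicode_path,
        "bin_name": "D%s%d%s" % (letter[0].lower(), recnum, ext),  # assumption: XP's Dc1.doc naming
    }


def parse_info2(data):
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated INFO2 header")
    if header_record_size(data) != RECORD_SIZE:
        raise ValueError("unexpected record size in header: %d" % header_record_size(data))
    # Walk whole records only; a trailing partial record is ignored rather than misparsed.
    return [parse_record(data[off:off + RECORD_SIZE])
            for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE)]


def build_record(path, recnum, drive, deleted_utc, size):
    """Construct one record in the layout above (sample data only)."""
    rec = bytearray(RECORD_SIZE)
    rec[ASCII_PATH_OFF:ASCII_PATH_OFF + len(path)] = path.encode("latin-1")
    struct.pack_into("<IIQI", rec, RECNUM_OFF, recnum, drive, datetime_to_filetime(deleted_utc), size)
    wide = path.encode("utf-16-le")
    rec[UNICODE_PATH_OFF:UNICODE_PATH_OFF + len(wide)] = wide
    return bytes(rec)


def build_info2(records):
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, 5)             # assumption: XP INFO2 version field
    struct.pack_into("<I", header, 12, RECORD_SIZE)  # bytes 13-16: 20 03 00 00
    return bytes(header) + b"".join(records)


# Constructed sample: two records, the first mirroring the path shown in the lesson's dump.
SAMPLE_INFO2 = build_info2([
    build_record(r"C:\Documents and Settings\shailey\Desktop\Rolling Your Own Credit Cards.doc",
                 1, 2, datetime(2005, 3, 1, 15, 10, tzinfo=timezone.utc), 20480),
    build_record(r"D:\data\notes.txt",
                 2, 3, datetime(2005, 3, 2, 8, 0, tzinfo=timezone.utc), 4096),
])

if __name__ == "__main__":
    local = timezone(timedelta(hours=-8))  # example local zone; the stored value itself is UTC
    for r in parse_info2(SAMPLE_INFO2):
        print("%-8s %s  local %s  %6d  %s" % (r["bin_name"], r["deleted_utc"].isoformat(),
              r["deleted_utc"].astimezone(local).isoformat(), r["size"], r["unicode_path"]))
```

The parser validates the record size in the header before walking records, reads the four fixed fields with one little-endian unpack, and never adjusts the FILETIME itself: the UTC value is what the file stores, and the zone shift is applied only at reporting time so the offset used is visible in the output.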

_______________________________________________________________________________________
Computer Forensics Core Competencies

3-12
Copyright Steve Hailey
Licensed to CyberSecurity Institute
