
$RECYCLE.BIN file list   [General]

By: Liviu       
Date: May 13, 2014 at 04:38
In Response to: $RECYCLE.BIN file list (Martijn Coppoolse)

> On my Windows 7 machine at least, each deleted file seems to be
> represented by TWO different 8.3+-character files in $RECYCLE.BIN:
> - one called something like $I0URWQI.jpg (544 bytes large),
> - and one called something like $R0URWQI.jpg.
> [...]
> The $R file appears to be the actual deleted file, including its
> attributes, date and times.

Good to know, thanks. Doesn't seem to be officially documented, but according to http://dereknewton.com/2010/06/recycle-bin-forensics-in-windows-7-and-vista/ the $I file format would be:

In order to decode a $I file, you could use a forensic tool that has the ability to interpret these files (I believe that EnCase and FTK can do this), or you can simply open the file up in a hex editor. The file is structured as follows:
• Bytes 0-7: $I File header – always set to 01 followed by seven sets of 00.
• Bytes 8-15: Original file size – stored in hex, in little-endian.
• Bytes 16-23: Deleted date/time stamp – represented in number of seconds since Midnight, January 1, 1601. Use a program such as Decode to assist with figuring out the exact date/time, if you don’t want to do the math :).
• Bytes 24-543: Original file path/name.


Cheers,
Liviu

1,207 views      
Thread locked
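
The layout quoted above, as an added example that is not part of the original post or of the linked article: a Python decoder for a 544-byte $I record. It assumes the path is NUL-terminated UTF-16LE and reads bytes 16-23 as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC); `parse_i_file` and `build_sample` are hypothetical names, and the sample record is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_V1 = b"\x01" + b"\x00" * 7   # bytes 0-7 as listed in the post
RECORD_SIZE = 544                    # $I file size noted in the thread
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_i_file(data: bytes) -> dict:
    """Decode one $I record laid out as in the post (Vista / Windows 7)."""
    if len(data) != RECORD_SIZE:
        raise ValueError(f"expected {RECORD_SIZE} bytes, got {len(data)}")
    if data[:8] != HEADER_V1:
        raise ValueError(f"unexpected header {data[:8].hex()}")
    # Bytes 8-15 and 16-23: two little-endian unsigned 64-bit integers.
    size, ticks = struct.unpack_from("<QQ", data, 8)
    # Assumption: ticks are 100 ns FILETIME units, so ticks // 10 is microseconds.
    deleted = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    # Bytes 24-543: path, assumed UTF-16LE, NUL-terminated and NUL-padded.
    raw = data[24:RECORD_SIZE]
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"original_size": size, "deleted_utc": deleted, "original_path": path}


def build_sample(path: str, size: int, deleted: datetime) -> bytes:
    """Construct a synthetic $I record for the demo (not a real artifact)."""
    ticks = int((deleted - FILETIME_EPOCH).total_seconds()) * 10_000_000
    body = path.encode("utf-16-le").ljust(520, b"\x00")
    return HEADER_V1 + struct.pack("<QQ", size, ticks) + body


if __name__ == "__main__":
    when = datetime(2014, 5, 13, 4, 38, tzinfo=timezone.utc)
    sample = build_sample(r"C:\Users\demo\Pictures\holiday.jpg", 123456, when)
    for key, value in parse_i_file(sample).items():
        print(f"{key}: {value}")
```

To decode a real record, pass the bytes of a $I file to `parse_i_file`; anything that is not 544 bytes or does not start with the header above is rejected instead of being guessed at.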
 
