Week 5 - Anti-Forensics Technique-2

Lab 5: Recycle Bin Forensics

Objective

Investigate deleted files in the Recycle Bin using Windows Command Prompt (CMD) tools. You'll create files using the GUI, delete them, and then examine the Recycle Bin's contents to explore the forensic implications of file deletion.

Lab Requirements

  • Windows Machine (Windows 10 or later)
  • Command Prompt (CMD) access (built-in to Windows)

Step 1: Creating Files Using GUI

Create a Test Folder

  1. On your Desktop, create a folder named TestFolder.
  2. Right-click on your Desktop, select New > Folder, and name it TestFolder.

Create Test Files

  1. Inside TestFolder, create the following files:
    • Test Text File: Right-click inside the folder, select New > Text Document, and name it testfile.txt. Open the file and add the text "This is a test text file," then save and close it.
    • Test Image File: Right-click inside the folder, select New > Text Document, and name it testimage.jpg. Simply add some random text to the file and save it. (You can rename it to have the .jpg extension, but it's still just a text file for this example.)

Step 2: Deleting Files

Delete the Files

  1. After creating the test files, delete them by selecting the files, right-clicking, and choosing Delete.
  2. The files will now be moved to the Recycle Bin.

Step 3: Accessing and Investigating the Recycle Bin

  1. Open Command Prompt (cmd).
  2. Navigate to the hidden system folder $Recycle.Bin by typing:
    cd C:\$Recycle.Bin

List Files in the Recycle Bin

  1. To list all files in the Recycle Bin, use the following command:
    dir /a
  2. This will display the files in the Recycle Bin. The files are renamed to $R followed by a random string (e.g., $R12345.txt).

Step 4: Viewing File Metadata

Check File Metadata

  1. To view metadata (e.g., file size, creation date, modified date) for a file in the Recycle Bin, use the following command:
    dir $R12345.txt

Inspect Multiple Files

  1. You can inspect multiple files by changing the filename ($R12345.txt) in the dir command.
  2. If you want to see metadata for several files, use:
    dir *.jpg
  3. This command will list the metadata for all .jpg files in the Recycle Bin.

Step 5: Recovering Files from the Recycle Bin

Recover Files Using CMD

  1. To recover a file, you can manually copy it from the Recycle Bin to another directory. For example, to recover the file $R12345.txt:
    copy C:\$Recycle.Bin\$R12345.txt C:\Users\YourUsername\Desktop\RecoveredFile.txt

Verify the Recovered File

  1. After copying, check your Desktop to verify the recovered file:
    dir C:\Users\YourUsername\Desktop
  2. You should see the file RecoveredFile.txt that you restored from the Recycle Bin.

Step 6: Investigating Metadata of Recovered Files

Inspect Recovered Files

  1. After recovering a file, use the dir command to check its metadata (e.g., creation time, modification time, etc.):
    dir C:\Users\YourUsername\Desktop\RecoveredFile.txt

Analyse Timestamps

  1. Pay close attention to the Date Created and Date Modified fields to see if they correspond with when the file was initially created or deleted.
  2. This analysis can provide forensic evidence about when the file was deleted and restored.
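The dir output in Steps 4 and 6 shows only the NTFS timestamps of the renamed $R file; on Windows Vista and later, each $R<id> file under C:\$Recycle.Bin\<user SID>\ has a companion $I<id> file that records the original path, original size and the exact deletion time. The parser below is an added example, not part of this lab: it builds constructed $I records in both the Vista/7/8 (version 1) and Windows 10 (version 2) layouts and decodes them, so it runs offline without a live Recycle Bin. The sample path, size and deletion timestamp are made up for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME: 100 ns ticks since 1601-01-01 UTC

def filetime_to_datetime(ft: int) -> datetime:
    return _EPOCH + timedelta(microseconds=ft // 10)

def companion_i_name(r_name: str) -> str:
    """$R<id>.<ext> holds the content; $I<id>.<ext> in the same SID folder holds the metadata."""
    if not r_name.startswith("$R"):
        raise ValueError("not a $R entry")
    return "$I" + r_name[2:]

def parse_i_file(data: bytes) -> dict:
    """Decode one $I record. Version 1 (Vista/7/8): 8-byte version, 8-byte
    original size, 8-byte FILETIME deletion time, 520-byte NUL-padded UTF-16LE
    original path. Version 2 (Windows 10+): same first 24 bytes, then a 4-byte
    path length in UTF-16 code units (including the NUL) and the path itself."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}

def build_i_file(version: int, size: int, deleted: datetime, path: str) -> bytes:
    """Build a constructed $I record for offline testing (not captured from a host)."""
    ft = (deleted - _EPOCH) // timedelta(microseconds=1) * 10
    encoded = (path + "\x00").encode("utf-16-le")
    head = struct.pack("<QQQ", version, size, ft)
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded

# Constructed sample values: hypothetical original path and deletion time.
SAMPLE_PATH = r"C:\Users\YourUsername\Desktop\TestFolder\testfile.txt"
SAMPLE_DELETED = datetime(2026, 2, 11, 11, 12, 30, tzinfo=timezone.utc)
SAMPLE_V1 = build_i_file(1, 23, SAMPLE_DELETED, SAMPLE_PATH)
SAMPLE_V2 = build_i_file(2, 23, SAMPLE_DELETED, SAMPLE_PATH)

if __name__ == "__main__":
    for record in (SAMPLE_V1, SAMPLE_V2):
        print(parse_i_file(record))
```

On a real system, read the $I file that companion_i_name() returns for the $R entry you listed with dir, and compare its deletion time with the Date Modified of the recovered copy.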

Step 7: Checking for Hidden Files

Show Hidden Files

  1. To check for any hidden files in the Recycle Bin, use:
    dir /a:h
  2. The /a:h switch displays entries that have the hidden attribute set. This can help uncover files that are normally invisible in File Explorer but still present in the Recycle Bin.

Extra Task: Recovering Permanently Deleted Files

The purpose of this task is to show you how permanently deleted files from a suspect’s recycle bin can be recovered in a forensic investigation. Deleting files from the recycle bin is another anti-forensic technique used by attackers to completely erase all files and tools that could be used to trace their suspicious activities.

Note: For this task you need the recycle_bin.dd image:

  • You can find it in your CyberLab Shared folder
  • or download it from here: recycle_bin.dd. I will also show you how to implement this task from scratch on your USB stick. The tools required for this lab are FTK Imager and Autopsy.

PLEASE make sure to delete the image after you finish your lab to ensure there is enough space available on the machine for future use. Thanks.

Recovering Files from the Provided Image (recycle_bin.dd)

  1. In this image file, I have created several documents in txt, Word and jpeg formats. These documents have been permanently deleted.

  2. Open the Autopsy application on your forensics machine.

  3. Create a new case and add the image to the case.

  4. Go to the file system section under deleted files.

    • What do you see? The attacker could have assumed all files were completely deleted. Were they deleted?

  5. Now analyse every file's metadata. What is the file size of attack.jpeg and crime.jpeg?

  6. Can you identify the time and date stamps?

  7. Can you view the content of the jpeg files?

  8. Where was crime.jpeg downloaded from (URL)?

FYI: Implementing the Activity on Your USB Stick

  1. Create a folder on your desktop environment and copy as many files as you want into that folder.
  2. Now copy the folder onto your USB stick. Using Shift + Delete, permanently delete the folder from your USB stick.
  3. Open your FTK Imager application.
  4. Create an image of the USB stick using FTK Imager and give the image a name.
  5. Open the Autopsy application on your forensics machine.
  6. Create a new case and add the image to the case.
  7. Go to the file system section under deleted files. What do you see? The attacker could have assumed all files were completely deleted. Were they deleted?
  8. Analyse all the deleted files in the folder, including the metadata information.

Ali Jaddoa

Copyright © 2026 • Created by Ali Jaddoa

Page last updated: Wednesday 11 February 2026 @ 11:12:30 | Commit: 3219b15