I recently received an email from a friend who I had worked closely
with years ago and who I have always considered to be a mentor. Every day
we worked together he would challenge me and make me think about
various forensic procedures and come up with innovative solutions. His
name is Bruce Pixley and I miss working with him.
Bruce recently had a need to parse out some deleted files that were in
the recycle bin of a Windows 7 image, but the corresponding $R files
were gone. He restored several of the shadow volume instances and found
several of the $I files, but the $R files were not present. He needed a
way to parse just the $I index files and build a report.
Bruce ended up writing a simple EnScript to parse selected $I files in
the recycle bin of a Vista/7 image. He sent me the EnScript to post as a
learning process for others.
/*
Windows 7 Recycle Bin Report (Version: 1.0)
Select $I files found in the Windows 7 $Recycle.Bin folder that you want decoded
Enscript will create a tab-delimited file in the case export folder
Created by: Bruce W. Pixley, CISSP, EnCE
Date: 12/1/2010
*/
You can read the comments inside the EnScript for specific details of how he is parsing the data.
You can download a copy of the EnScript here
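The EnScript itself is not reproduced on this page, only its header comment, so the following is an added example of mine (not Bruce's code) showing the same decoding in Python. It assumes the documented Vista/7 $I layout, format version 1: an 8-byte version, an 8-byte original size, an 8-byte FILETIME deletion stamp, and a 520-byte null-padded UTF-16LE original path. The $I file names, path and timestamp below are constructed sample data, and the truncated second record stands in for the kind of partial $I file a shadow-copy restore can yield; the report column pairing each $I with its expected $R name uses the fact that the two share the same random suffix.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout of a Vista/7 $I record (format version 1), 544 bytes, little-endian:
#   offset 0,  8 bytes: version (1)
#   offset 8,  8 bytes: original file size in bytes
#   offset 16, 8 bytes: deletion time as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)
#   offset 24, 520 bytes: original full path, UTF-16LE, null padded to 260 characters
I_RECORD_SIZE = 544
PATH_OFFSET = 24
PATH_BYTES = 520
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime):
    """Convert a Windows FILETIME (100 ns ticks) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc; used only to build the constructed sample below."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_record(data):
    """Decode one $I record; raises ValueError for truncated or non-version-1 records."""
    if len(data) < I_RECORD_SIZE:
        raise ValueError("truncated $I record: %d bytes, expected %d" % (len(data), I_RECORD_SIZE))
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version != 1:
        # Windows 10 writes version 2 with a length-prefixed path; deliberately not handled here.
        raise ValueError("unsupported $I version %d" % version)
    raw_path = data[PATH_OFFSET:PATH_OFFSET + PATH_BYTES]
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]  # stop at the first null terminator
    return {
        "original_size": size,
        "deleted_utc": filetime_to_utc(filetime),
        "original_path": path,
    }


def expected_r_name(i_name):
    """$Iabc123.txt describes the data file $Rabc123.txt: same suffix, $R prefix."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name: %s" % i_name)
    return "$R" + i_name[2:]


def build_report(i_files):
    """i_files: iterable of (file name, raw bytes). Returns tab-delimited text.
    A bad record produces an error row rather than aborting the whole report."""
    rows = ["$I file\tExpected $R file\tOriginal path\tOriginal size\tDeleted (UTC)"]
    for name, data in i_files:
        try:
            rec = parse_i_record(data)
            rows.append("\t".join([
                name,
                expected_r_name(name),
                rec["original_path"],
                str(rec["original_size"]),
                rec["deleted_utc"].strftime("%Y-%m-%d %H:%M:%S"),
            ]))
        except ValueError as exc:
            rows.append("\t".join([name, "", "PARSE ERROR: %s" % exc, "", ""]))
    return "\n".join(rows)


def make_sample_i_record(path, size, deleted_utc):
    """Build a constructed version-1 $I record for demonstration; not real evidence."""
    encoded = path.encode("utf-16-le")
    if len(encoded) > PATH_BYTES - 2:
        raise ValueError("path too long for a version 1 record")
    return struct.pack("<QQQ", 1, size, utc_to_filetime(deleted_utc)) + encoded.ljust(PATH_BYTES, b"\x00")


# Constructed sample input: one well-formed record and one truncated record.
SAMPLE_FILES = [
    ("$IABC123.docx", make_sample_i_record(r"C:\Users\bob\Documents\budget.docx", 40960,
                                           datetime(2010, 12, 1, 15, 30, 0, tzinfo=timezone.utc))),
    ("$IXYZ789.txt", b"\x01" + b"\x00" * 40),  # partial record, as a shadow-copy restore may produce
]

if __name__ == "__main__":
    print(build_report(SAMPLE_FILES))
```

Run against real $I files, replace SAMPLE_FILES with the bytes read from each selected file and write the returned string to a .tsv in your export folder. Note that the deletion stamp is stored in UTC, so convert to the examiner's or the machine's local zone only at presentation time, and keep the "Expected $R file" column: it tells you which data file to look for in each shadow volume even when, as in Bruce's case, the $R files have already been purged.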
Reposted from http://www.forensickb.com/2010/12/windows-7-recycle-bin-enscript.html