Unit 7: Windows Forensics Analysis
7.1 Windows Forensics Analysis: Windows Artifacts

mac2022-06-30  24

>> In the last unit, we studied one of the most important Windows artifacts, the registry.

In this unit, we will look at other information-rich Windows artifacts, starting with the Windows Recycle Bin.

The Recycle Bin is a hidden system folder.

It is called Recycled in Windows 95 and 98, Recycler in Windows NT, 2000 and XP, and $Recycle.Bin since Windows Vista.

When files and folders are sent to the Recycle Bin, they remain active files: their clusters stay allocated, so the space is protected from being overwritten until someone empties the Recycle Bin.

FAT file systems do not track who deleted a file, so on FAT all the files in the Recycle Bin are put in a single folder.

On NTFS, however, subfolders of the Recycle Bin are created per user and named with the user's SID. Each user has their own folder for recycled files, and a user can only access the files in the folder associated with their own SID.

Please note that files deleted by the operating system, or by a user pressing Shift+Delete, are not moved to the Recycle Bin. The same holds for files removed with `del` at a command prompt or deleted by a program through the file-deletion API, so the absence of a Recycle Bin record does not mean a file was never deleted.

Before Windows Vista, the Recycle Bin used a hidden file called INFO (Windows 95) or INFO2 to store the information about each file and directory placed in the Recycle Bin.

When you move a file to the Recycle Bin, a new record is added to the INFO2 file with the file's index number, the deletion date and time, the original file size, and the original name and path.

The file itself is given a new name in the format D, followed by the original drive letter of the file, followed by a sequential index number, followed by the original extension.

For example, when an executable on the C: drive is sent to the Recycle Bin and its index number is 43, its new name, as recorded in the INFO2 entry, is DC43.exe.

Using the INFO2 information, the Recycle Bin can restore a file you sent there by mistake to its original location, and an examiner can do the same by hand.

When a folder is sent to the Recycle Bin, the folder is renamed in the same way as a file, but without any extension. The files and photos within that folder keep their original names.

Since Windows Vista, the Recycle Bin folder has been named $Recycle.Bin, and the INFO2 file is no longer used.

When a file is sent to the Recycle Bin, both the original file and a matching metadata file are stored in the user's own subdirectory, C:\$Recycle.Bin\<user SID>.

The original file is renamed to $R followed by a set of random characters, followed by the original file extension.

A matching metadata file is created whose name begins with $I followed by the same set of random characters and the same extension as the $R file.

On Windows Vista, 7 and 8 this $I file is always 544 bytes long: an 8-byte format version (1), the original file size (8 bytes), the deletion date and time as a 64-bit FILETIME (8 bytes), and the original path as a 520-byte UTF-16 string. One caveat a practitioner should keep in mind: Windows 10 and later write version 2 of the format, which stores a path length before the path and makes the $I file variable in size, so a tool that assumes a fixed 544 bytes will mis-parse those files.

Unfortunately, neither the INFO2 file nor the $I files are in readable text.

Rifiuti, whose name is the Italian word for trash, was developed by McAfee (its Foundstone group) to parse the information in an INFO2 file and display the fields separated by a field delimiter.

Rifiuti supports multiple platforms and runs on Windows, Mac, Linux and BSD. To parse a $I file, you only need to follow the $I file structure.

After using FTK or EnCase to export the $I files, free tools such as the $I File Parser from Flashback Data will parse them.

When the Recycle Bin is emptied, the files and folders in the Recycle Bin become deleted files and folders.

The file system modifies its system structures to reflect the deletion, as we covered in Unit Six; in addition, the INFO2 entries or the $I and $R files are deleted, and the Windows Recycle Bin icon changes to an empty waste basket.

However, even though the INFO2 records and the $I files are gone from the Recycle Bin, they may still be intact in unallocated or slack space.

Forensic examiners are interested in recovering INFO2 entries and $I files because they indicate that a user intentionally deleted files from certain locations.

For example, suppose a suspect is accused of possession of indecent pictures, and a forensic examiner finds some of the pictures in the Recycle Bin or in a recovered INFO2 file. The suspect claims that these pictures were downloaded automatically from the internet and that he or she was not aware of their existence.

The forensic examiner can check the pictures' original location before they were sent to the Recycle Bin. If these pictures were originally located in C:\My Documents\My Favorite Things, that evidence tends to refute the suspect's statement.

Sometimes the original path information tells us that we are missing a critical piece of evidence.

For example, an examiner identifies an INFO2 record or a $I file, but cannot find the file's original path anywhere on the seized media. This is an indication that another piece of media may have been attached to the computer, which could lead us to discover more evidence.

How do forensic analysis tools recover deleted INFO2 records and $I files?

As we mentioned earlier, both INFO2 records and $I files follow their own fixed structures.

An INFO2 record stores the file's index number, deletion date and time, original file size, name and path, and (through the drive number and index) the new D-name the file was given.

A version-1 $I file is always 544 bytes long and follows the $I structure to store the original file size, the deletion date and time, and the original file name and path.

Forensic tools go through unallocated clusters and file slack, using regular expressions or byte signatures to search for INFO2 record and $I file patterns.

EnCase uses its own scripting language, EnScript, a Java-like language, to recover and interpret deleted INFO2 records and $I files.

FTK uses Live Search with regular expressions to search for INFO2 entries and $I files.

The regular expression for INFO2 entries shown on the slide is given as an example.
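The structures described above are small enough to parse by hand. The following Python is an added example written for this page; it is not course material, nor Rifiuti or the Flashback Data parser. The INFO2 and $I layouts are the publicly documented ones, the carving regular expression is my own rather than the one on the slide, and every sample byte string is constructed by the build_* helpers, not taken from a real system. The $I parser also goes beyond the lecture by handling the variable-length version-2 format that Windows 10 writes.

```python
"""Parse Windows Recycle Bin metadata: pre-Vista INFO2 records and Vista+ $I files.

Added example for this page, not course material and not Rifiuti or the Flashback
Data parser. Layouts follow the publicly documented INFO2 and $I formats; all
sample bytes are constructed by the build_* helpers, not taken from a real system.
"""
import ntpath
import re
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
INFO2_HEADER = 20    # version, two unused dwords, record size, total record bytes
INFO2_RECORD = 800   # 0x320 bytes per record on Windows 2000/XP
I_V1_SIZE = 544      # fixed size of a version-1 $I file (Vista, 7, 8)


def filetime_to_dt(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    td = dt - EPOCH_1601
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10


def parse_info2(data):
    """One dict per INFO2 record. The record stores drive number and index; the
    D<drive><index><ext> name the Recycle Bin used is derived from them here."""
    _version, _, _, rec_size, _ = struct.unpack_from("<5I", data, 0)
    if rec_size != INFO2_RECORD:
        raise ValueError(f"unexpected INFO2 record size {rec_size}")
    records = []
    for off in range(INFO2_HEADER, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        # 0: ANSI path (260), 260: index, 264: drive (0 = A:), 268: FILETIME, 276: size, 280: UTF-16 path (520)
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        path = rec[280:].decode("utf-16-le").split("\x00", 1)[0]
        letter = chr(ord("A") + drive)
        records.append({"index": index, "drive": letter, "deleted": filetime_to_dt(ft),
                        "size": size, "path": path,
                        "recycled_name": f"D{letter}{index}{ntpath.splitext(path)[1]}"})
    return records


def parse_i_file(data):
    """Parse a $I file. Version 1 is fixed at 544 bytes; version 2 (Windows 10
    and later) carries a path length at offset 24 and is variable in size."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path = data[24:I_V1_SIZE].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        nchars, = struct.unpack_from("<I", data, 24)
        path = data[28:28 + 2 * nchars].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size, "deleted": filetime_to_dt(ft), "path": path}


# Carving signature (my own, not the slide's) for version-1 $I files in unallocated
# or slack space: version qword 1, 16 bytes of size + FILETIME, then a UTF-16 "X:\".
I_V1_SIGNATURE = re.compile(rb"\x01\x00{7}.{16}[A-Z]\x00:\x00\\\x00", re.DOTALL)


def carve_i_files(blob):
    """Parse every version-1 $I record whose signature appears in a raw buffer."""
    return [parse_i_file(blob[m.start():m.start() + I_V1_SIZE])
            for m in I_V1_SIGNATURE.finditer(blob)]


# ---- constructed sample data (no real Recycle Bin involved) -----------------
SAMPLE_DT = datetime(2022, 6, 30, 12, 0, 0, tzinfo=timezone.utc)


def build_info2(entries):
    """entries: (index, drive_number, deleted_dt, size, original_path) tuples."""
    body = b""
    for index, drive, dt, size, path in entries:
        body += path.encode("cp1252").ljust(260, b"\x00")
        body += struct.pack("<IIQI", index, drive, dt_to_filetime(dt), size)
        body += path.encode("utf-16-le").ljust(520, b"\x00")
    return struct.pack("<5I", 5, 0, 0, INFO2_RECORD, len(body)) + body


def build_i_file(version, size, dt, path):
    head = struct.pack("<QQQ", version, size, dt_to_filetime(dt))
    upath = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return head + upath.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + upath


if __name__ == "__main__":
    info2 = build_info2([(43, 2, SAMPLE_DT, 12288, r"C:\My Documents\My Favorite Things\tool.exe")])
    for r in parse_info2(info2):
        print(r["recycled_name"], r["deleted"], r["path"])
    i1 = build_i_file(1, 2048, SAMPLE_DT, r"C:\Users\suspect\Pictures\img001.jpg")
    unallocated = b"\xff" * 100 + i1 + b"\x00" * 50 + i1   # constructed slack/unallocated buffer
    for hit in carve_i_files(unallocated):
        print(hit["deleted"], hit["size"], hit["path"])
```

The carving signature anchors on the fixed header plus a `X:\` path start so that a stray `01 00 00 00 00 00 00 00` qword in unrelated data does not produce a false hit; a real carver would also want a signature for INFO2 records, where the 260-byte ANSI path is followed by a small index and a drive number below 26.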

Windows shortcut files, or link (.lnk) files, are valuable artifacts for forensic investigators.

Shortcut files link to Windows applications and files; they are found in Recent Documents, the Start Menu, the SendTo folder, and on the Windows desktop.

Understanding the link file format is important for forensic analysis.

A Windows link file contains the MAC times of the target and the size of the target (as recorded when the shortcut was last updated); the MAC address of the computer and the serial number of the volume where the target was stored; the network share name and the fully qualified path of the target file; and the target's attributes, such as hidden, system, encrypted, compressed, and so on.

The shortcut file information reveals the existence of files that may no longer exist on the device under examination. These files might have been wiped or deleted, or may still be stored on a USB device or network share that was not acquired. This information can lead you to identify a missing piece of evidence.

A number of tools, including EnCase and FTK, exist to parse link file content for investigation.
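To show where the fields listed above actually sit in a .lnk file, here is an added Python example written for this page; it is not EnCase, FTK or course code. It parses the fixed ShellLinkHeader (target MAC times, size, attributes) and, when the LinkInfo structure is present, the VolumeID (drive type, volume serial number, label) and the local base path, following the offsets in Microsoft's MS-SHLLINK specification. The sample shortcut is constructed by build_lnk rather than taken from a disk image, and the TrackerDataBlock that holds the MAC address lives in the ExtraData section and is not parsed here.

```python
"""Parse the ShellLinkHeader and LinkInfo/VolumeID of a Windows .lnk shortcut.

Added example for this page, not EnCase, FTK or course code. Offsets follow the
MS-SHLLINK specification; build_lnk constructs the sample shortcut. The MAC
address lives in the TrackerDataBlock (ExtraData) and is not parsed here.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01          # LinkFlags
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01    # LinkInfoFlags
FILE_ATTRIBUTES = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x10: "DIRECTORY",
                   0x20: "ARCHIVE", 0x80: "NORMAL", 0x800: "COMPRESSED", 0x4000: "ENCRYPTED"}
DRIVE_TYPES = {2: "REMOVABLE", 3: "FIXED", 4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}


def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    td = dt - EPOCH_1601
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10


def parse_lnk(data):
    """Return target MAC times, size and attributes from the header, plus volume
    serial, label, drive type and local base path when LinkInfo carries a VolumeID."""
    hsize, clsid, flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from("<I16sIIQQQI", data, 0)
    if hsize != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    info = {"created": filetime_to_dt(ctime), "accessed": filetime_to_dt(atime),
            "modified": filetime_to_dt(wtime), "target_size": fsize,
            "attributes": sorted(n for bit, n in FILE_ATTRIBUTES.items() if attrs & bit)}
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip the shell item ID list if present
        idlist_size, = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        li_size, _li_hdr_size, li_flags, vol_off, base_off = struct.unpack_from("<5I", data, off)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            # VolumeID: VolumeIDSize, DriveType, DriveSerialNumber, VolumeLabelOffset, label
            _, drive_type, serial, label_off = struct.unpack_from("<4I", data, off + vol_off)
            label = data[off + vol_off + label_off:].split(b"\x00", 1)[0].decode("cp1252")
            base = data[off + base_off:].split(b"\x00", 1)[0].decode("cp1252")
            info.update(volume_serial=f"{serial:08X}", volume_label=label,
                        drive_type=DRIVE_TYPES.get(drive_type, str(drive_type)), local_base_path=base)
        off += li_size
    return info


# ---- constructed sample shortcut (not a real .lnk from disk) ----------------
SAMPLE_DT = datetime(2022, 6, 30, 12, 0, 0, tzinfo=timezone.utc)


def build_lnk(target, serial, label, size, created, accessed, modified, attrs):
    """Build a minimal .lnk: header with HasLinkInfo set and a LinkInfo holding a
    VolumeID and local base path; no ID list, string data or extra data."""
    label_b = label.encode("cp1252") + b"\x00"
    base_b = target.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label_b), 3, serial, 16) + label_b   # DriveType 3 = FIXED
    vol_off = 28                                 # LinkInfoHeaderSize without Unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_b)
    body = volume_id + base_b + b"\x00"          # empty CommonPathSuffix
    link_info = struct.pack("<7I", 28 + len(body), 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + body
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, HAS_LINK_INFO, attrs,
                         dt_to_filetime(created), dt_to_filetime(accessed), dt_to_filetime(modified),
                         size, 0, 1, 0, 0, 0, 0)  # IconIndex, SW_SHOWNORMAL, HotKey, Reserved1-3
    return header + link_info


if __name__ == "__main__":
    lnk = build_lnk(r"E:\photos\img001.jpg", 0x1A2B3C4D, "DATA", 4096,
                    SAMPLE_DT, SAMPLE_DT, SAMPLE_DT, 0x02 | 0x20)
    for key, value in parse_lnk(lnk).items():
        print(f"{key:16} {value}")
```

The sample points at E:\ on a volume with serial 1A2B3C4D; if no acquired volume has that serial, the shortcut alone tells you a further piece of media existed, which is exactly the investigative use the lecture describes.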

Next, let's look at thumbnails, which Windows has used since Windows 95.

The thumbnail file is generated automatically when a user views a folder with the thumbnail view option turned on. It is a hidden database file that contains a small image for every graphics file in the folder.

The graphics files indexed in a thumbnail file include image files such as JPEGs, BMPs, GIFs and PNGs, document image files such as PDFs, video files, and others.

In Windows XP and earlier, thumbnails are stored in a Thumbs.db file in the same directory as the graphics.

Since Windows Vista, the thumbnail cache files are stored in a centralized location under the user's profile, in the Explorer folder (%LOCALAPPDATA%\Microsoft\Windows\Explorer). The centralized thumbnail cache consists of a number of files named thumbcache_<number>.db, where the number is the thumbnail size, for example thumbcache_32.db, thumbcache_96.db, thumbcache_256.db and thumbcache_1024.db.

Why is the thumbnail file an important artifact?

Images extracted from thumbnail caches are crucial evidence in cases involving image forensics.

If a suspect is charged with possessing indecent images, the suspect will often try to delete the images before the police reach them. However, a thumbnail of an image often remains in the thumbnail file even after the suspect has deleted the image file itself.

Many people do not delete the thumbnail file when deleting images, and even if the thumbnail file is deleted, it may still be recoverable.

In such cases, the computer forensic investigator recovers the thumbnail file and extracts each thumbnail image along with its metadata, such as the original image's name and the date each thumbnail was last written.

Thumbnails show that the files existed on the volume.

Several tools can be used to extract and view the data in a thumbnail file; both EnCase and FTK provide a simple user interface for viewing the thumbnails in Thumbs.db and thumbcache_<number>.db files.

 

 

Recycle Bin Demo

 

>> The Windows Recycle Bin is a hidden system folder.

In NTFS, each user has his own folder, named with his SID number, to store all recycled files or subdirectories.

Before Windows Vista, it used a hidden system file called INFO2 to store the directory information of those recycled files.

So here I'm showing you a Windows XP system.

And there is a free tool called IE History.

This tool can be used to interpret the INFO2 file because, as you know, the INFO2 file is a binary file.

I believe this tool is included in the Helix CD.

So I'll open it up. And I need to find that.

Now, this program is called a history viewer because it can also be used to interpret the index.dat history file, the Internet history file.

But here I just want to load the INFO2 file.

The INFO2 file should be under C:, so I go to the parent directory in C:. This is a hidden folder, and it's called RECYCLER in this case.

Now there is one user, 500; this is the administrator.

The administrator has its own folder in which to store, and from which to restore, all of the recycled files and subdirectories.

If you have another logon user, then you should see another folder with a long SID number. So I open up this one.

And you should see an INFO2 file in here. So I select it and then click Open.

Now this program interprets what is inside the INFO2 file.

Each entry represents one recycled file.

It stores information about the index, which accumulates, the date and time the file was deleted, and then the original path, because a file in the Recycle Bin is not really deleted; it's just put there to be deleted.

And the user is able to restore that data. That's why all of the information should be there: the original path information and the original file name.

And it creates its own name in the INFO2 file, as I described in class.

It starts with D, then the drive the original file came from; this one is from the C: drive. That is followed by the index number, which here is 44, and then a dot and the original file's extension.

So that's the name used in the INFO2 file.

Okay. Before I close this program: since it is called IE History viewer, this program can also be used to interpret the IE history file, index.dat.

So let's look into one of the index.dat files. Let me find that file.

Let's go back to C:\Documents and Settings, since we are looking at the administrator user. Go to Administrator, then Local Settings.

By the way, if you use a different operating system, the location may vary.

Okay. So here in Windows XP I'm going to History, then into the history folder, and index.dat.

Now this is also a binary file.

The same program can be used to interpret the binary file index.dat, which records Internet usage activity: the URLs I have visited, and the date and time.

Okay. So all the activity is recorded.

Now if I intentionally clear my history, those records will be gone, but some fancy tools can even recover that information from unallocated space.

All right. So if you look at the first link, I downloaded Rifiuti, which is another free tool to look at the INFO2 file.

So I will exit from this program, and then quickly show you Rifiuti.

Okay. Open up a command prompt.

We are in C:, so now we need to show all of the hidden files: dir /a, to show all files. Without /a you wouldn't see the hidden files.

So you should be able to see RECYCLER. So let's cd RECYCLER.

Okay. And then again I want to show what's inside that. Then we can cd to that folder, the administrator's folder for his recycle information.

And then you will see the INFO2 file here. Okay, so there's the INFO2 file.

And now I use Rifiuti, which is very simple to use. It's free; you can download it from the McAfee website, I believe. So this is the .exe.

Okay. And then I use the Rifiuti program to interpret the INFO2 file.

So here is the interpretation: the index. When we used IE History it started with 44, but in this case the sequence is different: it starts at 39 and goes up to 44, and then the deletion time.

And here it gives the drive number, the path information, and then the size, but it does not show you the filename used internally in INFO2, because this program decided you don't need to know that INFO2 file name; you only need to know the original filename and path information. So it gave you all that information.

By the way, the INFO2 file name, which starts with D, is important if you want to search an unallocated area of a device to find information.

So all this information resides in INFO2, and both programs interpret and show you the information from the INFO2 file.

Each entry represents one recycled file or directory.

Okay. So that's it for this demo.

Reposted from: https://www.cnblogs.com/sec875/articles/10015728.html
