Solved

Windows Forensics How to use Recycle Bin Tool "Rifiuti"??

Posted on 2010-11-25
Last Modified: 2012-05-10
Hi there! Does anyone know how to properly utilize the "Rifiuti" tool which originated from McAfee Foundstone? I have tried it on a Windows XP platform but it does not output any results.

I have carefully followed the instructions on the man page but the program still does not output anything. The NTFS drive that I have used the tool on is not encrypted, therefore it should show some results. Can someone please advise on the proper codes or commands? Thanks!

The various commands that I have tried:

C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003>dir /a
 Volume in drive C has no label.
 Volume Serial Number is B415-07D3

 Directory of C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003

07/04/2008  12:46 PM    <DIR>          .
07/04/2008  12:46 PM    <DIR>          ..
07/04/2008  12:46 PM                65 desktop.ini
07/04/2008  12:46 PM                20 INFO2
               2 File(s)             85 bytes
               2 Dir(s)  111,852,953,600 bytes free

C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003>C:\temp\rc\bin\rifiuti
.exe INFO2
INFO2 File: INFO2

INDEX   DELETED TIME    DRIVE NUMBER    PATH    SIZE

C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003>C:\temp\rc\bin\rifiuti
.exe

Usage:  rifiuti [options] <filename>
        -d Field Delimiter (TAB by default)


Another similar command:

C:\temp\rc\bin>rifiuti.exe C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-
1003\INFO2
INFO2 File: C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003\INFO2

INDEX   DELETED TIME    DRIVE NUMBER    PATH    SIZE

Question by:VMthinker
7 Comments
 
LVL 35

Accepted Solution

by:
torimar earned 250 total points
ID: 34211169
Your recycle bin is empty (apart from the obligatory desktop.ini and INFO2). Hence there is no data for the tool to output.

This is not so much a forensics tool as an analysis helper; it does not give you a "history" of the recycle bin in any way - if that is what you were after. It only analyses the INFO2 file which keeps a record on the current recycle bin items, as far as their original location, time deleted, size etc. are concerned.
 
LVL 2

Author Comment

by:VMthinker
ID: 34211488
@tor However, when I used Windows Explorer to navigate to the folder, I could see deleted files in there.
 
LVL 35

Expert Comment

by:torimar
ID: 34211565
You used the "dir" command above, and that did not show any deleted contents. Only the two hidden system files.

 
LVL 2

Author Comment

by:VMthinker
ID: 34213122
Weird, though; I used the dir /a command....
 
LVL 63

Expert Comment

by:btan
ID: 34220734
You can see this PDF (link below); it mentions that INFO2 has the first record size found 0x0C bytes from the start. Thereafter, the path of the deleted item and others would be found. I noticed that your INFO2 size is only 20 bytes; I doubt it contains what you are looking for, especially if the deleted items' total size already exceeds the INFO2 file size.

@ http://biznetnetworks.dl.sourceforge.net/project/odessa/ODESSA/White%20Papers/Recycler_Bin_Record_Reconstruction.pdf

The PDF also shows the use of the Rifiuti tool. Possibly you may be in the wrong folder containing the INFO2, especially if this machine is multi-user etc. The correct folder based on user SID will locate the correct SID; you can double-check this SID in your listed path using the PsGetSid tool.

@ http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx
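The INFO2 layout btan refers to, worked through as an added example (not code from the thread, from rifiuti or from the PDF): the parser reads the record size at offset 0x0C and walks the records, so a 20-byte header-only file like the one in the question yields no entries. The 800-byte XP record layout, the zeroed-first-byte free-slot marker and the build_info2 helper used to construct the sample input are assumptions from my own knowledge of the format, not facts stated in the thread.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed Windows XP INFO2 layout (the thread only states the 0x0C record-size offset):
#   header (20 bytes): version u32, two u32 fields, record size u32 at 0x0C, one more u32
#   record (800 bytes): 260-byte ASCII path, index u32, drive number u32,
#                       FILETIME u64 (deletion time), physical size u32, 520-byte UTF-16LE path
HEADER = "<IIIII"
RECORD = "<260sIIQI520s"
FT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return FT_EPOCH + timedelta(microseconds=ft // 10)

def parse_info2(data):
    """Return (record_size, [records]) for raw INFO2 bytes; a header-only file yields []."""
    if len(data) < struct.calcsize(HEADER):
        raise ValueError("shorter than an INFO2 header")
    version, _, _, record_size, _ = struct.unpack_from(HEADER, data, 0)
    if record_size != struct.calcsize(RECORD):
        raise ValueError("unexpected record size %d (version %d)" % (record_size, version))
    records = []
    # Trailing partial records (file truncated mid-record) are ignored, not mis-parsed.
    for off in range(struct.calcsize(HEADER), len(data) - record_size + 1, record_size):
        ascii_path, index, drive, ft, size, uni_path = struct.unpack_from(RECORD, data, off)
        records.append({
            "index": index, "drive": drive, "size": size,
            "deleted": filetime_to_dt(ft),
            "path": uni_path.decode("utf-16-le").split("\x00", 1)[0],
            # Assumed marker: first ASCII byte is zeroed once the item leaves the bin.
            "slot_free": ascii_path[:1] == b"\x00",
        })
    return record_size, records

def build_info2(entries):
    """Hypothetical helper to construct test input: entries = (index, drive, dt, size, path)."""
    out = struct.pack(HEADER, 5, 0, 0, struct.calcsize(RECORD), 0)
    for index, drive, dt, size, path in entries:
        ft = ((dt - FT_EPOCH) // timedelta(microseconds=1)) * 10
        out += struct.pack(RECORD, path.encode("ascii").ljust(260, b"\0"), index, drive,
                           ft, size, path.encode("utf-16-le").ljust(520, b"\0"))
    return out

# Constructed inputs: an empty bin (20-byte header, as in the question) and one with a record.
EMPTY_INFO2 = build_info2([])
DELETED_AT = datetime(2010, 11, 25, 9, 30, tzinfo=timezone.utc)
ONE_ITEM_INFO2 = build_info2([(1, 2, DELETED_AT, 4096,
                               r"C:\Documents and Settings\user\Desktop\notes.txt")])
```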
 
LVL 63

Assisted Solution

by:btan
btan earned 250 total points
ID: 34220742
Thought I'd also share Rifiuti2, but I believe it should not be the tool if you try it on other machines as well.

@ http://www.caine-live.net/page11/page11.html
@ http://manpages.ubuntu.com/manpages/lucid/man1/rifiuti2.1.html

As its name indicates, rifiuti2 is a rewrite of rifiuti. Rifiuti (last updated 2004) is restricted to the English version of Windows (fails to analyze any non-Latin character), thus this rewrite. It also supports Windows file names in any language, supports Vista and Windows 2008 “$Recycle.Bin” (no longer uses the INFO2 file), enables localization (that is, it is translatable) by using glib, has more rigorous error checking, and supports output in XML format.
 
LVL 2

Author Closing Comment

by:VMthinker
ID: 34236168
If there are clear commands to troubleshoot the problem it would be excellent.