Solved

Windows Forensics How to use Recycle Bin Tool "Rifiuti"??

Posted on 2010-11-25
2,576 Views
Last Modified: 2012-05-10
Hi there! Does anyone know how to properly utilize the "Rifiuti" tool which originated from McAfee Foundstone? I have tried it on a Windows XP platform but it does not output any results.

I have carefully followed the instructions on the man page but the program still does not output anything. The NTFS drive on which I used the tool is not encrypted, therefore it should show some results. Can someone please advise on the proper codes or commands? Thanks!

The various commands that I have tried:

C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003>dir /a
 Volume in drive C has no label.
 Volume Serial Number is B415-07D3

 Directory of C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003

07/04/2008  12:46 PM    <DIR>          .
07/04/2008  12:46 PM    <DIR>          ..
07/04/2008  12:46 PM                65 desktop.ini
07/04/2008  12:46 PM                20 INFO2
               2 File(s)             85 bytes
               2 Dir(s)  111,852,953,600 bytes free

C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003>C:\temp\rc\bin\rifiuti.exe INFO2
INFO2 File: INFO2

INDEX   DELETED TIME    DRIVE NUMBER    PATH    SIZE

C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003>C:\temp\rc\bin\rifiuti.exe

Usage:  rifiuti [options] <filename>
        -d Field Delimiter (TAB by default)



Another similar command:

C:\temp\rc\bin>rifiuti.exe C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003\INFO2
INFO2 File: C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003\INFO2

INDEX   DELETED TIME    DRIVE NUMBER    PATH    SIZE


Question by:VMthinker
7 Comments
 
LVL 35

Accepted Solution

by:
torimar earned 750 total points
ID: 34211169
Your recycle bin is empty (apart from the obligatory desktop.ini and INFO2). Hence there is no data for the tool to output.

This is not so much a forensics tool as an analysis helper; it does not give you a "history" of the recycle bin in any way - if that is what you were after. It only analyses the INFO2 file which keeps a record on the current recycle bin items, as far as their original location, time deleted, size etc. are concerned.
0
 
LVL 2

Author Comment

by:VMthinker
ID: 34211488
@tor However, when I used Windows Explorer to navigate to the folder, I could see deleted files in there.
0
 
LVL 35

Expert Comment

by:torimar
ID: 34211565
You used the "dir" command above, and that did not show any deleted contents. Only the two hidden system files.
0
 
LVL 2

Author Comment

by:VMthinker
ID: 34213122
Weird, though I used the dir /a command....
0
 
LVL 65

Expert Comment

by:btan
ID: 34220734
You can see this PDF (link below); it mentions that INFO2 has the first record size found at 0x0C bytes from the start. Thereafter, the path of the deleted item and the others would be found. I noticed that your INFO2 size is only 20 bytes; I doubt it contains what you are looking for, especially if the deleted items' total size already exceeds the INFO2 file size.

@ http://biznetnetworks.dl.sourceforge.net/project/odessa/ODESSA/White%20Papers/Recycler_Bin_Record_Reconstruction.pdf

The PDF also shows the use of the Rifiuti tool. Possibly you are in the wrong folder containing the INFO2, especially if this machine is multi-user etc. The correct folder is based on the user SID; you can double check the SID in your listed path using the PsGetSid tool.

@ http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx
0
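As an added example (not from this thread, nor Rifiuti's own code), the following Python parser walks an INFO2 file the way btan describes: a 20-byte header whose record size sits at offset 0x0C, followed by fixed-size records. It is run on a constructed header-only 20-byte INFO2 like the asker's, which correctly yields no records, and on a constructed file holding one record. The 800-byte record layout (ANSI path, index, drive number, FILETIME, size, UTF-16LE path) is the commonly documented Windows 2000/XP layout and is an assumption of this example.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_LEN = 20                      # INFO2 header; record size sits at offset 0x0C
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def parse_info2(data):
    """Return (record_size, records) for raw INFO2 bytes.

    Assumed XP/2000 record layout (800 bytes): ANSI path (260), index (4),
    drive number (4, 2 = C:), deletion FILETIME (8), size (4), UTF-16LE path (520).
    A header-only 20-byte INFO2, like the one in the question, yields no records.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("too short to be an INFO2 file")
    record_size = struct.unpack_from("<I", data, 0x0C)[0]
    if record_size not in (280, 800):        # 280 = Win9x layout, 800 = Win2000/XP
        raise ValueError("unexpected record size %d" % record_size)
    records, off = [], HEADER_LEN
    while off + record_size <= len(data):    # a truncated trailing record is skipped
        rec = data[off:off + record_size]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        if record_size == 800:
            path = rec[280:].decode("utf-16-le").split("\x00", 1)[0]
        else:
            path = rec[:260].split(b"\x00", 1)[0].decode("latin-1")
        records.append({"index": index, "drive": drive, "size": size,
                        "deleted": filetime_to_utc(ft), "path": path})
        off += record_size
    return record_size, records

def make_xp_record(path, index, drive, deleted, size):
    """Constructed 800-byte XP-style record, used only to build sample input."""
    ansi = path.encode("latin-1").ljust(260, b"\x00")
    uni = path.encode("utf-16-le").ljust(520, b"\x00")
    return ansi + struct.pack("<IIQI", index, drive, utc_to_filetime(deleted), size) + uni

# Constructed samples: a header-only file (what the asker had) and one with a record.
EMPTY_INFO2 = struct.pack("<IIIII", 5, 0, 0, 800, 20)
SAMPLE_PATH = r"C:\Documents and Settings\user\Desktop\report.doc"
SAMPLE_TIME = datetime(2010, 11, 25, 8, 30, tzinfo=timezone.utc)
SAMPLE_INFO2 = struct.pack("<IIIII", 5, 0, 1, 800, 820) + make_xp_record(
    SAMPLE_PATH, 1, 2, SAMPLE_TIME, 4096)

if __name__ == "__main__":
    for name, blob in (("empty", EMPTY_INFO2), ("sample", SAMPLE_INFO2)):
        size, recs = parse_info2(blob)
        print(name, "record size", size, "records", len(recs), recs)
```

Running it against a real INFO2 means reading the file in binary mode and passing the bytes to parse_info2; a 20-byte file reports record size 800 and zero records, which is exactly the empty-bin situation torimar diagnosed.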
 
LVL 65

Assisted Solution

by:btan
btan earned 750 total points
ID: 34220742
I thought I would also share Rifiuti2, but I believe it should not be the tool if you try it on another machine as well.

@ http://www.caine-live.net/page11/page11.html
@ http://manpages.ubuntu.com/manpages/lucid/man1/rifiuti2.1.html

As its name indicates, rifiuti2 is a rewrite of rifiuti. Rifiuti (last updated 2004) is restricted to English versions of Windows (it fails to analyze any non-Latin characters), hence this rewrite. It also supports Windows file names in any language, supports Vista and Windows 2008 “$Recycle.Bin” (which no longer uses the INFO2 file), enables localization (that is, it is translatable) by using glib, has more rigorous error checking, and supports output in XML format.
0
 
LVL 2

Author Closing Comment

by:VMthinker
ID: 34236168
If there are clear commands to troubleshoot the problem it would be excellent.
0
