Solved

Windows Forensics: How to use Recycle Bin tool "Rifiuti"?

Posted on 2010-11-25
Last Modified: 2012-05-10
Hi there! Does anyone know how to properly utilize the "Rifiuti" tool which originated from McAfee Foundstone? I have tried it on a Windows XP platform but it does not output any results.

I have carefully followed the instructions on the man page but the program still does not output anything. The NTFS drive that I have used the tool on is not encrypted, therefore it should show some results. Can someone please advise on the proper codes or commands? Thanks!

The various commands that I have tried:

C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003>dir /a
 Volume in drive C has no label.
 Volume Serial Number is B415-07D3

 Directory of C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003

07/04/2008  12:46 PM    <DIR>          .
07/04/2008  12:46 PM    <DIR>          ..
07/04/2008  12:46 PM                65 desktop.ini
07/04/2008  12:46 PM                20 INFO2
               2 File(s)             85 bytes
               2 Dir(s)  111,852,953,600 bytes free

C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003>C:\temp\rc\bin\rifiuti.exe INFO2
INFO2 File: INFO2

INDEX   DELETED TIME    DRIVE NUMBER    PATH    SIZE

C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003>C:\temp\rc\bin\rifiuti.exe

Usage:  rifiuti [options] <filename>
        -d Field Delimiter (TAB by default)



Another similar command:

C:\temp\rc\bin>rifiuti.exe C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003\INFO2
INFO2 File: C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003\INFO2

INDEX   DELETED TIME    DRIVE NUMBER    PATH    SIZE


Question by: VMthinker
7 Comments
Accepted Solution by: torimar (LVL 35, earned 250 total points)
ID: 34211169
Your recycle bin is empty (apart from the obligatory desktop.ini and INFO2). Hence there is no data for the tool to output.

This is not so much a forensics tool as an analysis helper; it does not give you a "history" of the recycle bin in any way, if that is what you were after. It only analyses the INFO2 file, which keeps a record of the current recycle bin items as far as their original location, time deleted, size etc. are concerned.
Author Comment by: VMthinker (LVL 2)
ID: 34211488
@tor However, when I used Windows Explorer to navigate to the folder, I could see deleted files in there.
Expert Comment by: torimar (LVL 35)
ID: 34211565
You used the "dir" command above, and that did not show any deleted contents. Only the two hidden system files.
Author Comment by: VMthinker (LVL 2)
ID: 34213122
Weird, though; I used the dir /a command....
Expert Comment by: btan (LVL 61)
ID: 34220734
You can see this PDF (link below); it mentions that INFO2 has the first record size found at 0x0C bytes from the start. Thereafter, the path of the deleted item and other fields would be found. I noticed that your INFO2 size is only 20 bytes; I doubt it contained what you are looking for, especially if the deleted items' total size already exceeds the INFO2 file size.

@ http://biznetnetworks.dl.sourceforge.net/project/odessa/ODESSA/White%20Papers/Recycler_Bin_Record_Reconstruction.pdf

The PDF also shows the use of the Rifiuti tool. Possibly you may be in the wrong folder containing the INFO2, especially if this machine is multi-user etc. The correct folder is based on the user SID; you can double-check the SID in your listed path using the PsGetSid tool.

@ http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx
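Added illustration, not from any poster here and not the Rifiuti project's code: a small Python parser for the Windows 2000/XP INFO2 layout btan refers to (record size stored at offset 0x0C, followed by fixed-size records holding the ANSI path, index, drive number, FILETIME of deletion, size and Unicode path). It assumes the standard 800-byte XP record layout and runs on constructed sample bytes, including the bare 20-byte header from the question, which parses to zero records, which is exactly why rifiuti printed nothing but the column header.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_LEN = 20          # an empty XP INFO2 is exactly the 20-byte header
RECSIZE_OFFSET = 0x0C    # record size field, as the ODESSA paper notes
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_info2(data):
    """Parse a 2000/XP INFO2 blob into one dict per record (empty bin -> [])."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than the 20-byte INFO2 header")
    record_size = struct.unpack_from("<I", data, RECSIZE_OFFSET)[0]
    if record_size < 0x118 + 520:          # XP records are 800 bytes
        raise ValueError("implausible record size %#x" % record_size)
    records, off = [], HEADER_LEN
    while off + record_size <= len(data):  # a trailing partial record is ignored
        rec = data[off:off + record_size]
        # Record layout: 260-byte ANSI path, u32 index, u32 drive number,
        # FILETIME deleted, u32 size (cluster-rounded), 520-byte UTF-16 path.
        ansi = rec[:260].split(b"\0", 1)[0].decode("ascii", "replace")
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 0x104)
        path = rec[0x118:0x118 + 520].decode("utf-16-le", "replace").split("\0", 1)[0]
        records.append({
            "index": index, "deleted": filetime_to_dt(ft),
            "drive": chr(ord("A") + drive), "path": path or ansi, "size": size,
            # a zeroed first ANSI byte marks a record restored or purged from the bin
            "active": rec[0] != 0,
        })
        off += record_size
    return records

def build_sample_record(path, index, drive, ft, size):
    """Constructed test data: one 800-byte XP-style record, not from a real system."""
    rec = bytearray(800)
    rec[:len(path)] = path.encode("ascii")
    struct.pack_into("<IIQI", rec, 0x104, index, drive, ft, size)
    rec[0x118:0x118 + 2 * len(path)] = path.encode("utf-16-le")
    return bytes(rec)

# Constructed samples: the bare 20-byte header (the empty bin from the question),
# and the same header plus one record deleted on 2010-11-25 00:00 UTC (FILETIME).
EMPTY_INFO2 = struct.pack("<IIIII", 5, 0, 0, 800, 0)
SAMPLE_INFO2 = EMPTY_INFO2 + build_sample_record(
    "C:\\Documents and Settings\\user\\Desktop\\plan.doc", 1, 2, 129351168000000000, 24576)
```

Feed it the raw bytes of a real INFO2 (read in binary mode) to get the same INDEX, DELETED TIME, DRIVE NUMBER, PATH and SIZE columns rifiuti prints.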
Assisted Solution by: btan (LVL 61, earned 250 total points)
ID: 34220742
Thought I would also share Rifiuti2, but I believe it should not be the tool if you try it on another machine as well.

@ http://www.caine-live.net/page11/page11.html
@ http://manpages.ubuntu.com/manpages/lucid/man1/rifiuti2.1.html

As its name indicates, rifiuti2 is a rewrite of rifiuti. Rifiuti (last updated 2004) is restricted to the English version of Windows (it fails to analyze any non-Latin character), thus this rewrite. It also supports Windows file names in any language, supports Vista and Windows 2008 "$Recycle.Bin" (which no longer uses the INFO2 file), enables localization (that is, it is translatable) by using glib, has more rigorous error checking, and supports output in XML format.
Author Closing Comment by: VMthinker (LVL 2)
ID: 34236168
If there are clear commands to troubleshoot the problem it would be excellent.