Solved

Windows Forensics: How to use Recycle Bin tool "Rifiuti"?

Posted on 2010-11-25
7
2,402 Views
Last Modified: 2012-05-10
Hi there! Does anyone know how to properly utilize the "Rifiuti" tool which originated from McAfee Foundstone? I have tried it on a Windows XP platform but it does not output any results.

I have carefully followed the instructions on the man page but the program still does not output anything. The NTFS drive that I have used the tool on is not encrypted, therefore it should show some results. Can someone please advise on the proper codes or commands? Thanks!

The various commands that I have tried:

C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003>dir /a
 Volume in drive C has no label.
 Volume Serial Number is B415-07D3

 Directory of C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003

07/04/2008  12:46 PM    <DIR>          .
07/04/2008  12:46 PM    <DIR>          ..
07/04/2008  12:46 PM                65 desktop.ini
07/04/2008  12:46 PM                20 INFO2
               2 File(s)             85 bytes
               2 Dir(s)  111,852,953,600 bytes free

C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003>C:\temp\rc\bin\rifiuti.exe INFO2
INFO2 File: INFO2

INDEX   DELETED TIME    DRIVE NUMBER    PATH    SIZE

C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003>C:\temp\rc\bin\rifiuti.exe

Usage:  rifiuti [options] <filename>
        -d Field Delimiter (TAB by default)



Another similar command:

C:\temp\rc\bin>rifiuti.exe C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003\INFO2
INFO2 File: C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003\INFO2

INDEX   DELETED TIME    DRIVE NUMBER    PATH    SIZE

Question by:VMthinker
7 Comments
 
LVL 35

Accepted Solution

by:
torimar earned 250 total points
ID: 34211169
Your recycle bin is empty (apart from the obligatory desktop.ini and INFO2). Hence there is no data for the tool to output.

This is not so much a forensics tool as an analysis helper; it does not give you a "history" of the recycle bin in any way - if that is what you were after. It only analyses the INFO2 file which keeps a record on the current recycle bin items, as far as their original location, time deleted, size etc. are concerned.
 
LVL 2

Author Comment

by:VMthinker
ID: 34211488
@tor However, when I used Windows Explorer to navigate to the folder, I could see deleted files in there.
 
LVL 35

Expert Comment

by:torimar
ID: 34211565
You used the "dir" command above, and that did not show any deleted contents. Only the two hidden system files.
 
LVL 2

Author Comment

by:VMthinker
ID: 34213122
Weird though, I used the dir /a command....
 
LVL 62

Expert Comment

by:btan
ID: 34220734
You can see this PDF (link below); it mentions that INFO2 has the first record size found 0x0C bytes from the start. Thereafter, the path of the deleted item and others would be found. I noticed that your INFO2 size is only 20 bytes, so I doubt it contains what you are looking for, especially if the deleted items' total size already exceeds the INFO2 file size.

@ http://biznetnetworks.dl.sourceforge.net/project/odessa/ODESSA/White%20Papers/Recycler_Bin_Record_Reconstruction.pdf

The PDF also shows the use of the Rifiuti tool. Possibly you may be in the wrong folder containing the INFO2, especially if this machine is multi-user etc. The correct folder is based on the user SID; you can double-check the SID in your listed path using the PsGetSid tool.

@ http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx
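As an added example (not code from this thread, from rifiuti, or from the linked paper), here is a small Python parser for the Windows 2000/XP INFO2 layout that the comment above refers to: a 20-byte header whose dword at offset 0x0C gives the record size, followed by fixed-size records (800 bytes on XP) that carry the index, drive number, deletion FILETIME, original size and original path that rifiuti prints as its columns. The header fields other than the record size, the offsets inside a record and the meaning of a leading NUL in the ANSI path are taken from the commonly documented layout and should be treated as assumptions; the sample INFO2 bytes are constructed inside the block, not taken from the asker's machine.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_LEN = 20            # fixed INFO2 header; an empty bin's INFO2 is exactly this long
XP_RECORD_SIZE = 0x320     # 800-byte records on Windows 2000/XP (assumption: XP layout)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_info2(data):
    """Parse an INFO2 blob into (record_size, [record dicts]).

    Assumed header (20 bytes): version dword @0x00, two unused dwords,
    record size @0x0C, one more dword @0x10.  Assumed record layout (XP):
      0x000  original path, ANSI, 260 bytes NUL-padded
      0x104  index            dword
      0x108  drive number     dword (0 = A:, 1 = B:, 2 = C:, ...)
      0x10C  deletion time    FILETIME, 8 bytes
      0x114  original size    dword
      0x118  original path, UTF-16LE, 260 characters
    """
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than the 20-byte INFO2 header")
    _version, _, _, record_size, _ = struct.unpack("<5I", data[:HEADER_LEN])
    if record_size < 0x118:
        raise ValueError("implausible record size %d" % record_size)
    body = data[HEADER_LEN:]
    records = []
    # Only whole records are parsed; a trailing partial record is ignored.
    for off in range(0, len(body) - record_size + 1, record_size):
        rec = body[off:off + record_size]
        ansi = rec[:260].split(b"\x00", 1)[0].decode("latin-1")
        index, drive, ftime, size = struct.unpack("<IIQI", rec[260:280])
        uni = rec[280:record_size].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        # The Unicode copy is preferred: the ANSI path is commonly documented as
        # getting its first byte zeroed once the item leaves the bin (assumption).
        records.append({
            "index": index,
            "deleted": filetime_to_datetime(ftime),
            "drive": chr(ord("A") + drive) + ":",
            "path": uni or ansi,
            "size": size,
        })
    return record_size, records


def rifiuti_rows(data):
    """Tab-separated rows in the column order rifiuti prints (INDEX..SIZE)."""
    _, records = parse_info2(data)
    return ["\t".join([str(r["index"]), r["deleted"].strftime("%Y-%m-%d %H:%M:%S"),
                       r["drive"], r["path"], str(r["size"])]) for r in records]


# --- constructed sample data (not from any real machine) -------------------
def build_record(index, drive, deleted, size, path, record_size=XP_RECORD_SIZE):
    """Build one XP-style record from field values; test data only."""
    ansi = path.encode("latin-1", errors="replace")[:259].ljust(260, b"\x00")
    fixed = struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted), size)
    uni = path.encode("utf-16-le")[:518].ljust(520, b"\x00")
    return (ansi + fixed + uni).ljust(record_size, b"\x00")


def build_info2(records, record_size=XP_RECORD_SIZE, version=5):
    """Header (version 5 assumed for XP) followed by the given records."""
    return struct.pack("<5I", version, 0, 0, record_size, 0) + b"".join(records)


EMPTY_INFO2 = build_info2([])                      # 20 bytes: what an empty bin looks like
SAMPLE_DELETED = datetime(2010, 11, 25, 8, 30, 0, tzinfo=timezone.utc)
SAMPLE_RECORD = build_record(1, 2, SAMPLE_DELETED, 4096,
                             r"C:\Documents and Settings\demo\report.doc")
SAMPLE_INFO2 = build_info2([SAMPLE_RECORD])

if __name__ == "__main__":
    for label, blob in (("empty", EMPTY_INFO2), ("one item", SAMPLE_INFO2)):
        rsize, recs = parse_info2(blob)
        print("%s: %d bytes, record size %d, %d record(s)" % (label, len(blob), rsize, len(recs)))
        for row in rifiuti_rows(blob):
            print(row)
```

The record count is simply (file size - 20) / record size, so a 20-byte INFO2 parses to zero records and an empty table, which is exactly the output shown in the question. To apply it to a real file, read the INFO2 bytes and pass them to rifiuti_rows.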
 
LVL 62

Assisted Solution

by:btan
btan earned 250 total points
ID: 34220742
Thought I would also share Rifiuti2, but I believe it should not be the tool if you try it on another machine as well.

@ http://www.caine-live.net/page11/page11.html
@ http://manpages.ubuntu.com/manpages/lucid/man1/rifiuti2.1.html

As its name indicates, rifiuti2 is a rewrite of rifiuti. Rifiuti (last updated 2004) is restricted to the English version of Windows (it fails to analyze any non-Latin character), thus this rewrite. It also supports Windows file names in any language, supports Vista and Windows 2008 “$Recycle.Bin” (no longer uses the INFO2 file), enables localization (that is, it is translatable) by using glib, has more rigorous error checking, and supports output in XML format.
 
LVL 2

Author Closing Comment

by:VMthinker
ID: 34236168
If there are clear commands to troubleshoot the problem it would be excellent.