Data Mining Windows Recycle Bin User Filesathena.ecs.csus.edu/~cookd/116/notes/CSc 116 - Summer...7/23/2018 Sacramento State - Cook - CSc 116 - Summer 2018 11 Windows Vista, 7, 8,

1

Data Mining Windows User Files

Week 3 – Part 2

Windows Recycle Bin

It’s just a folder!

… an odd, strange, cheeky folder

Based of a recycling bin metaphor• place trash into the bin

• items in the bin will stay there until…

• …bin is emptied (or gets too full)

Recycle Bin has evolved over time

With every new major version:• location has changed

• format of deleted data has changed

7/23/2018 Sacramento State - Cook - CSc 116 - Summer 2018 3

Windows Recycle Bin

1. It is actually, simply, moved to a special (hidden) folder on the same volume as the deleted file

2. This file is then renamed

3. Windows saves information about the files deletion time, original location, original filename, etc…


When a File is Dragged into it…

First, it is possible that two files, with the same name, can be deleted. The rename prevents a filename conflict

Second, the new name can be use a database key. This is the case with INFO


Why Rename the File?


Each volume has its own folder – C:, D:, etc…

Recycle Bin Location

Operating System Location

95, 98, ME volume:\Recycled\

XP, NT, 2000 volume:\Recycler\SID

Vista, 7, 8, 10 volume:\$Recycle.Bin\SID

2

Windows XP renamed the folder to Recycler

Deleted files are renamed with a “D” prefix

When the Recycle Bin is emptied, the “D” files are deleted

Windows XP / 2000 Recycle Bin

Recycle Bin Folder C:\Recycler

Rename Format D<original drive letter><random>.<original extension>

Deletion Data INFO2



Information about each deleted file is stored into database file named INFO

If when the Recycle Bin is emptied, the history will still be left in INFO


Recycle Bin Folder C:\Recycler

Rename Format D<original drive letter><random>.<original extension>

Deletion Data INFO2



Presence of deletion data in the INFO file…

• implies that the file was intentionally deleted

• files deleted by applications are not normally sent to the Recycle Bin

For each file, in the recycle bin, it contains:

• original path and filename of file

• time and date of file deletion

• new filename in the recycle bin (e.g. DC42.txt)

• index # in the recycle bin. If the system clock was changed, this can establish the order of deletion


The INFO File

The Recycle Bin folder is now $Recycle.Bin

Deleted files are renamed using a different format than XP

Deletion data is no longer stored in a single database

Windows Vista / 7 Recycle Bin

Recycle Bin Folder C:\$Recycle.Bin

Renamed Filename $R<random>.<original extension>

Deletion Data $I<random>.<original extension>


Windows Vista, 7, 8, 10

Each "R" file (the original) has a matching “I” file

It contains the deletion data

When the Recycle Bin is emptied, the "I" files may still remain

Windows Vista / 7 Recycle Bin

Recycle Bin Folder C:\$Recycle.Bin

Renamed Filename $R<random>.<original extension>

Deletion Data $I<random>.<original extension>


Windows Vista, 7, 8, 10


Windows 7 Recycle Bin

Windows Explorer Shows the current SID as “Recycle Bin”

3


Windows 7 Recycle Bin

Info file

Deleted file

Windows Profile Basics

You have to know where to look

Windows maintains a special folder for storing user data

For each user on the system, there is a subfolder for their files and settings


User Root Folder

The folder is named using the username rather than the SID found in the Registry

This folder is great interest to the investigator (understatement)


What's In This Folder

The data includes:

• Application data (hidden)

• User registry file (ntuser.dat)

• My Documents

• Cookies

• Desktop

• Favorites

• NetHood (hidden)


User Root Folder

However – just to make things fun – each version of Windows uses a different folder to store user data

As a result, you must know the version to know where to look

Fortunately, it can be quickly ascertained on inspection… unless the suspect is trying to trick you


Windows User Folder

4

Windows 95, 98 and ME

• Windows main folder is simply used if the computer is not setup for multiple users

• If multiple users are setup, a subfolder of Windows is used called “profiles”

Windows NT (and above) also adds:

• Administrator

• All users

• Default user (hidden)7/23/2018 Sacramento State - Cook - CSc 116 - Summer 2018 19

Windows User Folder

Windows XP and 2000

• Use a folder called “Document and Settings”

• Stored at the root folder (C:\)

Windows 7, 8, 10

• The folder was renamed “users”

• Still stored at the root level


Windows User Folder

Version Location

95, 98, ME

C:\Windows\

C:\Windows\profiles\username\

NT C:\WinNT\profiles\username\

XP, 2000 C:\Documents and Settings\username\

Vista, 7, 8, 10 C:\Users\username\


Windows User Folder

Version Location

Mac-OS X /Users/username/

Linux /home/username/


Other Operating Systems

Temporary Internet Files

We do everything online, and leave tons of evidence

Systems connected to the Internet usually contain a wide variety of relevant data

These include:

• Web sites visited

• temporary Internet files!!

• chat room logs

• files downloaded


Internet Files

5

There are five major web browsers:

• Microsoft's Internet Explorer (aka “IE”)

• Microsoft Edge

• Mozilla Firefox (related to Netscape)

• Google Chrome

• Apple Safari

Browser popularity is constantly changing

So, knowing all browsers is important


Browser Files

Data the user, generally, knows about…

• saved passwords

• favorites (aka bookmarks), etc…

• page history list

Data they, generally, don't know about…

• cache files – saved for efficiency

• cookies


Browser Files

Browsers store parts of the websites you visit on your computer called the cache

This is true of all modern browsers including IE, Edge, Firefox, Safari, Google Chrome, etc…


Web Browser Cache

It helps load websites faster if you revisit them

For example:

• cache may contain an image

• the next time you visit the same website, the browser can use the cached file

• rather than re-download it


Web Browser Cache

You can find temporary files of pages the suspect has viewed

Examples:

• in the case of browser based e-mail, the file can be a webpage file with the e-mail

contained in it!

• if the user viewed porn online, these images can be in the cache


Web Browser Cache

Date-time stamp of the file is great evidence

Corresponds to the date-time that the Webpage (and its associated files) was viewed

Correlate this with the date-time stamp of files downloaded to determine the origin of such files


Web Browser Cache

6

Browsers often maintain list of sites the user has visited

• it’s a bit of a privacy risk

• remains intact when the cache files are deleted

• some browsers can auto-clear the history when the browser is existed

Tools exist to display the contents in a nice, usable format


Web Browser History

Cookies are text files saved on your computer by websites

• these are created (“baked”) by the web server

• only visible to the site that created them

They are used legitimately to

• keep you logged onto a website

• maintain temporary session data


Cookies

Cookie timestamps may also provide useful information about what sites were visited and when

The contents can be interpreted by the site that generated them


Cookies

Internet Explorer Files

Data-mining Internet Explorer

Created by Microsoft

Was “fused” into Windows with the release of Windows in 98

Even though the GUI has changed, significantly over time, each works the same “behind the scenes”


Internet Explorer

Location of the cache (temp) folder is not obvious

Although the user folder contains a subfolder called “Internet Explorer" this is not where the files are stored


Internet Explorer Cache

7

Instead…

• they are in “Temporary Internet Files”

• history file is in the “content.ie5” subfolder

• a subfolder of “content.ie5” (with a randomly generated name) contains the cache and cookies

This is true of all versions of IE (even up to version 10)


Internet Explorer Cache

Internet Explorer cached files are renamed, but preserve the original extension

Note: The Windows front-end tends to lie

• if you use Explorer to get to “temporary Internet Files”, it shows you an abstract – not real data

• “temporary internet files” is actually hidden from view – even if you select "Show Hidden

Files"


Cache Files

History is stored in “index.dat”

• also contains hash indexing for the cache

When the user clears the history…

• IE does not delete the file or wipe data

• just like a hard drive, space is marked as “unallocated” and can be recovered

• so, even if the suspect thinks they are covering their tracks, they are sadly mistaken!


Internet Explorer: History


Each path is located within the user’s root folder

Internet Explorer: Cache, and Cookies

OS Location

95, 98, ME, NT …\Temporary Internet Files\Content.ie5\random\

XP, 2000…\Local Settings\

Temporary Internet Files\Content.ie5\random\

Vista, 7, 8, 10…\AppData\Local\Microsoft\Windows\

Temporary Internet Files\Content.ie5\random\



Internet Explorer: History

OS Location

95, 98, ME, NT …\Temporary Internet Files\Content.ie5\index.dat

XP, 2000…\Local Settings\

Temporary Internet Files\Content.ie5\index.dat

Vista, 7, 8, 10…\AppData\Local\Microsoft\Windows\

Temporary Internet Files\Content.ie5\index.dat

Microsoft Edge Files

Microsoft's new browser

8

Microsoft formally retired Internet Explorer with the release of Windows 10

Although, IE is still included

Microsoft, instead, has a new browser called Edge (originally called Spartan)



Edge is odd – it modernizes some of the behavior of IE, but maintains the older approach as IE

The folders used by Edge very buried very, VERY, deep in the Application Data folder

Each version changes the folder (since it is based on a file version hash



History file information…

• is shared with Internet Explorer!

• though, the slightly moved the folder

And – while buried very deep – the cache style used by Edge is identical to IE

So, one can argue that Edge is IE


Here it Gets Weird



Edge Cache

OS Location

Windows 10

…\AppData\Local\Packages\

Microsoft.MicrosoftEdge_random\AC\#!001\

MicrosoftEdge\Cache

Mozilla Firefox Files

Data-mining Mozilla Firefox

Created by Mozilla

Generally considered more secure than IE or Chrome

Interesting features

• anti-phishing technology (urlclassifier)

• built-in spell checker!


Mozilla Firefox

9

FireFox generates a unique “ID” for each user on the system

• this is separate from the Windows username

• the ID is used to create a subfolder for each user in the application data folder

FireFox uses “SQLite” database files

• browser history is stored into a “places.sqlite”

• cookies are stored into “cookies.sqlite”

• tools can read the contents of SQLite files7/23/2018 Sacramento State - Cook - CSc 116 - Summer 2018 49

Firefox SQL Files



Firefox History

OS Location

95, 98, ME, NT…\Application Data\

Mozilla\Firefox\Profiles\ID\places.sqlite

XP, 2000…\Application Data\

Mozilla\Firefox\Profiles\ID\places.sqlite

Vista, 7, 8, 10…\AppData\

Roaming\Mozilla\Firefox\Profiles\ID\places.sqlite

Cached files, like IE, are stored in a folder

• but the name and extension are both changed

• In Windows Vista, 7, the cache is stored under the Local folder of Application Data

There are three types of files:

• Cache Map File

• Three Cache Block Files

• Separate Cache Data Files


Firefox Cache



Firefox Cache

OS Location

95, 98, ME, NT…\Application Data\

Mozilla\Firefox\Profiles\ID\cache\

XP, 2000…\Application Data

\Mozilla\Firefox\Profiles\ID\cache\

Vista, 7, 8…\AppData\

Local\Mozilla\Firefox\Profiles\ID\cache2

Filename Description

content-prefs.sqlite User-specific settings

cookies.sqlite Cookies

downloads.sqlite Download history

formhistory.sqlite Items typed into online forms and search bars

permissions.sqlite Site-specific settings – cookies, scripting, etc…

places.sqlite Browsing History

search.sqlite Search engine plug-in settings

signons.sqlite Stored passwords

webappstore.sqlite DOM data – a more secure form of cookies


Other Firefox databases

Google Chome Files

Now the #1 browser

10

Created by the Google Corporation

Very minimalist graphical user interface

Recently became the most popular web browsers (replacing Internet Explorer)


Google Chrome

Cached files are stored in a folder

• like Firefox, name and extension are changed

• In Windows Vista, 7, the cache is stored under the Local folder of Application Data

There are three types of files:

• main Index file

• data files

• cache files


Chrome Cache

Like Firefox, the original extension and name are changed

Every piece of data stored in the cache has a unique "cache address"

Stored as a 32-bit (hex digit) code


Chrome Cache



Chrome Cache

OS Location

XP, 2000…\Application Data\Google\Chrome\User

Data\Default\Cache

Vista, 7, 8, 10…\AppData\Local\Google\Chrome\User

Data\Default\Cache

Quite interestingly, Chrome stores browser history in a SQLite database

This is the same system used by Mozilla Firefox - although, the record format is different

The "default" folder contains this, cookie files, bookmarks, etc…


Chrome History



Chrome SQL Files

OS Location

XP, 2000…\Application Data\Google\Chrome\User

Data\Default

Vista, 7, 8, 10…\AppData\Local\Google\Chrome\User

Data\Default

11


…\AppData\Local\Google\Chrome\User Data\Default\

Chrome Databases

Filename Description

Bookmarks Favorite websites (called bookmarks by Chrome)

Cookies Website cookies

Current Tabs Currently opened websites

History Browser history

Preferences User preferences (homepage, toolbars, etc…)

Windows File Metadata

Thar be gold in ‘dem files

Added in Windows 95 to make it easy for users to find files and programs

Shortcut can actually link to any a file or folder


Windows Shortcuts

The Start Menu, also added in 95, makes extensive use of shortcuts

Shortcuts, are actually files themselves with the extension .lnk


Windows Shortcuts

The target path

Type of volume (removable, fixed hard drive, etc)

Volume label and serial number

- this can be used to connect a file to a unique volume!

File’s size in bytes

Creation, last access, and modification times of the target


Shortcut Contents

Even if the target file is deleted, the shortcut may still exist

Existence of the link indicates the file did

exist – this may help you look in unallocated space and backups

Even if the file is not located, the shortcut may imply the data was copied to a removable disk!


Windows Shortcuts

12

Starting with Windows XP, the user can view a folder’s contents using “thumbnails”

Generating these thumbnails takes a lot of time and system resources

For efficiency, after Windows creates a thumbnail, it cachesthe image for future use


Thumbnail Databases

In Windows XP / 2000…

• every folder, that has images, contains a hidden file called thumbs.db

• this file contains the thumbnails in OLE format – same format used by Microsoft Office

The same thumbnail files are shared by any user that opens the folder

So, you can't tell who saw it


Windows XP, 2000

In Windows Vista, 7, 8…

• thumbnails were moved into a several central databases located in the user’s folder

• …\AppData\Local\Microsoft\Windows\Explorer

Now…

• each thumbnail folder is personal to the user

• now you can tell who created the thumbnail


Windows Vista, 7 ,8


Windows 7 Thumbnail Databases

Even if the original image was deleted… it still may be available in the thumbnail cache!

So, you can tell that the image did exist on the suspect’s computer and that they

looked at it!

Pedophiles have been convicted by this


Thumbnail Database

Several tools exist that can read them:

• Encase

• Windows File Analyzer

• Accessdata FTK

• OS Forensics


Thumbnail Database

13

Windows Spooler

What did the suspect print?

Even today, we still need to print documents (paperless

future? …Bah!)

So, printers are an essential part of computer technology

Printers are often networked so a single printer can be used by lab, office, etc….


Windows Spooler

There are some challenges…

• printers may have multiple users

• printers are slower than computers

• printers are all different – does every program need to know how to talk to every printer?

As a result, operating systems have a feature called the spooler


Windows Spooler

1. Applications send data to the spooler using the same format

2. Spooler saves the data and waits for access to the printer

3. It then sends the data

• at the printer’s speed

• the printer’s driver translates the spooler data for the printer


What happens…

The spooled data is stored in a folder on your computer

The location of the folder changed slightly between Windows 9x and XP


Windows Spool Folder

There can be data left in this folder that can be of great interest to the investigator

Warning…

• folder can be moved by the user – though VERY unlikely

• double check the registry


Windows Spool Folder

14

OS Location

95, 98, ME C:\Windows\Spool\Printers

XP, NT, 2000 C:\Windows\System32\Spool\Printers

Vista, 7, 8, 10 C:\Windows\System32\Spool\Printers


Default Print Spool Location


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\

Windows NT\CurrentVersion\Print\Printers

Registry: Print Spooler

Data is sent in either RAW or EMF

EMF (enhanced metafile format)

• most commonly used

• the same format for clipart!

RAW

• indicates the data will be sent to the printer exactly as stored

• e.g. Postscript, ASCII


Print Formats

For each print job, two files are created

The "spool" (.spl) file

• contains the data that is ready to print

The matching “shadow” (.shd) file

• contains print settings.

• includes the number of copies, print tray to use, print quality, and useful metadata


Print Spool Folder Contents

File File Pattern Contents

Spool File <Job ID>.SPL spooled data that is ready to be printed

Shadow File <Job ID>.SHD Print settings: # copies, tray, etc…

The Spool File has the extension SPL

The matching Shadow File has the extension SHD


Print Spool Folder Contents

There are a number of tools that can view spooler files

Some products

• EMF Spool Viewer

• O&K Printer Viewer


Spooler Viewers

15

Examining Logs

Not pleasant, but very useful

A log is a computer file that contains a recording of actions performed on a computer

There are tons of different log at your disposal created by servers, routers, applications, etc…


Examining Logs

Practically all logs use different formats

• most logs are stored in simple ASCII format and can be read by any text editor

• logs for similar systems – routers, web servers, etc… tends to contain the same data

• …but in different formats

Interpreting them requires time and caution

e.g.: time is displayed is it GMT or local?


Examining Logs

Logs are a wealth of information on dates, ports and IP Addresses

Sometimes the data payload may contain usernames and passwords

Log files and state tables of past and recent connections may be of use in an investigation


TCP/IP Related Digital Evidence

Authentication logs can show which account was associated with activity and often an IP

E-mail, Web and other Internet servers may also have authentication logs useful for connecting online activities with an individual.


Authentication Logs

Many Applications have logs containing information about peoples’ activities

FTP transfer logs can show files that were transferred or deleted.

Web server logs can record the client IP address and the file or pages that it requested.

E-mail server maintains logs of the headers of mail that it gets or sends


Application Logs

16

Operating systems also maintain log files of system activities

Unix systems generally retain more TCP/IP related information than Windows Event Logs

Newer versions of UNIX/Linux typically store their log files in /var/adm or /var/log

Most UNIX system logs only contain information about incoming traffic not outgoing


Operating System Logs

Network devices, such as routers, may log a history of communication

When useful…

• determine if two computers communicated with each other – i.e. send data

• good place to look in cases of stolen/transferred files

• also good to determine network intrusion


Network Device Logs

Router logs

• record all incoming and outgoing traffic

• have rules to allow or disallow traffic

• you can follow the path of a transmitted e-mail

Firewall logs

• filter e-mail traffic

• verify whether the e-mail passed through


Routers and Firewalls

Some devices have limited memory

• logs can take a large amount of hard disk space

• so, data can be overwritten after a certain time period has elapsed

Transmitted logs

• instead of storing logs locally, some devices send them over a network to other systems for logging

• UNIX/Linux maintains logs on network devices in /var/log/messages and /var/log/secure


Log Limits

Microsoft Exchange Server (Exchange)

• uses a database

• based on Microsoft Extensible Storage Engine

• logs information about MAPI (Messaging Application Program Interface) and more

Information Storage files

• .edb files – Responsible for MAPI information

• .stm files – non-MAPI information


Microsoft E-mail Server Logs

Tools allow you to find:• e-mail database files

• personal e-mail files

• offline storage files

• log files

Advantages..• don't need to know how e-mail servers/clients work

• saves considerable time

• however, you still need to understand the source and how the data was found – for court


Specialized E-mail / Log Tools

96

17

AccessData’s Forensic Toolkit (FTK)

ProDiscover Basic

FINALeMAIL

Sawmill-GroupWise

DBXtract

Fookes Aid4Mail and MailBag Assistant

Paraben E-Mail Examiner

Ontrack Easy Recovery EmailRepair

R-Tools R-Mai


Specialized E-mail / Log Tools